The security model in Dynamics CRM is indeed complicated, and in many cases, that complexity provides needed features. There are occasions however in which the intertwined intricacies of Dynamics CRM’s security make you take a step back and think “Wow, I would never have guessedthat is what was causing the problem.” One of these such cases arose when trying to find out why a user with a specific Security Role could add users to a Team, but could not remove them from the Team.
You would think that the only permissions needed to modify a Dynamics CRM Security Team would be under the Team entity, however this is not the case. A Role does inded need the Write permission on the Team entity to add users, however to remove them, the Role will also require permissions on the Queue entity.
In the hopes that this saves you some frustration, beyond the permissions required on the Team entity, here are the minimum rights you’ll need to apply to the Queue entity in order to allow a Role to remove users from a Team.