Restrict access to entity records based on field value (Through security roles)
-
Monday, August 20, 2012 2:44 AM
Hi everyone,
I've two security roles accessing Entity A.
Security Role 1 has CRUD privileges on Entity A and Security Role 2 has only "Read" privilege on Entity A. So my requirement is: based on a record's field value (yes or no), I have to remove read privileges for the users in SR2 on Entity A (users in SR2 shouldn't be able to view this record if the field value is "yes").
Can this be purely done with Security Roles or do I need to use any other feature to accomplish it?
All Replies
-
Monday, August 20, 2012 4:25 AM
Hi CRM Surfer,
To accomplish that you are going to have to do a little bit of custom development.
I think your best bet is to give SR2 User Level Read access to the entity and then share / unshare records with SR2 when your custom flag is toggled.
The read access will allow records to be shared with the user, but until a record is actually shared it will be invisible to SR2.
Just giving SR1 organisation level access to the Entity satisfies the other part of your requirements.
The sharing can be controlled by using either a plugin or custom workflow activity. The workflow activity is probably easier and quicker to set up. This library: http://crm2011workflowutils.codeplex.com/ has workflow activities that can be used to control the sharing.
Regards,
Malachy
- Proposed As Answer by Malachy O Connor Monday, August 20, 2012 4:51 AM
- Marked As Answer by crmsurfer Monday, August 20, 2012 11:53 PM
- Unmarked As Answer by crmsurfer Tuesday, August 21, 2012 12:00 AM
- Marked As Answer by crmsurfer Wednesday, August 22, 2012 6:49 PM
-
Monday, August 20, 2012 11:44 PM
Hi Malachy,
I'm very thankful for your time and reply. That really worked for me. I've used the workflow utility that was mentioned in your reply, but as someone new to CRM I'm kinda curious: do people use these utilities on a regular basis in their implementations? Do I have to be concerned when update rollups are released?
On a different note, I've another question regarding security role configuration for another requirement of mine. I've an Entity A record which has a lookup to another Entity B. Entity B is an Account entity and so far we have 10 accounts. Each Account has a set of users that use the system and they should have access to only those records of Entity A where their account is selected. So how do I create security roles in this scenario? Do I need to create a security role for each account, and if so how do I provide access to only their records?
-
Tuesday, August 21, 2012 3:19 AM
Custom workflow activities tend to be used more often than plugins - they are more generic and a lot of the common custom workflow activities tend to have already been developed by someone else. They tend to work for small deployments that just need a little bit more functionality.
Plugin dev tends to be used to more significantly change the behaviour of the platform and/or to tightly integrate with other systems. You will do a lot of that if you are taking the xRM as platform approach.
I wouldn't worry too much about backward compatibility (I may not be 100% correct on this); as long as you use the CRM APIs in a supported manner, Microsoft guarantee that the same APIs will be supported in the next version of the platform (although they could be deprecated). You can still install CRM 4.0 compatible custom workflow activities on CRM 2011. Even rewriting them in the CRM 2011 format wasn't a huge change either.
On your second example - I'm not sure if I fully understand you, but if you are using the CRM model to allow access to a select number of Accounts using sharing and you wish to allow the same users access to a child record of the Account, then that can be accomplished by setting the relationship between Entity A and B to be parental.
When an account is shared with a user they should get access to the child records as well.
-
Tuesday, August 21, 2012 1:12 PM
Hi Malachy,
Thanks for clarifying my concern on third party workflow utilities usage.
I'm sorry for not being able to explain myself clearly on the second example. Let me try it again.
I've an Entity A (custom entity) which has an N:1 relationship with the Account entity (Facility), and therefore I've a lookup control on Entity A that refers to its parent account (Facility). So far I've 10 facility records in the Account (Facility) entity which will be referred to by records in custom entity A.
So each Facility would be using this system, and once they log into the system and try to view the records in this custom entity A, they should be able to view only those records in which their facility has been referred to.
I haven't created any security roles for the users in these facilities yet and I'm not sure how the roles need to be created for this whole facility requirement.
Thanks,
-
Tuesday, August 21, 2012 11:08 PM
Hi,
I suppose it depends on how your Facilities access CRM - does each user of the system have a User Account or are you using portal type access with a single Web User?
If you are using a portal with a single user then you are going very bespoke and there will be no quick way to implement your security model, although it should still be quite doable.
If every user of the system is a User then you should be able to manage the process using the OOTB security. It may be a case of creating a default team for each facility and then sharing the custom record with the Team associated with the facility using a workflow.
It's hard to know exactly what your requirements are, but I would be very surprised if CRM couldn't model them with no more than limited custom dev.
-
Tuesday, August 21, 2012 11:58 PM
Hi Malachy,
That's a good question. To be frank, I'm not sure either how the facilities would be accessing the system. It's not included in the security requirements. I was of the assumption each one of them would have a user account. I was even planning to create a workflow and follow the same procedure of creating a default team for each facility and start sharing the record based on the facility selected in the custom entity.
I was trying the same with the workflow utility library that you've suggested in a previous reply, but unfortunately I can share with only one team at a time. If I use the utility I'm kinda forced to hard code the workflow. I mean, based on the facility selected in the record I'm sharing it with the respective team that's been created for the facility. But my concern is: what if they have created a new account for a facility? Then I need to update this workflow every time a new account is created. Instead I'm trying to write my own custom workflow assembly, and based on the facility selected in the record I would look for a team with the same name and would share with that team. How does this sound?
I couldn't thank you enough for all your valuable suggestions and time.
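
Added example (not code from any poster in this thread, and not from the CodePlex library): a CRM 2011 custom workflow activity sketching the two ideas discussed above, sharing or unsharing a record when a flag changes and resolving the facility's team by name instead of hard-coding it. The class name, the "Facility" and "Share" inputs, and the convention that each team is named exactly like its account are assumptions; the activity fails closed when the name does not resolve to exactly one team.

```csharp
using System.Activities;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;
using Microsoft.Xrm.Sdk.Workflow;

// Hypothetical activity; both inputs are set in the workflow designer.
public sealed class ShareWithFacilityTeam : CodeActivity
{
    [RequiredArgument, Input("Facility"), ReferenceTarget("account")]
    public InArgument<EntityReference> Facility { get; set; }

    // True: grant Read to the facility team. False: revoke that team's share.
    [Input("Share")]
    public InArgument<bool> Share { get; set; }

    protected override void Execute(CodeActivityContext ctx)
    {
        var wf = ctx.GetExtension<IWorkflowContext>();
        var factory = ctx.GetExtension<IOrganizationServiceFactory>();
        // Calls run as wf.UserId, who needs Share privilege on the target entity.
        IOrganizationService svc = factory.CreateOrganizationService(wf.UserId);

        Entity account = svc.Retrieve("account", Facility.Get(ctx).Id, new ColumnSet("name"));
        string name = account.GetAttributeValue<string>("name");
        if (string.IsNullOrEmpty(name))
            throw new InvalidPluginExecutionException("Facility has no name.");

        // Assumed convention: one team per facility, named like the account.
        var query = new QueryExpression("team") { ColumnSet = new ColumnSet("teamid") };
        query.Criteria.AddCondition("name", ConditionOperator.Equal, name);
        var teams = svc.RetrieveMultiple(query).Entities;

        // Zero or several matches (renamed or duplicate team): share with nobody.
        if (teams.Count != 1)
            throw new InvalidPluginExecutionException(
                "Expected exactly one team named '" + name + "', found " + teams.Count + ".");

        EntityReference team = teams[0].ToEntityReference();
        var target = new EntityReference(wf.PrimaryEntityName, wf.PrimaryEntityId);

        if (Share.Get(ctx))
            svc.Execute(new GrantAccessRequest
            {
                Target = target,
                PrincipalAccess = new PrincipalAccess { Principal = team, AccessMask = AccessRights.ReadAccess }
            });
        else
            svc.Execute(new RevokeAccessRequest { Target = target, Revokee = team });
    }
}
```

When the facility lookup on a record changes, the workflow also has to run this activity with Share set to false for the previous facility, otherwise the old team keeps its share.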

