Introduction

                Nowadays, developers frequently write JavaScript code on entity forms to read/modify field values. But, in some scenarios, our JavaScript code may not receive the expected value from the field (even though the value is present in the field). The possible reason could be field level security.

                If field level security is enabled for a field, and if logged-in user does not have READ right to the field, then JavaScript will get null value. This may result in incorrect business logic.

                Hence, to avoid such scenarios, it is better to check what level of permissions does logged-in user have. In this blog, I have given step by step implementation of Custom Action with Plugin to check what level of permissions user has on a field.

Tricky part in querying field permissions

1. In case of querying field permissions for team, we will follow below path. This is straightforward.

SELECT     fp.attributelogicalname, 
           fpcancreate, 
           fp.canread, 
           fp.canupdate 
FROM       teamprofiles TP 
INNER JOIN fieldsecurityprofile FSP 
ON         tp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
INNER JOIN fieldpermissions FP 
ON         fp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
WHERE      tp.teamid = <team id passed IN parameter>

2. In case of querying field permissions for user, we need to first check users association with security profiles and teams (in which the user is added as member) association with security profiles. Below will be query path for the same.

SELECT     fp.attributelogicalname, 
           fp.cancreate, 
           fp.canread, 
           fp.canupdate 
FROM       systemuserprofiles SUP 
INNER JOIN fieldsecurityprofile FSP 
ON         sup.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
INNER JOIN fieldpermissions FP 
ON         fp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
WHERE      sup.systemuserid = <USER id passed IN parameter> 
UNION 
SELECT     fp.attributelogicalname, 
           fp.cancreate, 
           fp.canread, 
           fp.canupdate 
FROM       teamprofiles tp 
INNER JOIN teammembership tm 
ON         tm.teamid = tp.teamid 
INNER JOIN fieldsecurityprofile fsp 
ON         tp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
INNER JOIN fieldpermissions fp 
ON         fp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
WHERE      tm.systemuserid = <USER id passed IN parameter>

[Note: This clause gets field permissions of user which are assigned through Teams.]

Step-by-step guide

Create custom action

  • Create custom action with below configuration:
    • Scope:Global (not to specific entity)
    • Parameters

Explanation:

  • Why scope is set to Global?

This operation is not specific to any entity and developer might want to call the action for either system user or team. Hence, we have set the scope as Global.

  • Parameters description
Parameter NamePurpose
outputThis parameter will contain the result of the action. This will contain JSON string with all the security enabled fields and their permissions.
entityidThis is an input parameter. It should contain either System User GUID or Team GUID.
primaryentityThis is an input parameter. The valid values are either “systemuser” or “team”. This will determine whether field permissions are being identified for user or team.
fieldsecurityprofilenameThis input parameter contains the name of the Field Security Profile from which permissions will be retrieved.
entitynameThis is an optional input parameter. This should contain entity type code.
fieldnameThis is an optional input parameter. If you want to find permissions for any specific field, you can put its logical name in this parameter.

Locate file named GetFieldSecurityProfileAssociationAction.cs under Plugins project.

  • Register Post Operation – Synchronous plugin on action message.
  • Call the action. Sample input & output format is given below.

References

  • Link by Microsoft explains how to retrieve Field Permissions.

https://docs.microsoft.com/en-us/dynamics365/customer-engagement/developer/sample-retrieve-field-permissions