web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Blogs / MY LIFE Microsoft Dynamic CRM / MS CRM Security Flaw

MS CRM Security Flaw

Views (1441)
Varun Singh Profile Picture Varun Singh 943

Today while going through CRM security model I found one flaw that I would like to share with you all.
Below I tried to explain the things in Note fashion to easily understand it, however the things are little bit complex to understand it:

Note1:Team and Security Roles are dependent to BU, because while creating both you need to explicitly define business unit.(Did practical in CRM 2015 what I found if a Team T1 is created under BU1 and a User is created under BU1 then you will able to assign the team T1 to BU1 user only not to other BU user ,however a team can be inherited from Parent BU to child BU user but in reverse direction it's not possible. Means to say that suppose BU2 is the child business unit of BU1 and you have created Team T2 under BU2 then user of BU1 will not able to add Team T2 in his account.)

Note2: When you create a security role under BU1 then you can not delete or edit that security role from BU1 child business unit directly. To update or delete that security role you need to come first under BU1 then take your action. In short the meaning is that Inherited role can not be modified or deleted in MS CRM.

Note3 : So the conclusion of above two notes is while assigning ,everything(Security Role, Team) flow from Top level to Down level Business Unit (or Child BU user )but reverse is not possible. However same is not true for Field security profile, because Field security profile is independent of BU whereas Team and Security Role are dependent of BU.

So where is the problem?

On further practical with CRM 2015 I  came across to a awkward behavior of CRM, while assigning Security Role and Team the behavior is Ok but if you change the business unit of a user then user will lose Security Role  but not both Team (except default team for that old BU) and Field Security profile. However according to me Team should also be removed from CRM user account. Because if the Team (BU1) has some security role and that security role doesn't belong to BU2 then the situation is virtually BU1 security role also travel to BU2.

I have done practical for this through this security role of one unit is traveling to another BU through team however that new BU doesn't contain that security role. This is a security flaw.

Pease feel free to put your comments and knowledge on this.

Comments

*This post is locked for comments

  • Varun Singh Profile Picture Varun Singh 943
    Posted at

    Hi Ratheesh,

    I am saying same, clearing of security role is good while changing the BU of the user however I am also saying that CRM should also remove Team tagging with user while changing the BU of  that user because a Team contains Security Role to define Team Privilege  .

  • Varun Singh Profile Picture Varun Singh 943
    Posted at

    Hi Dominic & Ratheesh,

    What I am saying suppose BU1 is the parent of BU2 and BU3. And you have one custom  security role SR2 in BU2, is it possible to assign same security role SR2 to some other user  in BU3 when the security  role even doesn't exist for that BU3 (I am sure no).

    Ideally you can see while creating a team T2 in BU2 you can add that SR2 security role to T2 team, however for the same BU3 if you create a team T3 and if you want to add this SR2 security role to it, this is not possible because this SR2 security role doesn't exist in BU3.

    But this is possible  while changing the users unit from BU2 to BU3 because while changing the BU user's Team will remain same (except default team for that old BU will be removed).

  • Community Member Profile Picture Community Member
    Posted at

    Hi Varun,

    I think the purpose of introducing team in CRM was to help members from different business unit to work together which otherwise is difficult to control using security role in some scenarios. Inherited Security roles are applied to the business units in hierarchy. SO any change required to the inherited security role has to be done in the parent business unit where the role was defined actually.

    When a person change a business unit, it means that there is some change in his responsibilities, so I think it is a good idea to clear off all his security role to make sure that the user assign the right privileges to him in the new business unit. Otherwise there is a good chance that whoever is changing the business unit will forget to update the user's security role.

  • Community Member Profile Picture Community Member
    Posted at

    Hi Varun,

    I personally wouldn't consider this a flaw. If a user moves BUs then the records they can access in the context of their existing Teams, and associated Security Roles, stay exactly the same. However this is not true of the records they would newly have access to from within their new Business Unit, which is why the Security Roles need to be cleared out from there.

    Dom