MS CRM Security Flaw
Today while going through the CRM security model I found one flaw that I would like to share with you all.
Below I have tried to explain the things in note fashion to make them easy to understand; however, the things are a little bit complex to understand:
Note 1: Team and Security Roles are dependent on the BU, because while creating both you need to explicitly define the business unit. (I did a practical test in CRM 2015. What I found is that if a Team T1 is created under BU1 and a User is created under BU1, then you will be able to assign the team T1 to the BU1 user only, not to a user of another BU; however, a team can be inherited from a parent BU to a child BU user, but in the reverse direction it is not possible. That means, suppose BU2 is the child business unit of BU1 and you have created Team T2 under BU2; then a user of BU1 will not be able to add Team T2 to his account.)
Note 2: When you create a security role under BU1, then you cannot delete or edit that security role from a child business unit of BU1 directly. To update or delete that security role you need to first go to BU1 and then take your action. In short, the meaning is that an inherited role cannot be modified or deleted in MS CRM.
Note 3: So the conclusion of the above two notes is that, while assigning, everything (Security Role, Team) flows from the top-level business unit down to the lower-level Business Unit (or child BU user), but the reverse is not possible. However, the same is not true for the Field Security Profile, because the Field Security Profile is independent of the BU, whereas Team and Security Role are dependent on the BU.
So where is the problem?
On further practical testing with CRM 2015 I came across an awkward behavior of CRM: while assigning a Security Role and Team the behavior is OK, but if you change the business unit of a user then the user will lose the Security Role but neither the Team (except the default team for that old BU) nor the Field Security Profile. However, according to me, the Team should also be removed from the CRM user account, because if the Team (BU1) has some security role and that security role doesn't belong to BU2, then the situation is that virtually the BU1 security role also travels to BU2.
I have done a practical test for this; through this, the security role of one unit is traveling to another BU through the team, however that new BU doesn't contain that security role. This is a security flaw.
Please feel free to put your comments and knowledge on this.
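As an added illustration (not code from the post or from Microsoft), the following Python models the rules described in the notes above over a constructed BU hierarchy and shows how an audit could flag the situation: a user moved between sibling BUs keeps, through a team, a role that is not defined anywhere in the new BU's lineage. The sample BUs, roles and teams, and the rule that a role is usable only in its defining BU and that BU's descendants, are assumptions taken from the post.

```python
from dataclasses import dataclass, field

@dataclass
class Team:
    bu: str
    roles: set = field(default_factory=set)

@dataclass
class User:
    bu: str
    roles: set = field(default_factory=set)   # directly assigned security roles
    teams: set = field(default_factory=set)   # team names the user belongs to

# Constructed hierarchy from the comments: BU1 is the parent of BU2 and BU3.
PARENT = {"BU1": None, "BU2": "BU1", "BU3": "BU1"}
# Constructed roles: role name -> BU that defines it (SR1 is inherited by BU2/BU3).
ROLE_BU = {"SR1": "BU1", "SR2": "BU2", "SR3": "BU3"}

def lineage(bu):
    """The BU itself followed by its ancestors up to the root BU."""
    chain = []
    while bu is not None:
        chain.append(bu)
        bu = PARENT[bu]
    return chain

def role_visible_in(role, bu):
    """Roles flow downward only: usable in a BU if defined there or in an ancestor."""
    return ROLE_BU[role] in lineage(bu)

def change_business_unit(user, new_bu):
    """Mirror the post's observation: direct roles are cleared, team memberships
    survive except the old BU's default team."""
    user.roles.clear()
    user.teams.discard(f"{user.bu} default team")
    user.bu = new_bu

def leaked_roles(user, teams):
    """Team-granted roles whose defining BU is outside the user's current lineage,
    as {role: team}. An empty result means the user's rights are BU-consistent."""
    return {r: t for t in user.teams for r in teams[t].roles
            if not role_visible_in(r, user.bu)}

def demo():
    """A user moved from BU2 to BU3 keeps SR2 through team T2 (the post's case)."""
    teams = {"BU2 default team": Team("BU2"), "T2": Team("BU2", {"SR2"})}
    user = User("BU2", {"SR2"}, {"BU2 default team", "T2"})
    change_business_unit(user, "BU3")
    return leaked_roles(user, teams)   # returns {"SR2": "T2"}
```

Running `leaked_roles` over every user after a BU change gives the list of team memberships an administrator would need to review by hand, since the product does not clear them.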
Comments
- Hi Ratheesh, I am saying the same: clearing the security role is good while changing the BU of the user; however, I am also saying that CRM should also remove the Team tagging from the user while changing the BU of that user, because a Team contains Security Roles to define the Team's privileges.
- Hi Dominic & Ratheesh, what I am saying is: suppose BU1 is the parent of BU2 and BU3, and you have one custom security role SR2 in BU2. Is it possible to assign the same security role SR2 to some other user in BU3 when the security role doesn't even exist for BU3? (I am sure not.) Ideally you can see that while creating a team T2 in BU2 you can add that SR2 security role to team T2; however, for BU3, if you create a team T3 and you want to add this SR2 security role to it, this is not possible because this SR2 security role doesn't exist in BU3. But this is possible while changing the user's unit from BU2 to BU3, because while changing the BU the user's Teams will remain the same (except that the default team for the old BU will be removed).
- Hi Varun, I think the purpose of introducing teams in CRM was to help members from different business units work together, which is otherwise difficult to control using security roles in some scenarios. Inherited Security Roles are applied to the business units in the hierarchy. So any change required to an inherited security role has to be done in the parent business unit where the role was actually defined. When a person changes business unit, it means that there is some change in his responsibilities, so I think it is a good idea to clear off all his security roles to make sure that the right privileges are assigned to the user in the new business unit. Otherwise there is a good chance that whoever is changing the business unit will forget to update the user's security roles.
- Hi Varun, I personally wouldn't consider this a flaw. If a user moves BUs then the records they can access in the context of their existing Teams, and associated Security Roles, stay exactly the same. However, this is not true of the records they would newly have access to from within their new Business Unit, which is why the Security Roles need to be cleared out from there. Dom