Identify field level permissions for specific user/team

Introduction

                Nowadays, developers frequently write JavaScript code on entity forms to read/modify field values. But, in some scenarios, our JavaScript code may not receive the expected value from the field (even though the value is present in the field). The possible reason could be field level security.

                If field level security is enabled for a field, and if logged-in user does not have READ right to the field, then JavaScript will get null value. This may result in incorrect business logic.

                Hence, to avoid such scenarios, it is better to check what level of permissions does logged-in user have. In this blog, I have given step by step implementation of Custom Action with Plugin to check what level of permissions user has on a field.

Tricky part in querying field permissions

1. In case of querying field permissions for team, we will follow below path. This is straightforward.

SELECT     fp.attributelogicalname, 
           fpcancreate, 
           fp.canread, 
           fp.canupdate 
FROM       teamprofiles TP 
INNER JOIN fieldsecurityprofile FSP 
ON         tp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
INNER JOIN fieldpermissions FP 
ON         fp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
WHERE      tp.teamid = <team id passed IN parameter>

2. In case of querying field permissions for user, we need to first check users association with security profiles and teams (in which the user is added as member) association with security profiles. Below will be query path for the same.

SELECT     fp.attributelogicalname, 
           fp.cancreate, 
           fp.canread, 
           fp.canupdate 
FROM       systemuserprofiles SUP 
INNER JOIN fieldsecurityprofile FSP 
ON         sup.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
INNER JOIN fieldpermissions FP 
ON         fp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
WHERE      sup.systemuserid = <USER id passed IN parameter> 
UNION 
SELECT     fp.attributelogicalname, 
           fp.cancreate, 
           fp.canread, 
           fp.canupdate 
FROM       teamprofiles tp 
INNER JOIN teammembership tm 
ON         tm.teamid = tp.teamid 
INNER JOIN fieldsecurityprofile fsp 
ON         tp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
INNER JOIN fieldpermissions fp 
ON         fp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
WHERE      tm.systemuserid = <USER id passed IN parameter>

[Note: This clause gets field permissions of user which are assigned through Teams.]

Step-by-step guide

Create custom action

• Create custom action with below configuration:
  • Scope:Global (not to specific entity)
  • Parameters

Explanation:

• Why scope is set to Global?

This operation is not specific to any entity and developer might want to call the action for either system user or team. Hence, we have set the scope as Global.

• Parameters description

• Write plugin on custom action. Code is available on GitHub (https://github.com/ykuvalekar/dynamics-365-crm).

Locate file named GetFieldSecurityProfileAssociationAction.cs under Plugins project.

• Register Post Operation – Synchronous plugin on action message.
• Call the action. Sample input & output format is given below.

References

• Link by Microsoft explains how to retrieve Field Permissions.

https://docs.microsoft.com/en-us/dynamics365/customer-engagement/developer/sample-retrieve-field-permissions

• Code repository: https://github.com/ykuvalekar/dynamics-365-crm