Microsoft Dynamics CRM (Archived)

User able to see related records even though security roles do not give privileges to read other than user level

Posted by Microsoft Employee

Hi!

I have a problem with the CRM I'm working on: a user that has a security role over a custom entity, with read privileges set at user level, can see related records on a Case even though they don't own the records of that custom entity.

So far, what I see is that the user belongs to an access team (that has the same BU the user is in) and the Case is owned by a Team that has the same BU (but the user does not belong to that team). I checked that if I remove the user from the access team it fixes the problem, but they don't want to remove the user from the team. Do you know what solution could apply here?

Thanks!


  • Community Member Microsoft Employee

    Now I have a question, and maybe some images will help with this. As you know, I have an issue with the cases and some related records (custom entity): if the user belongs to an access team, it provides unwanted access to some records.

    accessrightrecord.PNG

    That's the security role, the only role the user has assigned (and the user does not belong to another team that has more roles). As you see, it only has create, write, append & append to at org level, and can only read their own attachment (custom) record.

    But now, if I check the access with the XrmToolBox Access Checker on a related attachment record the user doesn't own:

    accessrightrecord.PNG

    As you see, it gives read and delete access to that record even if the security roles do not. With their own records it's the same: it gives a delete right.

    Now if I remove the user from the access team, it will be good:

    accessrightrecord2.PNG

    This bugs me because even if I apply the retrieve multiple plugin it will still give delete access to the record, and that will be a problem.

    Thanks!

  • Community Member Microsoft Employee

    Great Answer!

    I was thinking the same, using a plugin, but I'm trying to wrap my head around why this is happening.

    I'll try it, Thanks!

  • gdas 50,085

    Sorry, I am a bit confused by your lines below:

    "If I remove the user of the access team it fixes the problem but they don't want to remove the user of the team, "

    If my understanding is not wrong, in short you want the user to see only the user-owned custom entity records, but not those owned by the team or access teams where the user exists.

    For me, a straightforward way is not possible; however, there is a possibility to add an additional filter in a retrieve multiple plugin, where you need to check whether the user has a particular security role and then add a filter condition that the record owner is the logged-in user.

    You may refer to the article below, where I am filtering records using a retrieve multiple plugin:

    goutamdascrm.wordpress.com/.../restrict-advanced-find-entity-record-based-on-security-role-using-retrieve-multiple-plugin
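
The approach described in the answer above, as an added example (not code from the thread or from the linked article): a pre-operation RetrieveMultiple plugin that limits results to records owned by the calling user when that user holds a given security role. The entity name `new_attachment` and the role name `Restricted Attachment Reader` are assumptions made for illustration.

```csharp
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Register on RetrieveMultiple, pre-operation, for the custom entity.
public class OwnRecordsOnlyFilter : IPlugin
{
    // Hypothetical names (assumptions, not from the thread).
    private const string EntityName = "new_attachment";
    private const string RestrictedRole = "Restricted Attachment Reader";

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        if (context.MessageName != "RetrieveMultiple" || context.PrimaryEntityName != EntityName) return;

        // Only QueryExpression requests are handled; a FetchExpression passes through
        // unfiltered and would need converting first.
        if (!context.InputParameters.Contains("Query")) return;
        var query = context.InputParameters["Query"] as QueryExpression;
        if (query == null) return;

        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        // Passing null runs as SYSTEM, so the role lookup does not depend on the caller's privileges.
        var service = factory.CreateOrganizationService(null);
        if (!UserHasRole(service, context.InitiatingUserId, RestrictedRole)) return;

        // Wrap the caller's criteria in a new AND filter. Appending the condition to
        // query.Criteria directly would let a top-level OR filter bypass it.
        var ownerOnly = new FilterExpression(LogicalOperator.And);
        ownerOnly.AddCondition("ownerid", ConditionOperator.Equal, context.InitiatingUserId);
        ownerOnly.AddFilter(query.Criteria);
        query.Criteria = ownerOnly;
    }

    // Checks roles assigned directly to the user; roles inherited through teams are not covered.
    private static bool UserHasRole(IOrganizationService service, Guid userId, string roleName)
    {
        var q = new QueryExpression("role") { ColumnSet = new ColumnSet("roleid"), TopCount = 1 };
        q.Criteria.AddCondition("name", ConditionOperator.Equal, roleName);
        var link = q.AddLink("systemuserroles", "roleid", "roleid");
        link.LinkCriteria.AddCondition("systemuserid", ConditionOperator.Equal, userId);
        return service.RetrieveMultiple(q).Entities.Count > 0;
    }
}
```

This narrows what list and grid queries return; it does not change the access rights evaluated on the record itself, so a single Retrieve or a Delete is unaffected.
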

  • Mahadeo Matre 17,021

    Does the user have multiple security roles, or is the user a member of any team?

    CRM will grant permission to the user based on all security roles assigned to the user and to the teams of the user.

    If any of the assigned roles has permission to view those records, then the user will be able to see those records.

  • Community Member Microsoft Employee

    Hi, thanks for answering me.

    The behavior between the two entities is Parental; does that have anything to do with this?

    I checked Access Teams and there's no template that gives rights on that entity.

    Thanks!

  • Arun Vinoth 11,613

    Interesting problem!

    Can you check the relationship behavior between Case & that custom entity? Parental/Referential/Cascading?

    Also, does the Access Team template give access rights on that custom entity, or what?
