Microsoft Dynamics CRM (Archived)

User able to see related records even though security roles do not give privileges to read other than user level


Hi!

I have a problem with the CRM I'm working on: a user who has a security role over a custom entity, with read privileges set at user level, can see related records on a Case even though they don't own those records of that custom entity.

So far what I see is that the user belongs to an access team (that has the same BU the user is in) and the Case is owned by a Team that has the same BU (but the user does not belong to that team). I checked that if I remove the user from the access team it fixes the problem, but they don't want to remove the user from the team. Do you know what solution could apply to this?

Thanks!

  • Arun Vinoth
    11,615 Moderator

    Interesting problem!

    Can you check the relationship behavior between Case and that custom entity? Parental/Referential/Cascading?

    Also, does the Access Team template give access rights on that custom entity, or what?

  • Community Member

    Hi, thanks for answering me.

    The behavior between the two entities is Parental. Does that have anything to do with this?

    I checked Access Teams and there's no template that gives rights on that entity.

    Thanks!

  • Mahadeo Matre
    17,021

    Does the user have multiple security roles, or is the user a member of any team?

    CRM will grant permissions to the user based on all security roles assigned to the user and to the user's teams.

    If any of the assigned roles has permission to view those records, then the user will be able to see those records.

  • gdas
    50,091 Moderator

    Sorry, I am a bit confused by your lines below:

    "If I remove the user of the access team it fixes the problem but they don't want to remove the user of the team"

    If my understanding is not wrong, in short you want the user to see only the user-owned custom entity records, but not the team-owned records or those of access teams where the user exists.

    For me, a straightforward way is not possible; however, there is a possibility to add an additional filter in a RetrieveMultiple plugin, where you need to check whether the user has a particular security role and then add a filter condition that the record owner is the logged-in user.

    You may refer to the article below, where I am filtering records using a RetrieveMultiple plugin:

    goutamdascrm.wordpress.com/.../restrict-advanced-find-entity-record-based-on-security-role-using-retrieve-multiple-plugin
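
The RetrieveMultiple filter suggested in the reply above, as an added example that is not part of the thread or of the linked article. The role name and the registration details in the comments are assumptions; the owner condition is ANDed around the caller's filter so that an OR at the top level of the original query cannot bypass it.

```csharp
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Assumed registration: Message = RetrieveMultiple, Stage = Pre-operation,
// Primary Entity = the custom entity whose rows must be limited to the owner.
public class RestrictToOwnRecordsPlugin : IPlugin
{
    // Assumption: placeholder role name, not taken from the thread.
    private const string RestrictedRoleName = "Restricted Attachment Reader";

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        if (context.MessageName != "RetrieveMultiple" || !context.InputParameters.Contains("Query")) return;

        // Only QueryExpression is handled; a FetchExpression passes through unfiltered.
        var query = context.InputParameters["Query"] as QueryExpression;
        if (query == null) return;

        // null => run as SYSTEM so the role lookup is not limited by the caller's own privileges.
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        var service = factory.CreateOrganizationService(null);
        if (!UserHasRole(service, context.InitiatingUserId, RestrictedRoleName)) return;

        // Wrap the caller's criteria: (ownerid == caller) AND (original filter).
        var original = query.Criteria;
        var wrapped = new FilterExpression(LogicalOperator.And);
        wrapped.AddCondition("ownerid", ConditionOperator.Equal, context.InitiatingUserId);
        if (original != null) wrapped.AddFilter(original);
        query.Criteria = wrapped;
        context.InputParameters["Query"] = query;
    }

    // True when the user is directly assigned a role with the given name.
    private static bool UserHasRole(IOrganizationService service, Guid userId, string roleName)
    {
        var q = new QueryExpression("systemuserroles") { ColumnSet = new ColumnSet(false), TopCount = 1 };
        q.Criteria.AddCondition("systemuserid", ConditionOperator.Equal, userId);
        var link = q.AddLink("role", "roleid", "roleid");
        link.LinkCriteria.AddCondition("name", ConditionOperator.Equal, roleName);
        return service.RetrieveMultiple(q).Entities.Count > 0;
    }
}
```

The filter only hides rows from RetrieveMultiple results; it does not change the access rights the platform grants on a record, which is the delete-access concern raised later in the thread.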

  • Community Member

    Great Answer!

    I was thinking the same about using a plugin, but I'm trying to wrap my head around why this is happening.

    I'll try it, Thanks!

  • Community Member

    Now I do have a question; maybe some images will help with this. As you know, I have an issue with the cases and some related records (custom entity): if the user belongs to an access team, it provides unwanted access to some records.

    accessrightrecord.PNG

    That's the security role, the only role the user has assigned (and the user does not belong to another team that has more roles). As you see, it only has create, write, append and append to at org level, and can only read their own attachment (custom) record.

    But now, if I check the access with the XrmToolBox access checker on a related attachment record the user doesn't own:

    accessrightrecord.PNG

    As you see, it gives read and delete access to that record even though the security roles do not; with their own records it's the same, it gives a delete right.

    Now if I remove the user from the access team, it will be good:

    accessrightrecord2.PNG

    This bugs me because even if I apply the RetrieveMultiple plugin it will still give delete access to the record, and that will be a problem.

    Thanks!
