Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / Read-level Auditing in...
Microsoft Dynamics CRM (Archived)

Read-level Auditing in CRM

(0) ShareShare
ReportReport
Posted on by ashishtrivedi 70

We have a (challenging!!) requirement to audit read-operations in CRM. This audit won't be the OOTB CRM Auditing but audit to an external auditing system via web services. Basically we will be classifying all the entity fields as High/Medium/Low and whenever any user views any fields tagged as High/Medium, we need to audit it.

I understand that Read-level auditing isn't supported OOTB by CRM and this requirement will have significant performance impact, however there is no way out since this is a business-critical functionality. Since the CRM records can be viewed from multiple sources (Form, Home Grid, Sub Grid, Advanced Find, Lookup Views, etc.), I am trying to look for a common solution that works in all the scenarios. One approach I tried out is using plugins on Retrieve/RetrieveMultiple messages and have the custom audit logic in the plugin, however I am concerned about the performance impact this approach will have. Another approach I can think of would be to handle this using Javascript, however the Javascript approach won't work with all the scenarios like Advanced Find, Lookup Views, etc.

I am looking for suggestions on any other better solution to this.

*This post is locked for comments

  • Suggested answer
    a33ik Profile Picture
    a33ik 84,325 Most Valuable Professional on at
    RE: Read-level Auditing in CRM

    Ashish,

    Solution from my blog post you mentioned will work for on-premice outside of isolation only.

  • David Jennaway Profile Picture
    David Jennaway 14,063 on at
    RE: Read-level Auditing in CRM

    If the SDK calls are done under a given service account you could identify them from the calling user. Otherwise the dummy attribute is probably your best option

  • ashishtrivedi Profile Picture
    ashishtrivedi 70 on at
    RE: Read-level Auditing in CRM

    Thanks Andrew and David for your responses. I think Async plugin seems to be the best solution in this scenario. However one issue that I am trying to dig into now is how to find the source of all the RetrieveMultiple calls since the message can be triggered from multiple sources including any SDK calls, Views, Lookups, Advanced Find, etc. I had used the CallerOrigin property in plugin context in previous versions of CRM but seems it isn't available in 2016.    

    I am still to try this solution suggested by Andrew with CRM 2016. Another solution to this would be to modify all the SDK calls to include a dummy attribute. Any other suggestions or anything got added to CRM 2016 I may be missing? 

  • ashishtrivedi Profile Picture
    ashishtrivedi 70 on at
    RE: Read-level Auditing in CRM

    Thanks Alex for your response. We are already using field level security for some of the fields to govern whether the user can view those fields or not. However in this scenario the user already has the correct rights and privileges to view those fields, however the auditing needs to take place specifying who viewed what data and when.

  • ashlega Profile Picture
    ashlega 34,477 on at
    RE: Read-level Auditing in CRM

    What if you created a field security profile for high/medium fields that would enable "read" access to such fields, and, then, had a ribbon button on the forms that would allow the users to "add themselves" to that profile (you might have a plugin configured to run under an admin account for that).

    Once the button is clicked, you would add a user to the profile, then you would reload the form, and count that as read-access(to all the high/medium fields on the form)

    And, then, you might remove that user from the security profile right away (actually, could be done through team membership)

    The limitation would be that your users would have to open a form to see those fields, they won't be able to see such fields in the advanced find.. but this would cover reporting and excel..

    PS. You might probably do this for each individual field(put a button next to each field).. but that's a lot of field security profiles / buttons

  • David Jennaway Profile Picture
    David Jennaway 14,063 on at
    RE: Read-level Auditing in CRM

    Andrew's right, in that a plugin is the only solution, and async plugins should minimise the performance overhead (though the performance overhead may still make CRM unusable).

    However, RetrieveMultiple plugins don't fire in all circumstances. Two that they don't cover are:

    • Export to Excel
    • Running reports

    The only option here is to prevent users from having access to this functionality.

  • Suggested answer
    a33ik Profile Picture
    a33ik 84,325 Most Valuable Professional on at
    RE: Read-level Auditing in CRM

    Hello Ashish,

    Try to switch your plugins to Async mode. This should not cause such huge performance impact as Sync plugin cause.

    I'm afraid that Plugins is the only solution for you. Good luck implementing it.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Announcing Our 2025 Season 1 Super Users!

A new season of Super Users has arrived, and we are so grateful for the daily…

Vahid Ghafarpour – Community Spotlight

We are excited to recognize Vahid Ghafarpour as our February 2025 Community…

Tip: Become a User Group leader!

Join the ranks of valued community UG leaders

Leaderboard

#1
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 292,494 Super User 2025 Season 1

#2
Martin Dráb Profile Picture

Martin Dráb 231,307 Most Valuable Professional

#3
nmaenpaa Profile Picture

nmaenpaa 101,156

Leaderboard

Featured topics

Product updates

Dynamics 365 release plans