Microsoft Dynamics CRM (Archived)

Record level security

(0) Share

Report

Posted on by sardar ahmed

520

Hi experts,

I have a user, whose records should be visible to everyone except few records(private records).

These private records should be only visible to a group of users...

How do we achieve this in CRM.

Your help is much appreciated

Thanks.

*This post is locked for comments

I have the same question (0)

All responses (7)

Answers (0)

Suggested answer

Community Member on at

Like (0)

Report

Hi Sadar,

please proceed as follows:

1) Create a Business unit higher above the other user business units

2) Create a Role with privilege "BU and childs" about those type of records

3) Move the user which own the records and all the users which could see those records in this BU

3) Move the user which could not below this BU

Hope it helps!

If you found the answer helpful, please mark as Verified

Join my network on LinkedIn Follow me on Twitter

Thank You & Best Regards

Francesco Picchi

Microsoft Dynamics CRM Consultant, Bologna, ITALY

Independent Contractor

http://www.francescopicchi.com

Was this reply helpful? Yes No
Suggested answer

ashlega 34,477 on at

Like (0)

Report

Hi,

I don't think you can do it based off the owner security (no matter what you do, if you give other users access to this user's records using ownership security, you wan't be able to deny access to any of the records)

The only option would be to use record sharing (either direct sharing, or, if possible, using manual/system access teams)

In that case, you might create an access team and add all those other users to the team.. then you might share all the records (except those few ones) with that access team.

You might probably add some automation there (a workflow that would share the records automatically unless they are somehow marked as "private".. might add a new boolean field for that)

Was this reply helpful? Yes No
Suggested answer

Aric Levin - MVP 30,190 Moderator on at

Like (0)

Report

We actually have a similar situation for one of our clients. The records are available for Read-Only access on an organization level, but update is only for a particular group.

The way we set it up is we have two business units under the root business unit. Let's call them staff and private.

All the records have ownership set to staff team, while the private records have ownership set to private team.

We have security roles for team and private accordingly.

The members of the private team have organization R/W.

The members of the staff team have organization Read access (in our case), and business unit Write access.

Another note here, I am not sure which entities you are trying to do this on, but there is (or used to be) a bug/by design issue with Contacts and Accounts, since they have a special relationship.

The issue here is if a contact belongs to the private bu, but has a parent account that belongs to the staff bu, then the record will be visible. For us, the resolution for this was to set the parent account to also be owned by the private bu, which was ok, but if you are working with accounts and contacts, you should be aware of this issue.

Hope this helps.

Was this reply helpful? Yes No
sardar ahmed 520 on at

Like (0)

Report

Hi Aric,

The scenario is slightly different for me here.It's about restricting records rather than access levels.

The problem here is, the user's records should be by default public to everyone and if he wants to make a record private, then we need to restrict them to some specific users.

Was this reply helpful? Yes No
sardar ahmed 520 on at

Like (0)

Report

Hi Alex,

Yes, we are planning for something of this sort.

But, the problem with automating is, we need to share the records with all the users in the Organization, which is quite painful, as we might have more number of users.

Was this reply helpful? Yes No
ashlega 34,477 on at

Like (1)

Report

Hi,

You might use teams for sharing - just add users to the team and share records with that team(use access team for that).that might help with the number of sharings

Was this reply helpful? Yes No
Suggested answer

Community Member on at

Like (1)

Report
Hi Sardar,

if you want to exclude without using complex BU/Role/Sharing rules you could always reach your goal by plugin.

Proceed as follows:

1) Create a new attribute into this type of records, we say "Track as Private"

2) Create a plugin for Retrieve e RetrieveMultiple message checking "Track as Private" value

3) When value is true and current User is not added to the selected Team, set Entity (for retrieve) or BusinessEntity list (for retrieve multiple) as empty; this will "hide" records to unauthorized users.

This code hide all retrieved entities to users not found by method "RetrieveUserInAuthorizedTeam" (at your charge :-) ):

var businessentitylist = context.OutputParameters.Contains("BusinessEntityCollection") && context.OutputParameters["BusinessEntityCollection"] is EntityCollection && ((EntityCollection)context.OutputParameters["BusinessEntityCollection"]).Entities.Count > 0 ? ((EntityCollection)context.OutputParameters["BusinessEntityCollection"]).Entities.ToList(): null;
bool isuserinteam = RetrieveUserInAuthorizedTeam(crmService, currentUserId);
if (isuserinteam && businessentitylist != null && businessentitylist.Count > 0) {

context.OutputParameters["BusinessEntityCollection"]).Entities.Clear();

}

Hope it helps!

If you found the answer helpful, please mark as Verified

Join my network on LinkedIn Follow me on Twitter

Thank You & Best Regards

Francesco Picchi

Microsoft Dynamics CRM Consultant, Bologna, ITALY

Independent Contractor

http://www.francescopicchi.com

Was this reply helpful? Yes No