Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / How to block certain r...
Microsoft Dynamics CRM (Archived)

How to block certain records from a security role ?

(0) ShareShare
ReportReport
Posted on by Community Member Microsoft Employee

Hello experts, 

Recently we encountered the following problem while working on the security roles and the visibility of records: the security role Agent is at the bottom of the organizational hierarchy model, yet they need an organizational access to all the contact records, regardless of which agency (business unit) they belong to. The problem is that now they want to block a certain contact records from these agents, and we cannot just change their access to the contact entity to level Deep cuz they need to see other records from the other agencies or countries. 

So is there a way to block a certain records from them? 

Thank you for your help! 

Cheers

*This post is locked for comments

  • Karsten Wirl Profile Picture
    Karsten Wirl 4,477 on at
    RE: How to block certain records from a security role ?

    Hi there.

    Yes, this is correct.

    You must combine the three security elements... sec role, team and owner.

  • Community Member Profile Picture
    Community Member Microsoft Employee on at
    RE: How to block certain records from a security role ?

    Hello Jarren, thank you for your reply. However the role-based view functionality is not available anymore, at least not for free at this date.

    Check out this link: archive.codeplex.com

    Thank you.

    Regards,

    Yi

  • Community Member Profile Picture
    Community Member Microsoft Employee on at
    RE: How to block certain records from a security role ?

    Hello Alex, thank you for your reply. The reason why we granted org-level read access to security role Agent is that they need to see all the contacts in other business units, (ex: agents who work in the UK need to see the contact records in France.... ) If we manage this with teams, and remove their org-level read access, that will affect the business practice.

    Basically there are two types of contacts, "normal contacts" and "service provider contacts", and we want to hide the latter from agents.

    I will think about the plug-in option that you mentioned.

    Thank you ,

    Regards,

    Yi

  • Suggested answer
    ashlega Profile Picture
    ashlega 34,475 on at
    RE: How to block certain records from a security role ?

    Hi Yi Yang,

     if there is a "class" of contacts you want to exclude, you might create two teams, add regular contacts to one team and "protected" contacts to the other, then add all agents to the first team and adjust their security so they don't have org-level access. They will see those "common" contacts through team membership, and all other contacts will have to be shared with them.

     if it's more about having "exceptions" for just about any contact (as in you want to have  the ability to prevent any agent from seeing any contact), that's the most complicated security scenario for Dynamics, and you'll need to resort to the sharing and/or team membership.

     For example, you might create a set of plugin to always have a team per contact, to share each contact with the team, and to maintain team membership for the agents automatically (and, then, you may introduce some kind of user-contact N:N to identify those agents that should not have access to a contact.. then the plugin will take care of maintaining team membership). That would a bit of development, that might introduce performance issues, and would require quite a bit of testing.

  • Community Member Profile Picture
    Community Member Microsoft Employee on at
    RE: How to block certain records from a security role ?

    Hi,

    A workaround of this is to Hide/Show certain Views. Create specific Views to be used for certain groups of people, and filter them based on what they need to see.

    Granted, this does not provide high levels for security purposes, but if that is not a concern, a customized View could help.

  • Community Member Profile Picture
    Community Member Microsoft Employee on at
    RE: How to block certain records from a security role ?

    Hello Syed, thank you for your reply, yeah we did create separate security roles, the problem is the security role Agent need to have an organisation level read access over the contact records for business concern, and we are trying to find a way to <hide> a certain specific contact records from them.

    Thank you.

    Regards,

    Yi

  • Community Member Profile Picture
    Community Member Microsoft Employee on at
    RE: How to block certain records from a security role ?

    Hello Karsten, thank you for your reply. I have been looking into assess teams and owner teams, however they are managed by entity, so even if I create an assess team for these contact records, the agents (who have organisation level read access) will still see the contact records right ?

    Thank you.

    Begards,

    Yi

  • Suggested answer
    Karsten Wirl Profile Picture
    Karsten Wirl 4,477 on at
    RE: How to block certain records from a security role ?

    Hello Yi.

    I recommend the use of owner teams or access teams. I realized a similiar scenario with Owner-Teams. But it's highly complex and requires strict control through Admins.

    Kind regards,

    Karsten

  • Suggested answer
    Syed Ibrahim Profile Picture
    Syed Ibrahim 6,257 on at
    RE: How to block certain records from a security role ?

    Unfortunately we can't restrict permission for few records alone.. I advise is to create separate security roles permissions .

    Hope this helps

  • Suggested answer
    Radu Chiribelea Profile Picture
    Radu Chiribelea 6,667 on at
    RE: How to block certain records from a security role ?

    Hi Yi Yang,

    The security roles permissions apply to all records - so if a user has read privilege (organization level) for Accounts - he will be able to read all of them, without any restrictions.

    Maybe you could explore the access teams msdn.microsoft.com/.../dn481569.aspx and see if you can use that to grant access to certain record to certain users only.

    Hope this helps,

    Radu

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

December Spotlight Star - Muhammad Affan

Congratulations to a top community star!

Top 10 leaders for November!

Congratulations to our November super stars!

Tips for Writing Effective Suggested Answers

Best practices for providing successful forum answers ✍️

Leaderboard

#1
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 291,269 Super User 2024 Season 2

#2
Martin Dráb Profile Picture

Martin Dráb 230,198 Most Valuable Professional

#3
nmaenpaa Profile Picture

nmaenpaa 101,156

Leaderboard

Featured topics

Product updates

Dynamics 365 release plans