Hello experts,
Recently we encountered the following problem while working on the security roles and the visibility of records: the security role Agent is at the bottom of the organizational hierarchy model, yet they need organizational access to all the contact records, regardless of which agency (business unit) they belong to. The problem is that now they want to block certain contact records from these agents, and we cannot just change their access to the contact entity to level Deep because they need to see other records from the other agencies or countries.
So is there a way to block certain records from them?
Thank you for your help!
Cheers
Hi there.
Yes, this is correct.
You must combine the three security elements... sec role, team and owner.
Hello Jarren, thank you for your reply. However the role-based view functionality is not available anymore, at least not for free at this date.
Check out this link: archive.codeplex.com
Thank you.
Regards,
Yi
Hello Alex, thank you for your reply. The reason why we granted org-level read access to security role Agent is that they need to see all the contacts in other business units (e.g. agents who work in the UK need to see the contact records in France). If we manage this with teams, and remove their org-level read access, that will affect the business practice.
Basically there are two types of contacts, "normal contacts" and "service provider contacts", and we want to hide the latter from agents.
I will think about the plug-in option that you mentioned.
Thank you,
Regards,
Yi
Hi Yi Yang,
If there is a "class" of contacts you want to exclude, you might create two teams, add regular contacts to one team and "protected" contacts to the other, then add all agents to the first team and adjust their security so they don't have org-level access. They will see those "common" contacts through team membership, and all other contacts will have to be shared with them.
If it's more about having "exceptions" for just about any contact (as in you want to have the ability to prevent any agent from seeing any contact), that's the most complicated security scenario for Dynamics, and you'll need to resort to sharing and/or team membership.
For example, you might create a set of plugins to always have a team per contact, to share each contact with the team, and to maintain team membership for the agents automatically (and then you may introduce some kind of user-contact N:N to identify those agents that should not have access to a contact... then the plugin will take care of maintaining team membership). That would be a bit of development, that might introduce performance issues, and would require quite a bit of testing.
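Added example, not part of any post in this thread and not Dynamics SDK code: a simplified model of the additive read check the replies describe, comparing an agent with organization-level read against the two-team setup suggested above. The class names, team names, contacts and the evaluation order are constructed assumptions, and the Deep access level is left out.

```python
# Simplified, constructed model of the additive read check discussed in this thread.
# Not the Dynamics SDK: all names and the evaluation order are illustrative assumptions.
from dataclasses import dataclass, field

NONE, USER, BUSINESS_UNIT, ORGANIZATION = range(4)  # read depth; Deep is omitted

@dataclass
class Principal:
    name: str
    business_unit: str
    read_depth: int
    teams: frozenset = frozenset()

@dataclass
class Contact:
    name: str
    owner: str            # owning user or owner team
    business_unit: str    # business unit of the owner
    shared_with: set = field(default_factory=set)  # users/teams granted read

def can_read(user, contact):
    """Return the grant that gives read access, or None. Grants only add; none deny."""
    identities = {user.name} | user.teams
    if user.read_depth == ORGANIZATION:
        return "role: organization"
    if user.read_depth >= BUSINESS_UNIT and contact.business_unit == user.business_unit:
        return "role: business unit"
    if user.read_depth >= USER and contact.owner in identities:
        return "role: owner or owner team"
    if contact.shared_with & identities:
        return "share or access team"
    return None

def visible(user, contacts):
    return sorted(c.name for c in contacts if can_read(user, c))

# Constructed sample data: two owner teams, as in the two-team suggestion.
CONTACTS = [
    Contact("Normal FR", "Regular Contacts", "Root"),
    Contact("Normal UK", "Regular Contacts", "Root"),
    Contact("Provider A", "Protected Contacts", "Root"),
    Contact("Provider B", "Protected Contacts", "Root", shared_with={"agent_uk"}),
]
# Current setup: organization-level read, so team membership changes nothing.
agent_org = Principal("agent_uk", "UK", ORGANIZATION, frozenset({"Regular Contacts"}))
# Two-team setup: user-level read plus membership of the regular-contacts team.
agent_team = Principal("agent_uk", "UK", USER, frozenset({"Regular Contacts"}))

if __name__ == "__main__":
    for label, agent in (("org-level", agent_org), ("two teams", agent_team)):
        print(label, visible(agent, CONTACTS))
```

In this model the protected contacts disappear only once the organization-level grant is removed, and any explicit share brings a single protected contact back into view.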
Hi,
A workaround for this is to hide/show certain Views. Create specific Views to be used for certain groups of people, and filter them based on what they need to see.
Granted, this does not provide high levels for security purposes, but if that is not a concern, a customized View could help.
Hello Syed, thank you for your reply. Yes, we did create separate security roles; the problem is that the security role Agent needs to have organisation-level read access over the contact records for business reasons, and we are trying to find a way to hide certain specific contact records from them.
Thank you.
Regards,
Yi
Hello Karsten, thank you for your reply. I have been looking into access teams and owner teams, however they are managed by entity, so even if I create an access team for these contact records, the agents (who have organisation-level read access) will still see the contact records, right?
Thank you.
Regards,
Yi
Hello Yi.
I recommend the use of owner teams or access teams. I realized a similar scenario with owner teams. But it's highly complex and requires strict control through admins.
Kind regards,
Karsten
Unfortunately we can't restrict permission for a few records alone. My advice is to create separate security role permissions.
Hope this helps
Hi Yi Yang,
The security role permissions apply to all records - so if a user has read privilege (organization level) for Accounts - he will be able to read all of them, without any restrictions.
Maybe you could explore the access teams (msdn.microsoft.com/.../dn481569.aspx) and see if you can use that to grant access to certain records to certain users only.
Hope this helps,
Radu