Dynamics CRM Security

(0) Share

Report

Posted on by KaiHartmann1981

204

We are having a security Issue within Dynamics CRM 2016 On Premise

The Scenario is as follows: There is one main organization with three different business units A (With User A1 and A2) B (with User B1 and B2), C (with User C1 and C2). In general the users are working with the records of their own business units – accordingly the entities (e.g. Accounts and Activities) are setup for business unit access. But some users are allowed to read and access data of user business units as well. So we created an Access Team for each business unit which also gets entity access for their own business unit (via team security role) and then we assign users from other business units to this team: In our example User A1 should also work with Accounts and Activities of Business Unit B – so we created Access Team B (which is assigned to Business unit B) and put User A1 into this Access Team. This works good for accessing the data. But the problem is, when User A1 now creates Activities (e.g. Tasks) to a Company that is owned by User B1. This Activity is then visible for Business Unit A, because A1 is the owner of the Activity, and not visible for Business Unit B (except for the Account Owner User B1 – this is done by automatic Share and visible only in the PrincipalObjectAccess Table). Our Business Requirement is, that the Business Unit of the Account (which is determined by the Account Owner) regulates Access for assigned Activities as well. Is there any way to achieve this?

*This post is locked for comments

I have the same question (0)

All responses (5)

Answers (0)

Gopalan Bhuvanesh 11,401 on at

Like (0)

Report

You want the newly created Activity (regarding a record in a different business unit) to be owned by the owner of the parent record (regarding object).

Did you consider creating a plugin for this?

Was this reply helpful? Yes No
ashlega 34,477 on at

Like (0)

Report

It may be a bit of an overkill, but, if you still wanted those activities to be assigned to the users who created them, then you have to start sharing activities with the account business unit somehow. For example, you might start sharing such activities with those special teams you created per BU and this would also required a plugin, though a different one). If you move a user from one BU to another, you'll have to re-set all that sharing, though.

Was this reply helpful? Yes No
Suggested answer

prt33k 6,907 on at

Like (0)

Report

Hi Kai,

The requirement is:

1) The user should able to access record across BU.

2) The entity should be visible to BU users only in addition to whom it was granted access.

The first requirement is met by access team where you can add user from any BU and they have access.

The second requirement can be met only if we freeze the ownership of the entity to BU. For this, you can create two team for each business unit and default the ownership to these team when the record is getting created based upon the regardingid BU or any other business rule.

The User B in your case will get access to the task because he has access to parent object.

The user of Business Unit A will get access since the record belong to there BU.

Do let me know if this serve you purpose, or if I am missing something.

Thanks,

PS

Was this reply helpful? Yes No
KaiHartmann1981 204 on at

Like (1)

Report

Hi,

Thank you for your answers.

1. Gopalan Bhuvanesh: Changing the Owner of the Activtity to Company Owner

The Problem with that is, that the originate owner is lost, when changing the Activtiy owner. Then we would need to show the Creator in each Activtiy form.

2. Alex Shlega: Sharing the Activity via Plugin

Thats the concept we followed so far and it solves the visibility for the Business Unit of the Account. But the Business Unit of the Owner can still see this activity and we also need to prevent that.

3. prt33k: Access Teams for Sharing and Changing the Owner to Business Unit Team

The Problem with Access Teams as far as I know is, that they need to be defined for each Account and each User, which is too much overhead, as we need Access for complete Business Units.

Also changing the Owner strictly to BU Teams is a Problem, because we need to work with User-Ownership, so the Creator and Responsibility is clear.

However out of your answers we found a slightly different solution:

In our Scenario User A1 is assigned to Business Unit A. But within Business Unit B we will create a personal team for this user "B - A1". Via this team the user gets access to business unit B. And we're able to write a plugin for activities, that checks if Owner BU is different than Account Owner BU. And if so, the activity will be assigned to that personal Team "B - A1". This is a bit overhead for initial Administration, but then we have access and ownership as we wanted.

Thank You!

Was this reply helpful? Yes No
ashlega 34,477 on at

Like (0)

Report

Hi Kai,

for the "sharing via plugin" option.. technically, you might try the following (and the disclaimer is that there can be a lot of sharing then):

1. Add unit B user to the Access Team for Unit B

2. Re-configure security roles for your users and default BU teams to allow "user-level" access (not bu-level)

3. In the plugin, keep doing what you are doing, but, also, start sharing with the user's business unit:

- If an account belongs to another BU, don't share the activity with the user's bu access team

- If an account belongs to the same BU, share the activity with the user's bu access team

- And you'll probably need to share the accounts with the user's bu access team as well

(You might probably start using default BU teams instead of those additional teams then if you did it this way)

Was this reply helpful? Yes No