Skip to main content

Notifications

Announcements

No record found.

Finance forum
Unanswered

Security practices

(0) ShareShare
ReportReport
Posted on by
Hi,

let's say we have a form with grid (we can add, delete, edit, read), there is also three buttons
 
What is a better design in case of security A or B?

Solution A:

let's say I create those duties and privileges for each duty
  • View Form duty
    • just viewing grid
  • Maintain Form duty
    • just viewing grid
    • click button 1 
    • click button 2
  • Form administration duty
    • Insert/Delete/Update/Read Form
    • click button 1
    • click button 2
    • click button 3
And I create these roles with the following duty
  • Role 1
    • Maintain Form duty
  • Role 2 
    • Form administration duty
In solution A, it seems View Duty was not added to any role
 
Solution B:
  • View Form duty
    • just viewing grid
  • Maintain Form duty
    • click button 1 
    • click button 2
  • Form administration duty
    • Insert/Delete/Update/Read Form
    • click button 3

New roles must be created:

  • Role1
    • View Form duty
    • Maintain Form duty
  • Role2
    • Maintain Form duty
    • Form administration duty
In solution B compared to Solution A:
1. we removed the /view/ privilege form /Maintain/ duty and and gave Role1 both view and maintain duty, in order to use view duty -- what is better?
 
2. Instead of giving all privileges to /admin duty/ like solution A, in Solution B, we only added extra privileges to /admin/ duty that don't exist in /Maintain/ duty. And in /admin/ we gave the two duties /Maintain and admin/  to Role 2-- so which one is better? what is a better practice? should the duty contain everything or should the role?
 
  • André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 291,861 Super User 2024 Season 2 on at
    Security practices
    Hi,
     
    Apologies for a late reply. Somehow I was not subscribed to updates on this post. I needed to reread all information again.
     
    I will try to give you my view on your questions. Note that your approach is also giving the correct result. I just tried to create less objects based on the required end result. As I don't have the full overview, maybe I missed something.
     
    1a. The Maintain form in my suggestion has a different purpose than the Maintain form in your solution. In my set, I added this button 3 to create less privileges only. It would not be wrong to have a separate privilege. 
    1b. Also valid for 1a. In case there is a need and you foresee to separate access for button 1 and 2, then indeed, you can create separate privileges. Anyway, if there is a requirement for a change, something needs to be adjusted in the security. 
     
    2. This was not a typo. Again, I didn't know all the details for this customization. In case a user is not allowed to make changes on the grid, I would initially call it a View permission. In your reply, you now clarified the purpose of the buttons. That is changing data on the grid, so then it becomes indeed a Maintain permission. 
     
    3. Correct. See the answers above (1 and 2).
     
    4. See also my reply on question 2. In case you need it in the future, you would need to make changes anyway. In case you now have an unlinked duty and you choose not to delete it, best practice checks will alert you that the duty is not included in any security role.
     
    5. In your solution B, you used all security objects. Then the best practice checks will not complain about an "obsolete" object.
     
    For your solution A or B, there is not a real difference apart from the best practice check warning you can expect for solution A.
  • Suggested answer
    André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 291,861 Super User 2024 Season 2 on at
    Security practices
    Hi,
     
    Personally, I would use the option making different building blocks as privilege and then reuse privileges in the duties for these roles, like this:
     
    Privileges:
    View form
    • Read access to the form
    Maintain form
    • Delete access to the form
    • Access to button 3
    Manage actions 
    • Access to button 1 and 2
     
    Duties:
    Inquire into form
    • Privilege: View form
    Maintain form
    • Privilege: View form
    • Privilege: Manage actions
    Form administration
    • Privilege: Maintain form
    • Privilege: Manage actions
    Roles:
    Role 1:
    • Duty Maintain form
    Role 2: 
    • Duty: Form administration
     
    Apart from this, I wonder if you need the view privilege at all when looking at the required roles. In that case, you can simplify it a bit more. With this setup, I'm not happy with the naming conventions myself, but tried to align them to your names as part of the question. E.g. a maintain duty giving only view access + two buttons does not really feel like "maintain".

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

November Spotlight Star - Khushbu Rajvi

Congratulations to a top community star!

Forum Structure Changes Coming on 11/8!

In our never-ending quest to help the Dynamics 365 Community members get answers faster …

Dynamics 365 Community Platform update – Oct 28

Welcome to the next edition of the Community Platform Update. This is a status …

Leaderboard

#1
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 291,861 Super User 2024 Season 2

#2
Martin Dráb Profile Picture

Martin Dráb 230,540 Most Valuable Professional

#3
nmaenpaa Profile Picture

nmaenpaa 101,156

Leaderboard

Featured topics

Product updates

Dynamics 365 release plans