Hello CRM World,
I recently got a business requirement, and was also asked the same interview question probably 2 months ago: whether we can achieve security of CRM data based on a field's value. Is it possible in CRM?
For example, on the account entity there is a 2 option-set field. All account records with the field's value set to yes should only be visible to users with security role A, and all account records with the field's value no should only be visible to users with security role B. By "not visible" I mean users should not be able to see the record in advanced find, or by making a service call to retrieve data, or even in any 3rd party tool to retrieve the data (because I know using JavaScript we can achieve this, but I want the data to be hidden from the whole CRM system).
IS IT POSSIBLE TO ACHIEVE IN CRM?
1) It would need to be synchronous.
2) You check the user has the appropriate security role. If he doesn't, you will need to throw an exception...
3) Removing records wouldn't be my recommended approach, it's rather slow (as you emphasise in your next point) - we do this a different way and also avoid using security roles for similar reasons.
4) Yes the suggested approach would be rather slow especially if the search returned doesn't contain the required field for filtering purposes.
Finally what happens when the user views an opportunity / case / email belonging to a account they shouldn't be able to see? Should they be able to see them or is it a complete no-no?
I know it's a slight sales pitch, but we wrote our Data Driven security solution (available at appsource.microsoft.com/.../houdinisecurity.houdini-record-security) to explicitly solve the type of problem you outline, as I've continually seen solutions like the one above that seem like a simple fix to a simple problem rapidly open more significant issues and often create bigger security issues than the initial fix resolves. And you really don't want to know how many months of testing with Microsoft occurred before they allowed it on AppSource.
This blog post walks through the registration and handling the data (Pre-op / sync)
https://carldesouza.com/dynamics-365-retrievemultiple-plugin/
For RetrieveMultiple you can modify the output parameter "BusinessEntityCollection"; for Retrieve, "BusinessEntity" - so if they aren't meant to see the data, just remove it. Works just like a plug-in on pre-create/update: if you modify the target it will carry over and get updated as if the change was always there.
Sure, performance is definitely a concern, but you're asking the system to do something it isn't meant to do, so unfortunately there might be some compromises that need to be made.
https://salimadamoncrm.com/2016/12/29/plugin-on-retrieve-and-retrieve-multiple-how-bad-is-it/
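The post-retrieval filtering described in this thread, as an added example that is not code from any poster or from the linked blog posts. It assumes a synchronous step on account for Retrieve and RetrieveMultiple at post-operation (stage 40), where the output parameters are populated, and a hypothetical two-option field `new_restricted`; the role names A and B follow the question.

```csharp
using System;
using System.Linq;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

public class AccountFieldVisibilityPlugin : IPlugin
{
    private const string FlagField = "new_restricted"; // hypothetical field name (assumption)

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        // null = system context, so the role lookup is not limited by the caller's own privileges
        var systemService = factory.CreateOrganizationService(null);
        bool hasA = HasRole(systemService, context.InitiatingUserId, "A");
        bool hasB = HasRole(systemService, context.InitiatingUserId, "B");

        if (context.OutputParameters.Contains("BusinessEntityCollection")) // RetrieveMultiple
        {
            var results = (EntityCollection)context.OutputParameters["BusinessEntityCollection"];
            // ToList() snapshots the matches so the collection is not modified while enumerated
            foreach (var hidden in results.Entities.Where(e => !CanSee(e, hasA, hasB)).ToList())
                results.Entities.Remove(hidden);
        }
        else if (context.OutputParameters.Contains("BusinessEntity")) // Retrieve
        {
            var record = (Entity)context.OutputParameters["BusinessEntity"];
            if (!CanSee(record, hasA, hasB))
                throw new InvalidPluginExecutionException("You do not have access to this account.");
        }
    }

    private static bool CanSee(Entity account, bool hasA, bool hasB)
    {
        bool? flag = account.GetAttributeValue<bool?>(FlagField);
        // Fail closed: if the caller's column set omitted the field, the record is hidden
        if (flag == null) return false;
        return flag.Value ? hasA : hasB; // yes -> role A only, no -> role B only
    }

    private static bool HasRole(IOrganizationService service, Guid userId, string roleName)
    {
        var query = new QueryExpression("role") { ColumnSet = new ColumnSet("roleid"), TopCount = 1 };
        query.Criteria.AddCondition("name", ConditionOperator.Equal, roleName);
        var link = query.AddLink("systemuserroles", "roleid", "roleid"); // user-to-role intersect
        link.LinkCriteria.AddCondition("systemuserid", ConditionOperator.Equal, userId);
        return service.RetrieveMultiple(query).Entities.Count > 0;
    }
}
```

`HasRole` only sees roles assigned directly to the user, not roles inherited through team membership, and it runs two extra queries on every retrieve, which is the performance cost the thread discusses.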
Thanks Jason for answering quickly. Before marking this answer as verified I do have some doubts. Appreciate your comments on them as well!
1. Is it a synchronous or async plugin? (I guess it should be sync to prevent users from seeing data). Also, on what stage do I need to register the plugin: pre (20) or post (40)?
2. If the calling user doesn't have the security role, how should I remove the output prior to returning back to the calling user? (Can you provide me the code or any MSDN resource?) Also, is it fine if I use InvalidPluginExecutionException to throw a plugin error to the calling user?
3. On the retrieve multiple message, suppose I write a plugin. Suppose I am retrieving 1000's of records: do I need to filter the retrieved data inside my plugin to remove account records that don't match my criteria and show only records which match my criteria? (Can you please provide me code on how to remove records from my retrieved data?)
4. In the longer run this might pose a performance issue, because our account entity is pretty big and we have 300 users. Every time a user opens an account record or does advanced find or makes a service call, the synchronous plugin will run and filter the data before displaying the end result to the user. This also incorporates a little delay while retrieving account records. Is this the only possible way, or is there any other optimized way of achieving a solution?
Thanks in advance and for your REST BUILDER SOLUTION
Plug-ins on Retrieve & RetrieveMultiple to look at the value(s) for the 2 option field and then determine if the calling user has security role A and/or B. If the user isn't meant to see the data based on the combination of field value and security roles, then you'd remove the output prior to returning back to the caller.