Microsoft Dynamics CRM forum

Security based on field's value?

Posted on by 594

Hello CRM World,

I recently got a business requirement, and was also asked the same interview question probably 2 months ago: whether we can achieve security of CRM data based on a field's value. Is it possible in CRM?

For example, on the account entity there is a 2 option-set field. All account records with the field's value set to yes should only be visible to users with security role A, and all account records with the field's value no should only be visible to users with security role B. By "not visible" I mean users should not be able to see the record in advanced find, or by making a service call to retrieve data, or even in any 3rd party tool to retrieve the data (because I know using JavaScript we can achieve this, but I want the data to be hidden from the whole CRM system).

IS IT POSSIBLE TO ACHIEVE IN CRM?

  • Verified answer
    Ben Thompson 6,350 on at
    RE: Security based on field's value?

    1) It would need to be synchronous.

    2) You check the user has the appropriate security role. If he doesn't, you will need to throw an exception...

    3) Removing records wouldn't be my recommended approach; it's rather slow (as you emphasise in your next point) - we do this a different way and also avoid using security roles for similar reasons.

    4) Yes, the suggested approach would be rather slow, especially if the search returned doesn't contain the required field for filtering purposes.

    Finally, what happens when the user views an opportunity / case / email belonging to an account they shouldn't be able to see? Should they be able to see them or is it a complete no-no?

    I know it's a slight sales pitch, but we wrote our Data Driven security solution (available at appsource.microsoft.com/.../houdinisecurity.houdini-record-security) to explicitly solve the type of problem you outline, as I've continually seen solutions like the one above that seem like a simple fix to a simple problem rapidly open more significant issues and often create bigger security issues than the initial fix resolves. And you really don't want to know how many months of testing with Microsoft occurred before they allowed it on AppSource.

  • Verified answer
    jlattimer 24,558 on at
    RE: Security based on field's value?

    This blog post walks through the registration and handling the data (Pre-op / sync)

    https://carldesouza.com/dynamics-365-retrievemultiple-plugin/

    For RetrieveMultiple you can modify the output parameter "BusinessEntityCollection"; for Retrieve, "BusinessEntity" - so if they aren't meant to see the data, just remove it. Works just like a plug-in on pre-create/update: if you modify the target it will carry over and get updated as if the change was always there.

    Sure, performance is definitely a concern, but you're asking the system to do something it isn't meant to do, so unfortunately there might be some compromises that need to be made.

    https://salimadamoncrm.com/2016/12/29/plugin-on-retrieve-and-retrieve-multiple-how-bad-is-it/

  • chakkay 594 on at
    RE: Security based on field's value?

    Thanks Jason for answering quickly. Before marking this answer as verified I do have some doubts. Appreciate your comments on them as well!

    1. Is it a synchronous or async plugin? (I guess it should be sync to prevent users from seeing data.) Also, on what stage do I need to register the plugin: pre (20) or post (40)?

    2. If the calling user doesn't have the security role, how should I remove the output prior to returning back to the calling user? (Can you provide me the code or any MSDN resource?) Also, is it fine if I use InvalidPluginExecutionException to throw a plugin error to the calling user?

    3. On the retrieve multiple message, suppose I write a plugin. Suppose I am retrieving 1000s of records: do I need to filter the retrieved data inside my plugin to remove account records that don't match my criteria and show only records which match my criteria? (Can you please provide me code on how to remove records from my retrieved data?)

    4. In the longer run this might pose a performance issue, because our account entity is pretty big and we have 300 users. Every time a user opens an account record, does an advanced find or makes a service call, the synchronous plugin will run and filter the data before displaying the end result to the user. This also incorporates a little delay while retrieving account records. Is this the only possible way, or is there any other optimized way of achieving a solution?

    Thanks in advance and for your REST BUILDER SOLUTION

  • Suggested answer
    jlattimer 24,558 on at
    RE: Security based on field's value?

    Plug-ins on Retrieve & RetrieveMultiple to look at the value(s) for the 2 option field and then determine if the calling user has security role A and/or B. If the user isn't meant to see the data based on the combination of field value and security roles, then you'd remove the output prior to returning back to the caller.
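
The filtering described in the answers above, sketched as a plug-in (an added example, not code from the thread or the linked blog posts). It assumes a synchronous post-operation step on RetrieveMultiple of account, since output parameters are only populated after the core operation, plus a hypothetical two-option column `new_restricted` and roles literally named "Role A" and "Role B".

```csharp
using System;
using System.Linq;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Assumed registration: RetrieveMultiple, account, post-operation (stage 40), synchronous.
public class FilterAccountsByFlag : IPlugin
{
    // Assumed names: replace with your own column and security roles.
    private const string FlagColumn = "new_restricted";   // hypothetical two-option column
    private const string RoleForYes = "Role A";
    private const string RoleForNo = "Role B";

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        if (context.MessageName != "RetrieveMultiple" ||
            !context.OutputParameters.Contains("BusinessEntityCollection")) return;
        var results = context.OutputParameters["BusinessEntityCollection"] as EntityCollection;
        if (results == null || results.EntityName != "account") return;

        // Look up roles as SYSTEM (null user id) so the check does not depend on the
        // caller's own privileges. Only directly assigned roles are found this way.
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        var service = factory.CreateOrganizationService(null);
        var query = new QueryExpression("role") { ColumnSet = new ColumnSet("name") };
        var link = query.AddLink("systemuserroles", "roleid", "roleid");
        link.LinkCriteria.AddCondition("systemuserid", ConditionOperator.Equal, context.InitiatingUserId);
        var roles = service.RetrieveMultiple(query).Entities
            .Select(r => r.GetAttributeValue<string>("name")).ToList();
        bool maySeeYes = roles.Contains(RoleForYes), maySeeNo = roles.Contains(RoleForNo);

        // Iterate backwards so RemoveAt does not shift indexes not yet visited.
        for (int i = results.Entities.Count - 1; i >= 0; i--)
        {
            // If the query did not select the flag column the value is null:
            // fail closed and drop the record rather than leak it.
            bool? flag = results.Entities[i].GetAttributeValue<bool?>(FlagColumn);
            bool allowed = flag.HasValue && (flag.Value ? maySeeYes : maySeeNo);
            if (!allowed) results.Entities.RemoveAt(i);
        }
    }
}
```

Roles inherited through team membership need an additional query, and Retrieve needs its own step that applies the same check to the "BusinessEntity" output parameter. Records reached through related opportunities, cases or emails are not covered by this step.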
