Microsoft Dynamics CRM (Archived)

User is able to assign a record although it shouldn't be possible for him


Hey together,

I've got a question concerning Access Level and User Rights.

2045.Forum1.PNG

- "User 1" owns a contact

- "Sharing", "Append", "Append" and "Append To" are on "User Level"

- Although "User 1" is able to share and assign the record to "User 2"

5125.Forum2.PNG

How is that possible?

Overall, "User 1" gets an error message after assigning the record, saying that "User 1" doesn't have Read access. So it seems that the record was assigned directly to "User 2" (the new owner), and after that the page of the contact was loaded in the background, the system asked for the permissions of "User 1" and reported that he has no rights to read the contact.
But as I understand the Security Role, "User 1" should only have been able to assign the record to a user in his team.

Does anyone have any idea how to solve this problem? This would be awesome!

Best regards and a nice Wednesday to you.

Mick


  • Mick_4711 552
    RE: User is able to assign a record although it shouldn't be possible for him

    Oh, my god! I understood the Access Levels, Ownership and so on completely wrong.

    As Daniel said, it depends on the ownership. That wasn't that obvious for me.

    So User 1 is the owner and is able to share just his records - but in the whole organization.

    If User 1 had "Share" on Business Unit level, he could share the records of the Business Unit he is in.

    Now I got it! *facepalm*

    Have a nice weekend!

  • Mick_4711 552
    RE: User is able to assign a record although it shouldn't be possible for him

    To make sure there are no connections to an account/contact, I let User 1 create a new account and contact.

    After that I let him share this contact. It was still possible for him. 

    FYI:  there was a structure before. The BUs and Teams are completely new. 

  • Mick_4711 552
    RE: User is able to assign a record although it shouldn't be possible for him

    Thanks for your replies, guys.

    I'll check it all tomorrow and get right back to you with the/my results.

    Have a nice Thursday!

  • Aric Levin 30,188
    RE: User is able to assign a record although it shouldn't be possible for him

    Does User 1 have a parent record that is not in the same Business Unit as User 1?

    For example if User 1 has a parent account in BU0, he will be able to do such.

    I encountered a similar issue a few years back, and per Microsoft this is a feature with this type of relationship.

    I am not sure if you are facing a similar situation. I would check it...

  • Verified answer
    Daniel Wikell 2,360
    RE: User is able to assign a record although it shouldn't be possible for him

    Ah ok I think I understand.

    When you have "user level" on assign, it means you are able to assign the contacts that you own yourself. The target of the assignment is not regulated in the security role, only the rights you have to the particular contact. As long as you can read the user entity from another business unit, people will be able to select them as the assignee target.

    What you can do to solve this is either:

    A: Change the read rights to the User entity to "Business Unit Level". This will make it so that users from other business units don't show up as an assignee target. This read restriction may have other effects as well so you would want to experiment a bit after setting this.

    B: Write a plugin that triggers on the assign step of the contact. In the plugin, check that the selected target user is in the same business unit as the previous owner, otherwise reject the assign event.
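
A sketch of the plug-in described in option B of the answer above, added here as an example and not code from the thread or from Microsoft. The class name is hypothetical, and the step is assumed to be registered on the Assign message of the contact entity in a pre-operation stage; it compares the record's `owningbusinessunit` with the assignee's `businessunitid`.

```csharp
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Hypothetical plug-in class; register it on the Assign message of the
// contact entity in a pre-operation step so the exception cancels the assign.
public class BlockCrossBusinessUnitAssign : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)
            serviceProvider.GetService(typeof(IPluginExecutionContext));

        if (!string.Equals(context.MessageName, "Assign", StringComparison.OrdinalIgnoreCase) ||
            !context.InputParameters.Contains("Target") ||
            !context.InputParameters.Contains("Assignee"))
            return;

        var target = (EntityReference)context.InputParameters["Target"];
        var assignee = (EntityReference)context.InputParameters["Assignee"];
        if (target.LogicalName != "contact")
            return;

        // Run lookups as SYSTEM: the caller may have no read access to the
        // assignee's user/team row, and the check must not depend on that.
        var factory = (IOrganizationServiceFactory)
            serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        IOrganizationService service = factory.CreateOrganizationService(null);

        // Business unit of the current owner, as stored on the record.
        Entity contact = service.Retrieve(
            "contact", target.Id, new ColumnSet("owningbusinessunit"));
        var currentBu = contact.GetAttributeValue<EntityReference>("owningbusinessunit");

        // The assignee is a systemuser or a team; both carry businessunitid.
        Entity newOwner = service.Retrieve(
            assignee.LogicalName, assignee.Id, new ColumnSet("businessunitid"));
        var newBu = newOwner.GetAttributeValue<EntityReference>("businessunitid");

        // Fail closed: reject when either business unit is unknown or they differ.
        if (currentBu == null || newBu == null || currentBu.Id != newBu.Id)
            throw new InvalidPluginExecutionException(
                "Contacts can only be assigned to a user or team in the owner's business unit.");
    }
}
```

This step covers the Assign message only; sharing a record goes through the GrantAccess message and is not restricted by it.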

  • Mick_4711 552
    RE: User is able to assign a record although it shouldn't be possible for him

    Thanks for your replies.

    I think there is a misunderstanding. Sure, User 1 cannot read the contact that is assigned to another user, because of the User Access Level in Contact/Read.

    I'm wondering how it is possible that User 1 is able to assign the contact to another user in another Business Unit at all.

  • Suggested answer
    Daniel Wikell 2,360
    RE: User is able to assign a record although it shouldn't be possible for him

    Hi

    What you are experiencing is by design. When you have "user level" on read rights, it means that you are able to read only those contacts that you own yourself. When you have "user level" on assign, it means you are able to assign the contacts that you own yourself. The target of the assignment is not regulated in the security role. When re-assigning a contact, you transfer the ownership so that the security role no longer grants you the access to that contact.

    If you want to prevent User 1 from losing access to the contact, you can solve this in multiple ways:

    A: If you want users within a team to be able to see all records belonging to users within that team, you can assign the contact to the Team rather than the user directly. When team owned, users within that team should be able to see all contacts owned by the team.

    B: You can change a system setting to have the contacts automatically shared with the original owner when they are re-assigned. This way both User 1 and User 2 will have access after re-assignment. You can find this setting in Settings->Administration->System Settings. In the first tab "General" the setting is called "Share reassigned records with original owner".

  • Community Member Microsoft Employee
    RE: User is able to assign a record although it shouldn't be possible for him

    Hi Mike,
    As per my knowledge, User1 and User2 have user-level read access on the contact entity. The assign functionality has changed the owner of the record from User1 to User2. In your case, User1 assigned the record to User2, so that's why he will not have the rights to read it again. If User1 shares the record with User2, then both users can have access to the corresponding record. Otherwise, you can provide the Parent: Child Business Units rights to both users for read.

    Read-Access-Issue-in-Contact-Entity.png

  • Mick_4711 552
    RE: User is able to assign a record although it shouldn't be possible for him

    Does anyone have an idea?

  • Mick_4711 552
    RE: User is able to assign a record although it shouldn't be possible for him

    Hi Ryan,

    They all have the same security roles and these are attached to the users.

    Each user is set to just one team.
