Microsoft Dynamics CRM (Archived)

User is able to assign a record although it shouldn't be possible for him


Hey together,

I've got a question concerning Access Level and User Rights.

2045.Forum1.PNG

- "User 1" owns a contact

- "Sharing", "Append", "Append" And "Append To" are on "User Level"

- Although "User 1" is able to share and assign the record to "User 2"

5125.Forum2.PNG

How is that possible?

Overall, "User 1" gets an error message after assigning the record, saying that "User 1" doesn't have Read access. So it seems that the record was assigned directly to "User 2" (the new owner), and after that the page of the contact was loaded in the background, the system asked for the permissions of "User 1" and reported that he has no rights to read the contact.
But as I understand the Security Role, "User 1" should just have been able to assign the record to a user in his team. 

Does anyone have any idea how to solve this problem? This would be awesome!

Best regards and a nice Wednesday to you.

Mick

  • Ryan Maclean Profile Picture
    3,070 on at

    Do you have any security roles attached to the Team that User 1 is in? Are they in any other teams, or do they have any other security roles attached to them?

  • Mick_4711 Profile Picture
    552 on at

    Hi Ryan,

    They all have the same security roles and these are attached to the users.

    Each user is set to just one team.

  • Mick_4711 Profile Picture
    552 on at

    Does anyone have an idea?

  • Community Member Profile Picture
    on at

    Hi Mike,

    As per my knowledge, User1 and User2 have user-level read access on the contact entity. The assign functionality has changed the owner of the record from User1 to User2. In your case, User1 has assigned the record to User2, so that's why User1 will not have the rights to read it again. If User1 shares the record with User2, then both users can have access to the corresponding record. Otherwise, you can provide the Parent: Child Business Units rights to both users for read.

    Read-Access-Issue-in-Contact-Entity.png

  • Suggested answer
    Daniel Wikell Profile Picture
    2,360 on at

    Hi

    What you are experiencing is by design. When you have "user level" on read rights, it means that you are able to read only those contacts that you own yourself. When you have "user level" on assign, it means you are able to assign the contacts that you own yourself. The target of the assignment is not regulated in the security role. When re-assigning a contact, you transfer the ownership so that the security role no longer grants you the access to that contact.

    If you want to prevent User 1 from losing access to the contact, you can solve this in multiple ways:

    A: If you want users within a team to be able to see all records belonging to users within that team, you can assign the contact to the Team rather than the user directly. When team owned, users within that team should be able to see all contacts owned by the team.

    B: You can change a system setting to have the contacts automatically shared with the original owner when they are re-assigned. This way both User 1 and User 2 will have access after re-assignment. You can find this setting in Settings->Administration->System Settings. In the first tab "General" the setting is called "Share reassigned records with original owner".

  • Mick_4711 Profile Picture
    552 on at

    Thanks for your replies.

    I think there is a misunderstanding. Sure, User 1 cannot read the contact that is assigned to another user, because of the User Access Level in Contact/Read.

    I'm wondering how is it possible that User1 is able to assign the contact to another User in another Business Unit at all?

  • Verified answer
    Daniel Wikell Profile Picture
    2,360 on at

    Ah ok I think I understand.

    When you have "user level" on assign, it means you are able to assign the contacts that you own yourself. The target of the assignment is not regulated in the security role, only the rights you have to the particular contact. As long as you can read the user entity from another business unit, people will be able to select them as the assignee target.

    What you can do to solve this is either:

    A: Change the read rights to the User entity to "Business Unit Level". This will make it so that users from other business units don't show up as an assignee target. This read restriction may have other effects as well so you would want to experiment a bit after setting this.

    B: Write a plugin that triggers on the assign step of the contact. In the plugin, check that the selected target user is in the same business unit as the previous owner, otherwise reject the assign event.
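
Option B from the answer above, written out as an added example; it is not code from the thread or from Microsoft. The class name and error texts are illustrative, and it assumes the step is registered on the Assign message of the contact entity in the pre-operation stage, so that `ownerid` still holds the previous owner when the check runs.

```csharp
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Added example (hypothetical class name): rejects an Assign on contact when the
// new owner's business unit differs from the previous owner's business unit.
public class BlockCrossBusinessUnitAssign : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        if (!string.Equals(context.MessageName, "Assign", StringComparison.OrdinalIgnoreCase)) return;

        // The Assign message carries the record as "Target" and the new owner as "Assignee".
        var target = context.InputParameters["Target"] as EntityReference;
        var assignee = context.InputParameters["Assignee"] as EntityReference;
        if (target == null || assignee == null || target.LogicalName != "contact") return;

        // Passing null runs the lookups as SYSTEM, so the check does not depend on
        // which user or business unit records the calling user is allowed to read.
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        IOrganizationService service = factory.CreateOrganizationService(null);

        // Pre-operation: the stored ownerid is still the previous owner (user or team).
        Entity contact = service.Retrieve(target.LogicalName, target.Id, new ColumnSet("ownerid"));
        EntityReference previousOwner = contact.GetAttributeValue<EntityReference>("ownerid");

        Guid previousBu = GetBusinessUnitId(service, previousOwner);
        Guid assigneeBu = GetBusinessUnitId(service, assignee);
        if (previousBu != assigneeBu)
            throw new InvalidPluginExecutionException(
                "This contact can only be assigned to an owner in the same business unit.");
    }

    // systemuser and team both expose their business unit as "businessunitid".
    private static Guid GetBusinessUnitId(IOrganizationService service, EntityReference owner)
    {
        if (owner == null)
            throw new InvalidPluginExecutionException("Owner could not be determined; assignment rejected.");
        Entity row = service.Retrieve(owner.LogicalName, owner.Id, new ColumnSet("businessunitid"));
        EntityReference bu = row.GetAttributeValue<EntityReference>("businessunitid");
        if (bu == null)
            throw new InvalidPluginExecutionException("Business unit could not be determined; assignment rejected.");
        return bu.Id;
    }
}
```

The check fails closed: if either owner's business unit cannot be resolved, the assignment is rejected rather than allowed.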

  • Aric Levin - MVP Profile Picture
    30,190 Moderator on at

    Does User 1 have a parent record that is not in the same Business Unit as User 1?

    For example if User 1 has a parent account in BU0, he will be able to do such.

    I encountered a similar issue a few years back, and per Microsoft this was a feature with this type of relationship.

    I am not sure if you are facing a similar situation. I would check it...

  • Mick_4711 Profile Picture
    552 on at

    Thanks for your replies, guys.

    I'll check it all tomorrow and get right back to you with the/my results.

    Have a nice Thursday!

  • Mick_4711 Profile Picture
    552 on at

    To prevent that there are any connections to an account/contact I let User 1 create a new account and contact.

    After that I let him share this contact. It was still possible for him. 

    FYI:  there was a structure before. The BUs and Teams are completely new. 
