web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / SharePoint security mo...
Microsoft Dynamics CRM (Archived)

SharePoint security model based off Dynamics365

(0) ShareShare
ReportReport
Posted on by Shidin Haridas 3,497

Hi All,

We are using Dynamics 365 Online (9.02.54) with OOB SharePoint Integration.

As with OOB SP Integration, any CRM user can see all the folders and items in SharePoint Online.
What would be the recommended way of ensuring that the security between Dynamics365 and SharePoint are in sync?

I have knowledge of plugins, the CSOM model and am aware of building plugins to share and revoke access to the SP folders.

I did find a product which does the same here -> https://www.connecting-software.com/dynamics-crm-sharepoint-permissions-replicator/

However, if I want to get this done without purchasing a product, what would be the best way?

Ideas & Suggestions are welcome.

Thanks in advance!

*This post is locked for comments

I have the same question (0)
  • Verified answer
    ashlega Profile Picture
    ashlega 34,477 on at

    I guess you might try writing your own permissions replicator.. not sure it's worth doing it purely in the plugins because of the potential performance issues.. But, in a nutshell, you may have to have a plugin to track role/team/BU/position/manager changes (probably a plugin on the associate/disassociate messages to see if something has changed for a user)..

    And, then, you may need to use RetrieveSharedPrincipalsAndAccessRequest for every record that user may have access to.. (to optimize, maybe start from the document locations records, then go to the actual records, then check permissions for those users who had their security updated since the last "run")

    This could be a time-consuming job, so may require more than a plugin

  • Verified answer
    Community Member Profile Picture
    Community Member on at

    Hello Shidin,

    my recommendation to purchase a product. At first look it may look easy task but complexity is really huge and it doesn't make economical to reinvent the wheel in this case.

    @Alex: RetrieveSharedPrincipalsAndAccessRequest is not a solution for 2 reasons:

    - it is not covering all possible security configuration, e.g. hierarchy security changes are not reflected

    - accepting previous point, performance wise it would works only in very small CRMs because you need to execute this request per user, per record. Let's say you have 100 users, 10000 records, you have already 1 million queries that you need to repeat regularly!

    So you do know have easy, reliable and performant way how to read security from CRM, you would have to create internal representation for CRM security model and build it up based on available security data (evaluate / calculate security in your logic).

    But let's back to your question:

    I would recommend you to have have combination of plugin and some external service.  The plugin should be used as event listener for security changing events - simply you need this, you cannot do pooling for everything. In separated service you should process all the logic, you cannot have everything in plugin because of 2 minutes execution restriction.

    I'm just going to enumerate some point that should clarify complexity (maybe not all of them are valid for you).

    • initial load (secure already existing documents)
    • event-based security adjustments based on changes in CRM: create user, disable user, security role changes, BU structure changes, moving users between BU, sharing (user, team), access through access teams, cascading security behavior, manager / position based hierarchy security, Opportunity Sales Team ...
    • handle various conflicts
    • resolve user mapping - map users between CRM / SharePoint
    • resolve permission mapping - how to map CRM security objects (user, team, BU, role, position .. ) to SharePoint security objects (users / groups + permission level)
    • proper testing

    Hopefully it helps

    Tomas

  • ashlega Profile Picture
    ashlega 34,477 on at

    @Tomas Nice post. I ran into Connect Bridge a couple of times, but not enough to really figure out those details. Thanks for the explanations - guess doing those calculations outside of Dynamics is really the way to go.

  • Verified answer
    Shidin Haridas Profile Picture
    Shidin Haridas 3,497 on at

    Alex and Tomas,

    Thank you for your pointers! :)

    @Tomas - Agree with you on the tips. 'Connecting-Software' works great and well, it is the answer to what I need.

    My scenarios are very few, on assign of a particular record type.

    For POC sake, I created a plugin, which calls an Azure function, to do all the folder creation and permission granting.

    So far, so good. But need to test more, and well, it is going to be dependant on the client's user base and other factors.

    Appreciate a lot for the replies.

    Cheers!

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics CRM (Archived)

#1
SA-08121319-0 Profile Picture

SA-08121319-0 4

#1
Calum MacFarlane Profile Picture

Calum MacFarlane 4

#3
Alex Fun Wei Jie Profile Picture

Alex Fun Wei Jie 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans