role based security in CRM 2016 - dynamics-crm-2011

I created a new role called medical administrators.
My motive is to allow the user role to create/edit/delete the medical records.
I went to the custom entities tab and selected "Create, Read, Write, Delete, Append, Append To" against the custom entity.
But when the user tries to access the CRM environment they get the below message:
Insufficient Permissions
You do not have permission to access these records. Contact your Microsoft Dynamics CRM administrator.
What else should I add for the particular user group?

I provided create, read, write, delete to entities like contacts, notes etc. and it started working.
This is because there are lookup fields to contacts in the entity form of the medical case.
Also, in the customizations section, give read access for Process and the below fields

Related

Kentico User and Role Management

I am running Kentico 11. I have a section of the site that requires user login to read and download some hidden content.
Those users are stored in the Configuration -> Users table. I have a custom Role that these users are assigned to so they can login and view the content & download files. We have an external (CRM) system that is integrated with Kentico. This CRM automates the User account creation & Role assignment based on yearly training records. So the user accounts do not get manually created. CRM manages the creation & deactivation. This is working as intended with 1,000s of users.
Business requirements have changed and now require two levels of access. This will require a 2nd Role to be created. The first tier will allow basic access to content. A new 2nd tier (additional Role) will allow access to the file downloads.
The first tier will remain managed by the 3rd party integration from CRM (account & 1st role assigned). The 2nd tier will have to be manually controlled. Someone will have to login to Kentico, Configuration -> Users. Search for the user and add the 2nd Role.
To avoid putting the burden on the programmers I need to allow some of my non-technical team (customer support, product management) to be able to manage the Users.
These non-technical staff do not have Kentico CMS accounts. I do not want to make them Administrator and give them "keys to everything".
My question is specific to Configuration -> Permissions: can I give my non-technical team the Read permission to "CMS Basic User" and Manage User Roles "Contractor" (and my custom 1st role) and expect that they will be able to log in to Kentico, navigate to Users and maintain my Contractors?
This is expected to allow them to view my contractors, and add them to a new 2nd role "Contractor Download". Take bob.smith@someemail.com for example. Bob is a contractor; the CRM tool added him to the Users table with the roles Authenticated, Everyone and Contractor. Bob has completed some training and now needs the Contractor Download role.
Is the appropriate best-practice in Kentico to give my non-technical staff the CMS Basic User role & Contractor Role so they can manage our contractors? Is there a risk to this configuration? Will they be able to manage other roles? I do not want them to be able to edit content management, ecommerce or any other configurations.
It can be hard to give permission to manage one role but not the other. Usually, in terms of UI permissions, you either have permission to the entire operation or you don't.
While using Kentico's back-end UI would be beneficial, and giving them an account with limited administrative roles I think would be fine, what I would do is create a custom user interface and give them access to that UI. All that UI element would be is a drop-down of available users to assign to the role, and a button that would use Kentico's API to assign them.
You can make the entire thing using the Custom Control web part and point it to your ascx; you don't need anything particularly fancy.
The API to assign the role is pretty simple:

    // Add the user selected in the drop-down to the ContractorDownload role.
    UserRoleInfoProvider.AddUserToRole(ValidationHelper.GetInteger(ddlAvailableUsers.SelectedValue, 0),
        RoleInfoProvider.GetRole("ContractorDownload").RoleID);

Make the drop-down a list of (UserID, UserFullName) using the following dataset:

    // IDs of users who hold the Contractor role.
    int[] UserIDsInContractorRole = UserRoleInfoProvider.GetUserRoles()
        .WhereEquals("RoleID", RoleInfoProvider.GetRole("Contractor").RoleID)
        .Select(x => x.UserID).ToArray();
    // IDs of users who already hold the ContractorDownload role.
    int[] UserIDsAlreadyAssigned = UserRoleInfoProvider.GetUserRoles()
        .WhereEquals("RoleID", RoleInfoProvider.GetRole("ContractorDownload").RoleID)
        .Select(x => x.UserID).ToArray();
    // Offer only contractors who have not been given the second role yet.
    ddlAvailableUsers.DataSource = UserInfoProvider.GetUsers()
        .WhereIn("UserID", UserIDsInContractorRole)
        .WhereNotIn("UserID", UserIDsAlreadyAssigned)
        .Columns("UserID, FullName")
        .OrderBy("FullName")
        .Result;
    ddlAvailableUsers.DataValueField = "UserID";
    ddlAvailableUsers.DataTextField = "FullName";
    ddlAvailableUsers.DataBind();

Not able to create record using a newly created profile in CRM 2016

I created a user testaccount1 in Active Directory, and then created a new user profile in CRM 2016 and added the account to a security group.
I was able to create records that I have given access for that account.
I repeated the same steps and created a testaccount2 in Active Directory, created a user profile in CRM and added it to the same security group as testaccount1.
But when I try to create a record using testaccount2 I get the below error:
Insufficient Permissions
You do not have permission to access these records. Contact your Microsoft Dynamics CRM administrator.
There is only one security role that is assigned to both these accounts. Where should I look to fix this?
Hit "Download log file". The error message will give you the specific permission that is missing (it will look something like "prvContactCreate" if you are lacking create on the contact record at the level of scope/depth required). Once you post the error message here, we will be able to give more detailed responses.
Question: when creating the record with the second account, are you by chance setting the owner as someone other than yourself? If so, what is the depth of the privilege for the security role on the given user?

Access Control with a multi database application

I have a mainDB.nsf that contains all of the XPages design, agents, script libraries etc. From this database the user selects an application. There may be one or more application databases. Each of the application databases contains the actual data for the application, plus the views of that data that are accessed in custom controls in the mainDB.
So when a person authenticates against the mainDB they get all their security rights; assume that there is a role in the mainDB called [Finance]. Now there are no real data documents in the mainDB, but in the PurchaseReq.nsf there are, and anyone with the [Finance] role gets Editor rights to all documents in the PurchaseReq.nsf. So I have defined the role in both the mainDB.nsf and PurchaseReq.nsf. However, I do not want the person with the role [Finance] to have Editor rights in mainDB.nsf but only in PurchaseReq.nsf. If I assign the role to a person in the mainDB.nsf with, say, Reader rights and duplicate the ACL entry in the PurchaseReq.nsf with Editor rights, and the user opens a document in PurchaseReq.nsf, will they have Reader or Editor rights?
Secondly, do I even have to have the role [Finance] in the mainDB.nsf?
I read somewhere about this sort of setup with a design database and multiple data repositories but I can't find that reference.
Access is determined on a per database level - and not across databases.
So if you assign a role to a person in MainDB.nsf with Reader rights and assign a role with the same name with Editor rights in another database, then the person will have reader rights to MainDB.nsf and editor rights to the other database.
The role is not necessary in MainDB unless used for access control to documents/design elements in that database.

Diff between Privileges and access level in MSCRM Dynamics 2011

In the security of MSCRM, there are different security implementations. Could anybody define what is the difference between Privileges and access level in MSCRM Dynamics 2011?
A Privilege is a permission to perform an action on a specific entity type in Microsoft Dynamics CRM. In MS CRM 2011 we are provided the privileges Read, Write, Delete, Assign, Share, Append and Append To.
An access level provides accessibility to a particular entity. Microsoft CRM includes four distinct access levels, presented in order in MS CRM: User level, Organization level, Business Unit, etc.
Here is a good start: how-to-interpret-accessrights-numbers.
Basically there are lots of different privileges. Certain tasks can require multiple privileges. Some privileges also involve access levels that control a user's rights to that privilege depending on the ownership of the entity they are acting upon.
Example:
So you can grant a user the Read privilege on the Contact entity with an access level of Owner BU, and they will have access to read all Contacts that are in the same BU as they are.
Privileges
Privileges are the most basic security unit in MSCRM; they define what actions a user can perform on each entity in the system (for example Create, Read, Update, Delete, Append, Append To, Assign, Share).
Access level
The access level indicates which records the user can perform that action upon for that entity, like None, User, BU, Parent: Child BU, Organization.
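
The distinction drawn in the answers above, as an added example that is not part of the original posts: a simplified Python model in which a role maps each (entity, privilege) pair to an access level, and the access level decides which records the privilege reaches. The names (`Depth`, `BU_PARENT`, `can_perform`), the business-unit tree and the users are constructed for illustration, and record sharing and team ownership are left out.

```python
from dataclasses import dataclass
from enum import IntEnum

class Depth(IntEnum):
    """Access levels, narrowest to widest."""
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD_BU = 3
    ORGANIZATION = 4

# Constructed business-unit tree: child -> parent (None marks the root).
BU_PARENT = {"Root": None, "Clinic": "Root", "Lab": "Clinic", "Billing": "Root"}

@dataclass(frozen=True)
class User:
    name: str
    bu: str

@dataclass(frozen=True)
class Record:
    entity: str
    owner: User

def is_same_or_descendant(bu, ancestor):
    """True when bu is ancestor itself or sits below it in the tree."""
    while bu is not None:
        if bu == ancestor:
            return True
        bu = BU_PARENT[bu]
    return False

def can_perform(role, user, action, record):
    """role maps (entity, privilege) -> Depth; a missing entry means no privilege."""
    depth = role.get((record.entity, action), Depth.NONE)
    if depth == Depth.ORGANIZATION:
        return True
    if depth == Depth.PARENT_CHILD_BU:
        return is_same_or_descendant(record.owner.bu, user.bu)
    if depth == Depth.BUSINESS_UNIT:
        return record.owner.bu == user.bu
    if depth == Depth.USER:
        return record.owner == user
    return False

# Constructed role: Read on Contact at Business Unit depth, Write at User depth.
ROLE = {("contact", "Read"): Depth.BUSINESS_UNIT, ("contact", "Write"): Depth.USER}
alice, bob, carol = User("alice", "Clinic"), User("bob", "Clinic"), User("carol", "Lab")
print(can_perform(ROLE, alice, "Read", Record("contact", bob)))    # owner in the same BU
print(can_perform(ROLE, alice, "Write", Record("contact", bob)))   # alice is not the owner
print(can_perform(ROLE, alice, "Read", Record("contact", carol)))  # owner in a child BU
```

The same role entry gives different answers for different records because only the owner and business unit change; widening Read to `Depth.PARENT_CHILD_BU` is what lets alice reach carol's contact.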

How to implement Field Level Security in Microsoft Dynamics CRM 2011

I am getting a problem in implementing Field Level Security in CRM 2011. I am very new to this technology hence not able to resolve this problem.
These are the steps I have done:
1. Created an entity named Inquiry.
2. On the form under the entity, created a field named 'Password' with EnableSecurity set to 'true'.
3. Then moved to Administration -> Field Security Profiles -> created a profile named 'Inquiry'. Under the Users tab selected a user (Mike) and kept the field permissions as they are, i.e. 'No'.
4. Now on login for user (Mike) the 'Password' should be seen encrypted, but it does not display as encrypted.
Steps used to create the user:
1. Under Users & groups created a new user and assigned 'Service administrator'.
Please tell me if I missed out some step or if I have done something wrong.
I think user Mike has the System Administrator security role.
This security role always gives full access to all secured fields. You can find more information here:
How Field Security Can Be Used to Control Access to Field Values in Microsoft Dynamics CRM, section "Which Security Roles Allow You to See Secured Fields?"
Hey, I got the solution to my question. Posting it so that it may help beginners like me.
All I did was:
Steps used to create the user:
1. Under Users & groups created a new user and did not give the user administrator permissions.
2. Then under Settings -> Administration -> Users, selected the user and opened the form.
3. Then chose Manage Roles from the ribbon menus and selected 'System Customizer' as the security role.
The rest of the process is the same for applying field security.
5. In the end logged in as a System Customizer and was able to see the changes.
Thank you @Guido Preito for the help.
