MS CRM Block all entity forms from user - dynamics-crm-2011

I am an admin for MS CRM 2011 and I have this demand that certain users - although they have READ access to an entity - should NOT have access to any of this entity's forms.
Meaning, they should only view the records via sub grids, on related records.
Is there a way to have such control over user view?

You could make all the tabs on the form invisible unless the user had certain role(s) through JavaScript.
This seems like a very strange request. Any chance you could elaborate?

Put these users in a role. Create a new form for each entity and assign that form to that role. Make sure these users do not have access to the other forms by role. Don't put any fields on this new form and maybe even add a JavaScript pop-up error message and some code that closes the form immediately.
This way your other forms aren't slowed down by a JavaScript request that always checks role membership, plus everything is contained in that special form instead of spread through your other "real" forms.

If this entity just holds relationships like an N:N entity would do, you can also make sure that the relationship (reference to it) is not shown on the navigation area of the related entity forms. This way it's there but no one can 'use' it.


How to view standard objects in salesforce online?

There are many standard objects, e.g. AccountContactRole, LetterHead, Approval etc., which can be retrieved using Salesforce APIs. What is the way to see these objects in the Salesforce environment in a browser?
Very roughly speaking - easiest cheat is to simply put the Id in the URL. So if your Salesforce instance is https://na1.salesforce.com then adding /001.... (any valid Account Id) will take you to this account. Similarly /016... will take you to "this" Letterhead record.
Some data is easily accessible to users - for example AccountContactRole should be available as related list under Account. If it isn't - probably the administrator removed it from page layout because the company decided to use only the straightforward Account - Contact relationship.
Some data like Letterheads, EmailTemplates, Approval processes is visible in the setup area (not all users have the "View Setup and Configuration" permission in their Profiles!)
*Share records (like AccountShare) would be visible after you click the Sharing button on the page layout (if it's not visible - again, check with Admin).
If you're using API to fetch the data, you probably can also use "describe" calls to fetch info which objects are available, what fields are present in the tables... Sometimes the "Frontdoor URLs" property is set (although I confess I'm not sure how to get it, http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_Schema_DescribeSObjectResult_instance_methods.htm doesn't mention it).
Also - if you haven't noticed yet - all Accounts start with "001". Try to guess where "/001" and "/001/o" links would lead.

Lookup fields in CRM 2011

Entity Application has a look up to Contact. Now, Entity Application Document has a look up to Application. In my Application Document form, I want to display the Contact who is associated with the Application Document. I do not want to be creating a look up to Contact as it is just bad database design.
How can I show the related contact in the Application Document form. It is after all a look up - alright, a two level look up right? I can go from the Application Document to the Application to which it is related and from there to the Contact.
My suggested solution would be to have a read only text field in the Application Document entity. Populate it with Contact (Primary Field) onloadform with a JavaScript.
I'd resolve it as a call to the DB, fetching the linked entity and then fetching its linked entity. JavaScript seems to be the wisest choice in this case.
However, you mention that you find this solution bad, so I might be missing a requirement.

How do you implement users and group security in a web application?

Using PHP, if that matters.
If you create a website that has users and groups. Where do you put this in the web application? Do you just put a function at the top of every page (pseudo):
if someone is in a group then they can see this page
or
if someone is in this group they can see this button
That sure seems wrong. I wouldn't want to edit the web app code just to change who can see what group-wise. I'm not sure what I should do or how to implement something like this.
Thanks.
In MySQL, I always create these 4 tables: users, user_groups, permissions and user_groups_permissions which are linked using Foreign Keys.
So, user A can be in user group B, whose permissions are in user_groups_permissions.
Now, I just do an INNER JOIN on these 4 tables (or better, three: users, user_groups_permissions and permissions); the results are the permissions that the user has. All we need is selecting permissions.key by INNER JOIN.
Now, before processing the request, I need to check whether Client::has_permission('send_post') returns true or not. And better, also on top of each user-group-related function.
Note: Client is a class that loads all user permissions just one time, before processing the request, and then uses those permissions for the whole request lifetime, without needing to access the database several times in that request. Use static methods and a $permissions property for this class so you never need to send its object over your application's classes/methods/functions :)
You can have a utility function which takes user id and group code and return true or false.
You can use that utility function as pseudo at the top of each page, and the same function can also be used to hide or show sections in your page.
If your web application is in MVC, embed user authorization logic in your controller.

JSF web application user logging. How to?

The administrator of the web application I am working on asks for an 'I wanna know everything' log. He wants to track everything the other users did when they were connected (logged in) to the web app:
What pages he/she visited.
What actions he/she performed.
On what entities (JPA Entities) he/she performed actions.
At what exact time she/he performed a given action if successful.
What attribute of a given record he/she modified.
The user principals of this user.
All I could do now is export a CSV file where the administrator finds the user principals and the time this user logged in and logged out.
I also created an example history table in the database, populated by an EclipseLink Customizer, to track changes for a corresponding table. The problem with this EclipseLink customizer is that it is not flexible, because database tables are changing with time (adding/removing attributes) and so are their corresponding entities. And the user does not want to modify things two times (one time in the main table and the second time in the history table)!
Could something like a third library 'log4j' do that?
Are there any alternatives, solutions, or better practices related to my issue?
Best regards.
Look into Interceptors/Listeners - both for JSF to get page/action and JPA to get data accessed. In your interceptors/listener you could then log to file using log4j.
EclipseLink Listeners
Hibernate Interceptors (for comparison)
JSF Listeners

Sharepoint 2010 WebPart: Users in Site Members Group can't save property of web part

I've created some custom property for my web part with the Personalizable(PersonalizationScope.User) attribute. I change this property in EditorPartClass in the ApplyChanges() method only. The main problem is that a user with contribute permission for a site can't save this property when editing the personalized view of a page. The property change applies when the user clicks the OK button on EditorPart, but after page postback the value returns to its previous condition. Users with full control privileges save this property without a problem.
If the user has the "Add and Customize Page" privilege, the property saves too. But then the user can modify the web part in shared view too. It's bad...
You need to explicitly change the SafeAgainstScript attribute on the SafeControl tags. This is new in 2010 because of the Client OM. You can't ever be sure that the user won't type malicious JS - so make sure you also encode any input your property takes!
