I have a mainDB.nsf that contains all of the XPages design, agents, script libraries etc. From this database the user selects an application. There may be one or more application databases. Each of the application databases contains the actual data for the application, plus the views of that data that are accessed in custom controls in the mainDB.
So when a person authenticates against the mainDB they get all their security rights; assume that there is a role in the mainDB called [Finance]. Now there are no real data documents in the mainDB, but in the PurchaseReq.nsf there are, and anyone with the [Finance] role gets Editor rights to all documents in the PurchaseReq.nsf. So I have defined the role in both the mainDB.nsf and PurchaseReq.nsf. However, I do not want the person with the role [Finance] to have Editor rights in mainDB.nsf but only in PurchaseReq.nsf. If I assign the role to a person in the MainDB.nsf with, say, Reader rights and duplicate the ACL entry in the PurchaseReq.nsf with Editor rights, when the user opens a document in PurchaseReq.nsf will they have Reader or Editor rights?
Secondly, do I even have to have the role [Finance] in the mainDB.nsf?
I read somewhere about this sort of setup with a design database and multiple data repositories but I can't find that reference.
Access is determined on a per database level - and not across databases.
So if you assign a role to a person in MainDB.nsf with Reader rights and assign a role with the same name with Editor rights in another database, then the person will have reader rights to MainDB.nsf and editor rights to the other database.
The role is not necessary in MainDB unless used for access control to documents/design elements in that database.
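The per-database rule in this answer, as an added example (not code from the original post): each database's ACL is resolved on its own, so the same [Finance] role attached to a Reader entry in mainDB.nsf and an Editor entry in PurchaseReq.nsf yields different effective access. The ACL entries, names and the tie-break rules (explicit person entry beats groups, highest group level wins, roles merge) are assumptions for illustration.

```python
"""Per-database ACL resolution in the Notes/Domino style described above.
Added example, not from the original answer. Assumed simplifications: an explicit
person entry beats group entries, the highest level among matching groups wins,
roles live on the ACL entry, and nothing in one database's ACL affects another."""
from dataclasses import dataclass, field

# Domino access levels in ascending order of privilege.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

@dataclass
class AclEntry:
    name: str                      # person, group, or "-Default-"
    level: str
    roles: set = field(default_factory=set)

@dataclass
class Database:
    name: str
    acl: list

def resolve(db, user, groups):
    """Return (access level, roles) for user, evaluated against db's ACL only."""
    by_name = {e.name: e for e in db.acl}
    if user in by_name:                               # explicit entry wins
        e = by_name[user]
        return e.level, set(e.roles)
    hits = [by_name[g] for g in groups if g in by_name]
    if hits:                                          # best group level, merged roles
        best = max(hits, key=lambda e: LEVELS.index(e.level))
        return best.level, set().union(*(e.roles for e in hits))
    default = by_name.get("-Default-", AclEntry("-Default-", "No Access"))
    return default.level, set(default.roles)

def can_edit(db, user, groups):
    level, _ = resolve(db, user, groups)
    return LEVELS.index(level) >= LEVELS.index("Editor")

# Constructed ACLs mirroring the question: the same [Finance] role in both
# databases, attached to a Reader entry in mainDB.nsf and an Editor entry in
# PurchaseReq.nsf.
MAIN_DB = Database("mainDB.nsf", [
    AclEntry("-Default-", "No Access"),
    AclEntry("FinanceStaff", "Reader", {"[Finance]"}),
])
PURCHASE_DB = Database("PurchaseReq.nsf", [
    AclEntry("-Default-", "No Access"),
    AclEntry("FinanceStaff", "Editor", {"[Finance]"}),
])
```

Calling resolve() on each database for the same user and group list shows Reader in mainDB.nsf and Editor in PurchaseReq.nsf, with the [Finance] role present in both.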
Related
I'm developing an application, where users are able to store their notes.
The roles hierarchy is the following:
- user role can create, read, update and delete their own notes.
- admin role inherits the user role and has access to all users' notes.
The issue is that most ACL tutorials describe generic cases regarding how to declare permissions for roles like user, admin, manager etc.
There is a lack of information regarding cases when we need to protect specific user notes from being changed by other users. How do I handle this in the scope of ACL?
I created a new role called medical administrators
My motive is to allow the user role to create/edit/delete the medical records
I went to the custom entities tab and selected "Create, Read, Write, Delete, Append, Append To" against the custom entity.
But when the user tries to access the CRM environment they get the message below:
Insufficient Permissions
You do not have permission to access these records. Contact your
Microsoft Dynamics CRM administrator.
What else should I add for the particular user group?
I provided Create, Read, Write, Delete on entities like contacts, notes etc. and it started working.
It is because there are lookup fields to contacts in the entity form of the medical case.
Also in the customizations section give read access for Process and the below fields
In Security in MSCRM there are different security implementations. Could anybody define what the difference is between Privileges and Access level in MSCRM Dynamics 2011?
A Privilege is a permission to perform an action on a specific entity type in Microsoft Dynamics CRM. In MS CRM 2011 the privileges provided are Read, Write, Delete, Assign, Share, Append and Append To.
Access level provides accessibility to a particular entity in Microsoft CRM. It includes four distinct access levels, presented in order in MS CRM: User level, Organization level and Business Unit level, etc.
Here is a good start: how-to-interpret-accessrights-numbers.
Basically there are lots of different privileges. Certain tasks can require multiple privileges. Some privileges also involve access levels that control a user's rights to that privilege depending on the ownership of the entity they are acting upon.
Example:
So you can grant a user the Read privilege on the Contact entity with an access level of Owner BU, and they will have access to read all Contacts that are in the same BU as they are.
Privileges
Privileges are the most basic security unit in MSCRM; they define what actions a user can perform on each entity in the system (for example Create, Read, Update, Delete, Append, Append To, Assign, Share).
Access level
The access level indicates which records the user can perform that action upon for that entity: None, User, BU, Parent: Child BU, Organization.
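The privilege/access-level split explained in these answers, and the lookup-field problem from the medical case question above, as one added example (not code from any of the original posts): a privilege names the action, the access level decides which records it applies to, walked down a business-unit tree. The BU tree, user, entity and privilege names are constructed for illustration; sharing and team ownership are left out.

```python
"""Privilege versus access level, modelled on the Dynamics CRM answers above.
Added example, not from the original posts. Assumed simplification: a record is
checked only by its owner and owning business unit (sharing and teams ignored)."""
from dataclasses import dataclass

# Access levels in increasing breadth, named as in the CRM security-role editor.
NONE, USER, BU, PARENT_CHILD_BU, ORG = range(5)

@dataclass(frozen=True)
class Record:
    entity: str
    owner: str
    owning_bu: str

@dataclass
class User:
    name: str
    bu: str
    privileges: dict   # {(entity, privilege): access level}

def bu_within(bu, ancestor, parents):
    """True if bu is ancestor itself or sits below it in the BU tree."""
    while bu is not None:
        if bu == ancestor:
            return True
        bu = parents.get(bu)
    return False

def has_access(user, privilege, record, parents):
    """The privilege says *what* the user may do; the access level says *which* records."""
    level = user.privileges.get((record.entity, privilege), NONE)
    if level == ORG:
        return True
    if level == PARENT_CHILD_BU:
        return bu_within(record.owning_bu, user.bu, parents)
    if level == BU:
        return record.owning_bu == user.bu
    if level == USER:
        return record.owner == user.name
    return False

def blocked_lookups(user, record, lookups, parents):
    """Lookup targets on a form the user cannot read: the situation behind the
    Insufficient Permissions error on the medical case form above."""
    return [r for r in lookups if not has_access(user, "Read", r, parents)]

# Constructed BU tree (Root -> Clinic -> Ward) and a "medical administrators"
# style role: BU-level read on the custom entity, user-level read on contact.
PARENTS = {"Root": None, "Clinic": "Root", "Ward": "Clinic"}
MED_ADMIN = User("alice", "Clinic", {("medical_case", "Read"): BU,
                                     ("contact", "Read"): USER})
```

blocked_lookups() returns the contact records on a medical case form that the role cannot read, which is exactly what granting Read on contact (as in the accepted fix above) empties out.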
I learned that the Silverlight Business Application template allows you to create users.
But you can also create users with the Web Site Administration Tool.
What I see is that the Administration tool allows you to create roles, and allows assigning users to those roles, whereas the pre-built interface that the template offers only allows creating users, which assigns them to the "Registered Users" role automatically.
I guess that if I want to offer the ability to create roles and manage the "roles-users" relationship from the application, I should program the interface in the application. Is that so?
I see that the pre-built interface the business template offers is very limited.
The built-in interface of the SL business application aims to allow a new user to create an account and log on/off. It doesn't concern itself with actual user rights. You have to implement this separately.
I usually implement this by adding a "Settings" view in the SL app where I put a datagrid and populate (from the aspnetdb.mdf) the registered users as rows and the role names as columns.
Then for each row I put a checkbox to allow a "PowerUser" to assign each new user to roles.
To do this you have to first create (through SL or Web Site Administration Tool) at least one user ("PowerUser") and 2 roles: "NormalUserRole", "PowerUserRole".
Then you assign PowerUser to the PowerUserRole and grant him access to the Settings Page.
So:
Anyone (no assigned role) -> can create a new user account and log on/off. No other rights
UserRole -> can work on site
PowerUserRole -> can assign roles to users
I basically do not understand the privileges of a reader and a contributor. What's the difference?
Is any authenticated user (added to the list) a reader or a contributor?
In a system engineer-manager scenario, who will be the reader and who the contributor?
A reader has read-only rights; a contributor usually has CRUD access (create, read, update and delete) but cannot administer settings.
Contribute and Read are default site roles in SharePoint.
Read grants the rights to view list items\documents, open list items\documents, view versions of list items\documents, view pages, browse user info, view form pages, use client integration (open documents directly from SharePoint), create certain kinds of sites, and use remote APIs.
Contribute grants all those rights plus:
Edit list items\documents, add list items\documents, edit their own user info, create alerts, update personal web parts, add/delete private web parts, browse directories, and manage personal views.
Neither of these permissions maps directly to an engineer-manager scenario; rather, I would say it is better to model it as producer-consumer. If the manager only needs to consume what the engineer produces, the manager should have Read and the engineer Contribute. If the engineer only reads what the manager produces, you can reverse the relationship.