I have some users accessing CRM directly and some others trough a web portal. I want to disable the access to CRM of some users depending of their security role.
I can't disable users or remove the security roles they have because won't be able to read/write/own i.e Case entity.
Is there any permissions of the security role I can remove for deny this access? I research for it and can't find anything, I suppose the answer is No.
Any workaround for accomplish this?
If you are on UR12 or above, you can try use similar logic as Microsoft has implemented for Control browsers which organization supports. Only difference is that instead of checking what browser user has, you would have to check his roles and decide if he can access CRM vie browser or not.
Look at 'How Does the Solution Work?' section for details.
Removing these permissions:
Core Records: User Entity UI Settings
Business Management: User Settings
Customization: Customizations, System Form, View, Web Resource
Will deny move through CRM, but as #MarioZG says the user will see the UI with a warning message of 'Insufficient Permissions' to see the records.
Related
I have a SPFx webpart which is a form for users to submit requests which will run the group and teams provisioning code.
The code works fine when the user is logged in as a 'Global Admin', but when a normal user with minimum permission levels uses the form, the provisioning is not allowed and is faced with these errors:
Creating group is not allowed:
Tenant admin has not enabled Unified group creation error
Creating teams is not allowed:
Teams disabled in user license admin error
Is there a way to run the code regardless of the user context? or any ways to elevate the privilege of the webpart or block of code with admin permissions?
https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
You will need to specify that specific api permissions your application needs.
basically starting from here: https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
specifically, the graph api permissions that you will need is at least Group.ReadWrite.All, Directory.ReadWrite.All in order to create a team.
Hopefully this helps a bit.
Is there a way to run the code regardless of the user context?
Yes. You could implement Get access without a user to use Application permission to create the resources. It will allow you to create a group without a user.
You can also check with your admin if the ability of creation Groups for users has been disabled. See Manage who can create Groups.
And it's strongly recommended to check if the Teams license is assigned to the user.
I have created multiple apps in SPEAK UI and placed all quick access shortcuts on the Sitecore Launchpad.
Now, how can I restrict access for some applications while creating Users, because we have Content Area in Access Viewer?
There are a couple of ways to do this. First you need to open the desktop and switch from the Master to the Core database.
If you just want to restrict access to the shortcuts on the Launchpad - you can do this by setting access rights on the shortcut items:
Create a role that should have access to the users and give that role Read access to the button item.
Another option would be to allow access to the application. If you look at the Path Analyzer you can see that some roles are denied and some granted access:
So add security rights to roles for your SPEAK apps.
Finally when you create users make sure you give them the correct roles to match what they are able to view.
I'm building a sitecore 7.2 using asp.net MVC 5.0. The site will have login and each user will be roles.
We need to show/hide the site menu items based on logged in user Roles. The user detail and roles are stored in SAP backend.
Could someone please advise what's the best way to achieve above?
Essentially you will want to map the roles stored in your backend system to Sitecore Roles. Potentially look into creating a custom Role Provider (see in document below)
Once logged in, requests are made to Sitecore are made in context of that logged in user. Therefore if the user, or their role, does not have permission to view an Item, it will not be returned in the request. This effect means that your Menu will not display items they do not have permission to access.
You and Content Editors can control what users and roles can access via the Security Editor and view their access rights via the Access Viewer in the Content Editor.
This documents will have everything you need - http://sdn.sitecore.net/upload/sitecore6/sc61keywords/security_api_cookbook_usletter.pdf
http://sdn.sitecore.net/upload/sitecore6/securityadministratorscookbook-usletter.pdf
Its also worth noting that Sitecore's seucirty manages roles as Ors. So if one of the user's role has permission to see an Item, then the user can see it.
If you require the roles to be Ands; every role must have permission before its displayed to the user, check this post out - http://www.sitecore.net/learn/blogs/technical-blogs/john-west-sitecore-blog/posts/2015/03/require-membership-in-multiple-roles-in-the-sitecore-aspnet-cms.aspx
You need the roles for the current user from SAP? There is an Odata API for that: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bde6197817511e10000000a42189b/content.htm
You could query the API in real-time, but it would of course require a login to SAP for the current user.
Or - you could use another API and connect via a service user.
What is the best Way to disable all users in Dynamic CRM except System Administrators?
I assume that by "System Administrator" you mean user with System Administrator role assigned, and that you are using CRM on-premise
Go to Users list, select everyone and disable (if you have more than one page of users, you need to do this for every page). Don't worry, you account will not be disabled, even if selected
go to advanced find and run query:
Look for: Users
add relationship: Security roles
add condition: Security role equals "system administrator"
results will contain users that have "system adminstaror role". Shouldn't be much of them, so you can enable them one by one.
Now you have everyone, except Admins, disabled
You can disable the users you want programmatically through SetStateRequest.
Here you can find an exmaple how to disable a crm user:
http://msdn.microsoft.com/en-us/library/jj602914.aspx
I have a requirement to deactivate a user for a particular organization.In liferay we deactivate the user directly by control panel under users tool.if i deactivate,The user will deactivate in portal level so it is applicable to all organizations not to particular organization.so can i do manual code for this or is there any alternative by default?
User Management in Liferay is global - to the whole portal. You authenticate to the portal, thus a deactivated user can't be authenticated to the portal.
You can make users members of Organizations or site - and this membership (or other organization- or site-level roles) can be used to provide them with permissions.
If you want them to be able to sign in, don't deactivate them. If you don't want them to access a certain organization, make the content of that organization available to members only - and exclude the user from the members of that organization.
OK you could do this in code level ,
User singleUser=UserLocalServiceUtil.getUser(userId)
singleUser.setStatus(WorkflowConstants.STATUS_DENIED);
UserLocalServiceUtil.updateUser(singleUser);
So basically setting User Status to either WorkflowConstants.STATUS_DENIED, WorkflowConstants.STATUS_EXPIRED or WorkflowConstants.STATUS_INACTIVE will do the work of deactivating particular User.
But you need to research on the aftermath effect of these status field.