CRM 2011 Field Security based on attribute value - dynamics-crm-2011

I have a situation where I want to use field security but only when an attribute on the record is a certain value. The entity is the contact and there is a bit attribute called VIP. When a user opens that record and the VIP value is true and they are not in the VIP team then the user cannot see the fields marked for field security.
Is it possible to write a plugin to do this, or is there a better solution?

You could connect to the form's onLoad event and check the user's teams and the VIP field and show other fields accordingly.
Not sure if there's an easier way to get the teams, an OData request would be an option:
http://msdn.microsoft.com/en-us/library/gg334767.aspx
Command would look like this:
    var userid = Xrm.Page.context.getUserId();
    var cmd = "/TeamMembershipSet?$select=TeamId&$filter=SystemUserId eq guid'" + userid + "'";
To set fields' visibility, have a look at this link:
http://danielbergsten.wordpress.com/2011/02/15/crm-2011-javascript-for-hiding-a-field-based-on-another-fields-value/
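A fuller sketch of the onLoad approach described above, as an added example that is not part of the original answer: it normalizes GUIDs before comparing them and keeps the fields hidden unless the team lookup positively confirms membership. The team id, the `new_vip` attribute name and the secured field names are assumed placeholders.

```javascript
var VIP_TEAM_ID = "11111111-2222-3333-4444-555555555555";     // assumed placeholder
var SECURED_FIELDS = ["new_creditlimit", "new_privatenotes"]; // assumed field names

// Xrm returns ids like "{A1B2...}"; OData returns bare lowercase. Use one form.
function normalizeGuid(id) {
  return String(id || "").replace(/[{}]/g, "").toLowerCase();
}
// The TeamMembershipSet query from the answer, against the CRM 2011 REST endpoint.
function buildTeamQuery(serverUrl, userId) {
  return serverUrl + "/XRMServices/2011/OrganizationData.svc/TeamMembershipSet" +
    "?$select=TeamId&$filter=SystemUserId eq guid'" + normalizeGuid(userId) + "'";
}

// Pulls team ids out of the OData JSON body: { d: { results: [ { TeamId } ] } }.
function teamIdsFromResponse(body) {
  var rows = (body && body.d && body.d.results) || [];
  return rows.map(function (r) { return normalizeGuid(r.TeamId); });
}

// Fail closed: show only for a definite non-VIP record or confirmed membership.
function canSeeSecuredFields(isVip, teamIds) {
  if (isVip === false) return true;
  if (!Array.isArray(teamIds)) return false; // lookup pending or failed
  return teamIds.indexOf(normalizeGuid(VIP_TEAM_ID)) !== -1;
}

// Applies the decision; `page` is Xrm.Page on a real form, "new_vip" is an assumed name.
function applyVisibility(page, teamIds) {
  var visible = canSeeSecuredFields(page.getAttribute("new_vip").getValue(), teamIds);
  SECURED_FIELDS.forEach(function (name) {
    var control = page.getControl(name);
    if (control) control.setVisible(visible);
  });
  return visible;
}

// onLoad handler: hide first, reveal only after the lookup succeeds.
function onLoad() {
  var ctx = Xrm.Page.context;
  applyVisibility(Xrm.Page, null);
  var req = new XMLHttpRequest();
  req.open("GET", encodeURI(buildTeamQuery(ctx.getServerUrl(), ctx.getUserId())), true);
  req.setRequestHeader("Accept", "application/json");
  req.onreadystatechange = function () {
    if (req.readyState === 4 && req.status === 200)
      applyVisibility(Xrm.Page, teamIdsFromResponse(JSON.parse(req.responseText)));
  };
  req.send();
}
```

A script like this only changes what the form renders; the values remain reachable through views, reports and the web services, so a field security profile is still what enforces access.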

This can possibly be solved with role based forms.
Create a new form for the VIP team
Choose a security role for the new form
Field level security in conjunction with role based forms is a good idea if the VIP field should never be accessible to lower privilege users; even through reports and other methods of accessing data. It is more work to manage field level security profiles as they are completely separate from security roles; they are assigned to users or teams.

Seems to me that you, the admin, had to be a member of the field level security role.
I also had to restart IIS/CRM site for it to bite.

Related

How to implement Dynamic Security in PowerView

I have created a PowerView using a BISM connection in Enterprise Portal of AX. That PowerView report will be used by 100+ users. I want every user to see his/her data in the PowerView instead of viewing the complete data. One option is to create 100+ security roles in SSAS (multidimensional), which is not a viable option. Please guide me on how I can achieve dynamic security in PowerView so that every user sees their own view. Thanks.
Power View doesn't offer any kind of security. You will need to do this in SSAS, but you don't need 100+ security roles. You will want to look into dynamic security. To create dynamic security, you will need some way to relate a user to the information they should see. This usually means adding a field to an existing table or creating new tables.
If all users are secured by the same attributes, they can be contained in a single role. If some users are secured based on one attribute and others based upon another attribute, then you may need multiple roles.
Here's how this might work.
Create a table that contains all users that will need access to your cube.
Create a bridge table that ties the users to the attribute on which you are securing their access. For instance, maybe users can only see certain products so you have a table of User IDs and Product IDs.
Add these tables to your DSV.
Create a user dimension.
Create a measure group based upon your security bridge table
Create a role for this user type and add an MDX statement to the Allowed Member Set. Also, set the Enable visual totals checkbox.
Populate the members for the role, preferably through an AD group rather than individually if you have 100+ users.
Your allowed member set will look something like
    Exists(
        {[Product].[Product ID].members},
        STRTOSET("[Users].[UserName].[UserName].&[" + Username() + "]"),
        "Bridge User Product"
    )
You can find a good blog post here and a good video about SSAS security here (dynamic security starts around the 35 minute mark).

Insufficient permission to view NetSuite Subsidiaries

I am using SuiteTalk web services and trying to use SubsidiarySearch to retrieve all Subsidiary records:
SubsidiarySearchBasic srch = new SubsidiarySearchBasic();
srch.setIsInactive(new SearchBooleanField(false));
SearchResult res = stub.search(srch);
I login using a customized role based on NetSuite's standard "System Administrator" role, with various extra permissions added. In particular, this role has "Subsidiaries" permissions set to "Full". However, the above code returns the following status, using this Java code:
Type=ERROR
Code=INSUFFICIENT_PERMISSION
Detail=Permission Violation: The subsidiary restrictions on your role prevent you from seeing this record.
The above code succeeds when I use the standard "Administrator" role (internal id "3") but I would like to use a customized role. What permissions do I need for a successful result?
Make sure all the subsidiaries are exposed or the top most subsidiary is selected for this role, and also make sure the employee, department and location restrictions are set correctly.
It may be happening because of the restrictions in the employee record. If you have set a subsidiary or location in your employee record which is not the top most one, then you will not be able to get all the subsidiaries while searching. To resolve it, select the top most subsidiary in the employee record and do not select any location. Also, do not select any subsidiary in the role. Cheers

Where security role is used

I have created a form for a specific group of users in my CRM 2011 system. I want only them to be able to see this form. I can copy their security role and set the form for this security role only, but I will have a problem:
they are currently in a security role with another group of users. If I copy the security role, they will no longer see the specific customizations all across the system.
I only want one form to be different from the others. Is there any way I can find all the forms that are enabled for the specific security role (in order to give the new role these rights too)?
Assumptions based on your question: You already have a default form for the entity that is used by all users (All Users). You want to add an additional form to that entity that is only available to some of the users (Select Users). All Users are currently assigned a security role that gives them the necessary access to the system.
1. Create a new security role (Form Specific Role). You don't have to give this role any privileges, just a name.
2. Assign the Select Users the Form Specific Role. Do NOT remove their other security role(s).
3. Add the new form to the entity, Restricted Form.
4. Highlight the new form and click Enable Security Roles. Select the option Display only to these selected security roles and select the Form Specific Role you created in step # 1. Make sure Enabled for fallback is unchecked. Click Ok.
5. From the forms list, click Form Order and select Main Form Set (or the appropriate form type if you are working on a Mobile or Quick Create Form).
6. Use the Up/Down arrows to make the new, Restricted Form, the top choice.
7. Save and Publish all changes.
Now whenever a user that has been assigned the security role accesses this entity their default form choice will be the Restricted Form. There will be NO impact to any other forms they are accessing or any of their privileges in the rest of the system, as required by your problem statement.

Microsoft Dynamic CRM 2011: Field Level Security for specific Security Roles and Owner of an Account

My company is using Microsoft Dynamic CRM 2011 and wants to customize some features. A customization as described below:
“There is the password field of the Account ( used to login our company website). The password is only visible to account’s owner or to sale manager or to sales admin.”
How can I do that? It seems Field Security in MSCRM 2011 only supports User and Team. Please tell me how to do it (even by programming).
Field Security would be great for particular roles (sales manager etc) but not for "context aware" scenarios eg for the owner of the record.
Your best bet would be to create a custom entity for Password, make the primary field (name by default) NOT business required.
Create an N:1 relationship to Account, make the relationship "Parental" and make the lookup field Business Required.
You will now see "Password" in the left navigation of the Account.
Edit Password form to have lookup to Account, and add text field for the password itself, and make the "name" field not visible by default so you can ignore it.
Create a security role (or edit existing ones) to give User level access rights to Password for the read, create, update, assign, and append privileges. Amend sales manager role to allow to read all Password records.
The parental relationship will mean that if an Account is re-assigned then so will the child Password record.
But, someone could create a password record (so they own it) and link it to an Account (even one they don't own, possibly), without changing the owner to match the parent. So, create a workflow on the Password record create, re-parent or re-assign which will change the owner to the same as the parent account to tidy up this situation.
Edit the associated view for passwords to show the password field. Edit other views as required. (If you really want password visible on the Account form directly, use an inline grid set to use a minimum of space, no view selector etc. Still takes up far too much though, in reality.)
Hope this helps
This would be possible by using javascript.
Firstly, set the password field to not be visible by default - this will stop it appearing initially so that a user without permissions might see it (even briefly).
Secondly, provide a javascript function to look up the logged in user's roles. There are many ways of doing this, each with its own advantages and disadvantages. This link has a couple of ways you could use.
Thirdly, use this function and some extra javascript to check for the owner field to make the field visible/invisible.
As an example:
    function CanUserSeePassword() {
        var loggedInUserGuid = USER_ID; // USER_ID is a built-in CRM constant
        if (RetrieveUserRoles(loggedInUserGuid)) {
            // User holds one of the permitted security roles
            SetPasswordFieldVisibility(true);
        }
        else {
            // Otherwise only the record owner may see the field
            var ownerGuid = Xrm.Page.getAttribute('ownerid').getValue()[0].id;
            SetPasswordFieldVisibility(ownerGuid == USER_ID);
        }
    }
    function SetPasswordFieldVisibility(isVisible) {
        // setVisible is a control method, so use getControl rather than getAttribute
        Xrm.Page.getControl('new_password').setVisible(isVisible);
    }
    function RetrieveUserRoles(userGuid) {
        // use code from link above to return a bool, either user is in appropriate security role, or is not
    }
Bit rough 'n' ready, but will do the job.

Place to store user settings in Sharepoint besides profiles

Is user profiles an appropriate place to store things like number of items per page in a custom grid user selected? (I you can store it in the view, but it won't be per user this way).
My first thought was to store these settings in user profiles, but there are problems with access permissions for programmatically creating user profile properties, boiling down to this: you either have to give every user 'Manager User Profiles' permission in SSP or you have to run the application pool under a domain user, not NETWORK SERVICE. Both scenarios are unrealistic for me, so I'm now looking for another way to store such 'per user' settings.
Thanks!
Edit: I'm now considering ASP.NET profile mechanism with an additional DB to store user properties.
Given that the information is not sensitive a simple database with values stored against AD login should suffice.
And as you have the ASP.Net user database already, storing the information there would be the best option.
Maybe a Global List, that is only accessible for the SHAREPOINT\SYSTEM User and that you can then Query in a SPSecurity.RunWithElevatedPrivileges Function.
Disadvantage: You require Custom code to read/write to that list.
Cookie?
Sure they have limitations, but it is fairly easy to create the control to run javascript to add/edit the value
