CRM 2011 and SharePoint Integrations Permissions - sharepoint

I'm developing a document management based on the crm sharepoint integrations at the moment. It is realy a nice way to take advantage of the sharepoint document capabilities inside crm 2011.
BUT!:
I see a huge drawback with this attempt, because the sharepoint security model differs from the crm security model. This way, even if a user has no acces to a account entity, for example, it is possible for him to go to the sharepoint site and look at the documents of this entity, because he got permissions on the list for his own account entities.
Why the heck there is no thread about this big security problem? Is there maybe a simple solution to get around this problem?
I hope someone is able to help me.
Best regards,
Gerrit

There exists a commercial out-of-the-box solution solving this problem from Connection Software company (http://connecting-software.com/index.php/en/solutions/products/cb-dynamics-crm-privileges-to-sharepoint-permissions-replicator).
Basically they deploy tiny plugin into CRM that collects all the event that can possibly require change of permissions. There is a extra service that is processing these events and writes folder-level permissions into SharePoint accordingly.

Eugh. Sharepoint.
In my opinion there is no easy way around this and there are other problems with the way it integrates.
I was on a project where we discussed options around this very issue but was moved on before we came to a conclusion.
My suggestion was to use the Sharepoint Security APIs to assign permissions on SP based on roles/events in CRM. All users start with no permissions in SP.
e.g.
User is assigned as owner in CRM - use plugin to call SP API to give permissions to that specific folder. Previous owner has permissions removed.
Opportunity is created. Use SP security API to give permissions to owner of Opportunity to the folder associated with the opportunity.
And etc etc and so on.
It isn't too pretty and depending on requirements could become particular pain to maintain and test, but I didn't see many other options.
But there are plenty of problems with SP integration I think I was lucky that I was moved on to another project!

Related

DropBox to SharePoint migration

I'm currently working on migrating a big company's data from DropBox to SharePoint and i can't quite decide on how to structure the whole SharePoint environment.
So as you may know DropBox has an admin section where you add your members, groups and content to share and it is pretty straightforward on how to implement simple things and by that, i mean that you get your members on some groups and then you share specific folders (from your content) to that group directly.
As of SharePoint now, i found out that it has more or less the same functionality but it really gets pretty inconvenient on how to implement this. I created a new site, then i created my groups and added some users to them, then i created as many document libraries as my shared folders were on DropBox, i stopped inheritance from the site and added groups directly to the document libraries. All that, took me quite a while, more than 8 hours, for 30 document libraries and 20 groups mostly due to the back and forth i had to go through settings, permissions, libraries etc.
Would it be, let's say, more practical or rather make more sense to create a new site for every shared folder i have on DropBox and add members directly from the site's homepage?
What would you do for such a case?
Thanks in advance
PS. The migration tool that SharePoint admin center provides it comes pretty handy and it works good, but transfers data quite slowly.
TLDR: Use sites, not libraries, for different user groups.
SharePoint makes the following things easy:
Sharing a whole site (by inviting people as members (edit) or visiors (read))
Sharing a single file (with a person that you don't want to have access to the other stuff on the site)
SharePoint makes the following very hard:
sharing specific libraries with distinct groups of people. This requires a lot of setup work and is a maintenance nightmare. You also need to be an administrator of the each site and know where in the depth of the SharePoint settings you can find the switch to break permissions and invite other people to a library.
It is not recommended practice to share libraries like that.
In your scenario, you would be served better with individual team sites using O365 groups. Then add members via the home page sharing button. The site should be the permission boundaries and these permissions should not be broken for any site content.
If the need arises to break permissions for certain content, it's time to move that content to a separate site with its own membership groups.
Using O365 groups, any site membership can then be viewed, managed and audited in the SharePoint admin portal and the M365 admin portal. No SharePoint knowledge or SharPoint site access is required for admins to manage membership. Membership assignment can also be automated with various tools like PowerShell or Power Automate.
Users can see only the sites they have access to, and will not suffer the bad user experience of clicking a library, only to get an error message for "You do not have access".

Is Microsoft SharePoint the right tool to share documents with external users?

I would like to be able to supply external users (customers, potential leads, suppliers) across organisations and internal users inside my organisation with documents.
The documents should be organisable per user individually. E.g. Customer A should be able too see documents for the product he bought, not more and not less documents.
No further functionality is currently needed besides that.
Is SharePoint the right tool for that job?
If not what other tools can you recommend from your experience?
I see you tagged SharePoint 2019, I'd advise against using on-prem SharePoint for Sharing documents externally. It is possible, but to do it securely is complex and expensive.
O365 on the other hand is pretty simple and the security is already implemented for you. You can determine the level of access that your external users have and you can extend that by using additional tools provided by Microsoft Information Protection.
You can secure access by forcing guests to login or simply have anonymous links. To add to that you can automate your publishing processes using Power Automate, the O365 workflow.
Take out a trial subscription and make sure it meets all your requirements first.

Configuring Group site with harmon.ie

We are using Harmom.ie for Outlook to save e-mails and documents in SharePoint sites. Recently we started to use the Planner and Groups and we want to use Harmon.ie to save documents and emails into group sites. In Harmon.ie there is an option to enable groups sites. We have done that. When doing this an Office 365 Global admin must give consent. We also done that. However when a user try to access they are not allowed to access. According to the documentation something need to be set up on Azure giving the add proper Graph access.
The question is. How do we do this??? has anyone else got this to work? When we access the app on Azure there is not much we can do?
We are stock! any help will be much appreciated.
There are different ways to solve this. Harmon.ie also allows you to connect to teams & groups - and I suppose this is what you tried to do. We also did this. It was a little bit complex - but after some communication with the harmon.ie support, we got it working.
However, I am proposing a different way to solve your problem. Why? Currently, the problem with this teams and groups connection is, that you are not getting all the functionality of normal site connection (if you connect a SharePoint site to: https://www.harmon.ie). You are only going to see the documents library of your office group - and nothing else. But as an office group just uses a normal SharePoint Site, you could also have other libraries created.
What you can do is, get
1. get the site url (every office group has a SharePoint-Site behind)
2. and book it into harmon.ie manually
You will than have access to the document libraries.
for this solution, you do not need any additional configuration of teams and groups access.

Automatically show related contacts of accounts in dynamics CRM

One of my client want to allow their users to view the related contacts of an account, even if they are not shared with them. I've suggested some solutions that were including workflows, plugins or teams. But he is still insisting that if a user can access to accounts then he should have access to the related contacts.
Can anybody is there to share his views on it.
If upgrading is an option for you, 2013 and later have Access Teams which are meant for sharing permissions without messing the ownership.
Lots of useful info here http://garethtuckercrm.com/2013/11/24/crm-2013-new-features-access-teams/
Basically, once you enable Access Teams for an entity, you can relate Users to a specific record and those users will gain access to the record itself (in a manner similar to Sharing, but you can define templates) and child records too if you want.
Sharing through teams or directly to a user is the only answer you can give to your customer.

Syncing CRM 2011 and SharePoint Security

I have integrated our SharePoint site and our Dynamics CRM 2011 system so that we can upload documents from CRM. But i had a thought that through security in CRM users can only see records relevant to them, but if they just went to the SharePoint site they'll be able to see documents related to any record even if they couldn't see it in CRM.
So i was wondering if its possible in some way to 'sync' the security from CRM into SharePoint so that users can't see what they're not meant to in either system.
Thanks
It is possible out-of-the-box. There is a commercial CB Replicator solution that solves exactly this problem. It performs complex mapping of CRM security model into SharePoint groups and and folder level permissions.
Shortly described it deploys tiny plugin into CRM that collects all the events that could require change of permissions. There is a standalone service that gets these events and write proper permissions into SharePoint as item level permissions on referenced folders by sharepointdocumentlocation entity.
It support various action in CRM that lead into permissions change, e.g.s security roles, business unit hierarchy, privilege depths, team membership, access team, access team templates, sharing.
Unfortunately this isn't possible out of the box. SharePoint's security model is usually based on AD groups, whilst CRM uses in-app security roles applied per user.
To keep these in sync would require some custom development on the server side, that is if it's possible at all.

Resources