Syncing CRM 2011 and SharePoint Security - security

I have integrated our SharePoint site and our Dynamics CRM 2011 system so that we can upload documents from CRM. But I had a thought that through security in CRM users can only see records relevant to them, but if they just went to the SharePoint site they'll be able to see documents related to any record even if they couldn't see it in CRM.
So I was wondering if it's possible in some way to 'sync' the security from CRM into SharePoint so that users can't see what they're not meant to in either system.
Thanks

It is possible out-of-the-box. There is a commercial CB Replicator solution that solves exactly this problem. It performs complex mapping of the CRM security model into SharePoint groups and folder-level permissions.
Briefly described, it deploys a tiny plugin into CRM that collects all the events that could require a change of permissions. There is a standalone service that gets these events and writes the proper permissions into SharePoint as item-level permissions on the folders referenced by the sharepointdocumentlocation entity.
It supports various actions in CRM that lead to a permissions change, e.g. security roles, business unit hierarchy, privilege depths, team membership, access teams, access team templates, sharing.

Unfortunately this isn't possible out of the box. SharePoint's security model is usually based on AD groups, whilst CRM uses in-app security roles applied per user.
To keep these in sync would require some custom development on the server side, that is if it's possible at all.

Related

Automatically show related contacts of accounts in dynamics CRM

One of my clients wants to allow their users to view the related contacts of an account, even if they are not shared with them. I've suggested some solutions that included workflows, plugins or teams. But he is still insisting that if a user can access accounts then he should have access to the related contacts.
Can anybody share their views on it?
If upgrading is an option for you, 2013 and later have Access Teams, which are meant for sharing permissions without messing with the ownership.
Lots of useful info here http://garethtuckercrm.com/2013/11/24/crm-2013-new-features-access-teams/
Basically, once you enable Access Teams for an entity, you can relate Users to a specific record and those users will gain access to the record itself (in a manner similar to Sharing, but you can define templates) and child records too if you want.
Sharing through teams or directly to a user is the only answer you can give to your customer.

Dynamics CRM 2011 external web site vs ISV in CRM 4

I have to update code made for CRM 4. It consists of custom aspx pages which are in ISV folder.
I created a custom web site and hosted it on the same server where CRM is. It is configured with anonymous authentication and I pass a user id as query string parameter to set it as CallerId on the proxy. Code builds a hierarchy tree of an entity. Most of users have Business Unit level of privileges, but some records from other BU are shared with a team they are member of.
The problem is that the code runs much slower than when deployed as ISV. What could be the reason for this? When I run the code with crmadmin credentials, it goes faster; even if I run RetrievePrincipalAccessResponse for each product, it runs faster.
Appreciate any suggestion.

CRM 2011 and SharePoint Integrations Permissions

I'm developing a document management solution based on the CRM SharePoint integration at the moment. It is really a nice way to take advantage of the SharePoint document capabilities inside CRM 2011.
BUT!:
I see a huge drawback with this approach, because the SharePoint security model differs from the CRM security model. This way, even if a user has no access to an account entity, for example, it is possible for him to go to the SharePoint site and look at the documents of this entity, because he got permissions on the list for his own account entities.
Why the heck is there no thread about this big security problem? Is there maybe a simple solution to get around this problem?
I hope someone is able to help me.
Best regards,
Gerrit
There exists a commercial out-of-the-box solution solving this problem from Connection Software company (http://connecting-software.com/index.php/en/solutions/products/cb-dynamics-crm-privileges-to-sharepoint-permissions-replicator).
Basically they deploy a tiny plugin into CRM that collects all the events that can possibly require a change of permissions. There is an extra service that processes these events and writes folder-level permissions into SharePoint accordingly.
Eugh. Sharepoint.
In my opinion there is no easy way around this and there are other problems with the way it integrates.
I was on a project where we discussed options around this very issue but was moved on before we came to a conclusion.
My suggestion was to use the Sharepoint Security APIs to assign permissions on SP based on roles/events in CRM. All users start with no permissions in SP.
e.g.
User is assigned as owner in CRM - use plugin to call SP API to give permissions to that specific folder. Previous owner has permissions removed.
Opportunity is created. Use SP security API to give permissions to owner of Opportunity to the folder associated with the opportunity.
And etc etc and so on.
It isn't too pretty and, depending on requirements, could become a particular pain to maintain and test, but I didn't see many other options.
But there are plenty of problems with SP integration; I think I was lucky that I was moved on to another project!
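
The event-driven approach suggested in this answer, as an added example that is not part of the original post. It models only the decision logic in Python: the SharePoint call is represented by the returned `(action, folder, user)` tuples, and the event names, record id and folder path are constructed for illustration.

```python
from collections import defaultdict

class FolderAclSync:
    """Derives SharePoint folder permission changes from CRM events (default deny)."""

    def __init__(self, folder_for_record):
        # record id -> folder URL, as held by sharepointdocumentlocation (sample data)
        self.folder_for_record = folder_for_record
        # record id -> user -> reasons the user may see the record
        self.reasons = defaultdict(lambda: defaultdict(set))

    def _allowed(self, record):
        return {u for u, why in self.reasons[record].items() if why}

    def apply(self, event):
        """Update state for one event and return the folder operations needed."""
        record, user = event["record"], event["user"]
        folder = self.folder_for_record[record]
        before = self._allowed(record)
        why = self.reasons[record]
        if event["type"] in ("create", "assign"):
            for held in why.values():      # the previous owner loses the owner reason
                held.discard("owner")
            why[user].add("owner")
        elif event["type"] == "share":
            why[user].add("share")
        elif event["type"] == "unshare":
            why[user].discard("share")
        else:
            raise ValueError("unhandled CRM event: %r" % event["type"])
        after = self._allowed(record)
        # Only the difference is written, so a user who keeps access through
        # another reason (e.g. a share) is not revoked on reassignment.
        return ([("grant", folder, u) for u in sorted(after - before)] +
                [("revoke", folder, u) for u in sorted(before - after)])

def replay(events, folders):
    """Run constructed events in order and collect every operation."""
    sync = FolderAclSync(folders)
    return [op for e in events for op in sync.apply(e)]

# Constructed sample: one opportunity and its document folder.
FOLDERS = {"opp-1": "/sites/crm/opportunity/opp-1"}
EVENTS = [
    {"type": "create", "record": "opp-1", "user": "alice"},
    {"type": "share", "record": "opp-1", "user": "bob"},
    {"type": "assign", "record": "opp-1", "user": "bob"},
    {"type": "unshare", "record": "opp-1", "user": "bob"},
]

if __name__ == "__main__":
    for op in replay(EVENTS, FOLDERS):
        print(op)
```

Tracking the reason for each grant is what keeps a reassignment from revoking a user who still has the record shared with them, and keeps an unshare from locking out the current owner.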

Enhance MS Dynamics CRM role based security model

I need to enhance MS CRM Role based security model with more criteria to filter on. I.e. in addition to Business Unit access level, I need to add location access level, team access level and some other access layers based on custom entities.
I brushed through the internet and the MS CRM 2011 SDK but haven't found an example of how I can enhance the Role based security model. Is it possible?
If it is, can you point me to an example of how I can achieve this?
In CRM 2011 you have more options in security model:
You have the concept of teams, that can have users from different BUs
You have security-field, to enhance the security for a field
See here resume of all options in CRM 2011. See also this article.
Another option you have is using Javascript to add more criteria:
http://www.powerobjects.com/blog/2011/10/20/how-to-hide-a-button-on-the-ribbon-in-dynamics-crm-2011/
http://blogs.infinite-x.net/2010/11/16/retreiving-user-roles-in-crm-2011/
http://crmdm.blogspot.pt/2011/03/how-to-hide-show-tab-in-crm-2011-using.html
http://crmdm.blogspot.pt/2011/02/how-to-hide-control-in-ms-crm-2011.html

ADAM Administration from SharePoint

We're in the process of building a MOSS site and one of the 3rd party tools we're using has a requirement of AD/ADAM as the authentication provider. We would like the users to manage their own accounts (e.g. resetting passwords, registering new users, etc.) so we're going to need WebParts for administering users in an AD/ADAM/LDAP DB.
Are there any SharePoint WebParts out there already to do this?
I came across one today called AD User Editor. It states you can edit nearly any Active Directory property, and it works in multi-domain environments.
From the UI screenshot it appears to use a web part and take on the SharePoint look and feel.
Even better it's on CodePlex so any problems you can fix yourself!
