I'm programming a new application with many users, a few roles and specific permissions for those roles. For that I want to create the following tables:
Users (ID,Login, password,..)
Roles(ID,Rolename)
User_Roles(User_ID, Role_ID)
Permissions(ID,PermissionName)
Permission_Roles(Permission_ID, Role_ID)
My idea was to build a function, which allows to check if a user has a specific permission to access a form. I would do that by creating Permissions/Rules like 'canReadFormX', 'canEditFormX' which would allow me to use one main function to check and perfom those specific rules and a function per form to call it.
Is that a way to go (or rather did I understand everything correctly regarding RBAC) or is that just far to complicated? Any advise is very appreciated!
It seems fair to me, and similar to what we have already set, for the first 3 tables.
You then have to solve the 'action' problem, ie to distribute permissions to use your appl's actions. I am not sure that your 'Permissions' proposal will cover all the situations, as you have to deal with 2 major categories of actions:
The 'Open form' actions, that you already have identified: you effectively have to define 2 levels of authorisation for each form: the 'view' right, and the 'update' right.
All other actions, such as form specific buttons or menus, that will allow you to run a specific action other than just opening a form (execute a report, make a specific calculation, automatically import or update data, etc).
One solution/My advice is to maintain 2 tables for this:
A 'Forms' table
An 'Actions' table
And the corresponding link tables:
A 'Form_Role' table
An 'Action_Role' table
With such a configuration, you are fully covered. You can even decide which role has the right to see a specific report on a specific form, as long as the corresponding action is accessed through a specific control or menu on the form.
Both Forms and Actions tables are very interesting as they both participate in your application metamodel...
EDIT: By the way, if you are on a domain, you can use user's domain credentials to control his\her access rights to your system. In this case you do not need to store a password in your RBAC system.
Related
I have recently inherited a very messy Dynamics CRM system from my predecessor. I want to clean up the way our company navigates around Accounts. At the moment, there are 3 views and one form with about 2000 (exaggeration) lines of javascript code!
We categorize accounts into three types; TypeA, TypeB, TypeC. This is controlled by an Option Drop Down. Once selected, the screen hides/shows depending on it. This has meant we have a very wide AccountExtensionBase table. I am accepting I will have to live with this as I am have been led to believe that building a 1..1 extension is not as easy as it seems?
What I would like to do is change the 'Workplace -> Customer' menu on the right hand side of CRM. I'd like to add three clickable options so it would read
Customers
Accounts
TypeA
TypeB
TypeC
Contacts
Upon clicking, for example, 'TypeA' it would take the user to the 'TypeA' accounts which are filtered by a pre-defined view. Then, any request for the Account Form from this view would redirect the user to a specific 'TypeA' form, which I have yet to create.
I have read this article here Crm 2011 - How to set a default form depending on attribute value (without using Javascript)? which is a good example of how to re-direct the forms. However, I am unsure how to handle this from a 'New' request, as the drop down is not yet populated.
Is there a way of building this concept cleanly in CRM? I am finding it hard to get any decent Google results as I am unsure of what terminology I should be using.
Any help or links to suitable guides would be hugely appreciated.
Thanks.
I think these are the droids you are looking for:
http://www.powerobjects.com/blog/2013/03/08/displaying-filtered-view-in-site-map-crm-2011/
Granted it is for CRM 4, however it may work in 2011.
You might also look at:
http://mscrmtools.blogspot.com/2011/06/new-tool-sitemap-editor-for-microsoft.html
I've created my own solution with a custom entity of type activity. I'd like to show a message whenever a new instance of it is created using an existing contact but not allow the user to create one, if only attempting to do that without going via contact.
Basically, my aim is that it won't be impossible to just create that activity (the form will be hidden directly at any attempt except for one way only). The user will have to go to contacts (or leads etc.) and in there add and create an instance of the custom activity entity. That way, I can assure that the field "regarding" will be filled out already.
I'm guessing that I need to detect somehow that the opening of the form is a creation attempt. How can I do that?
Also, as it is now, the user can't create a contact-less activity of the custom type because it doesn't appear on the menu with other activities. I must have disabled it somehow but I have no idea how. Anybody who has one?
You could do this a bunch of ways but the easiest would probably be to:
Make the regarding field read only.
Make the regarding field mandatory.
That way if a user opens a create new form they wont be able to set the regarding and because its mandatory they wont be able to save the record. When they open via an existing contact the regarding field will be mapped automatically. That said in this case just making it mandatory my be enough.
(As a side JavaScript can be used to identify the current form state, but I'm not sure how useful that is here).
In terms of where custom activities appear, by default mine show in a number of locations, for example:
CRM > Workplace > Activities > Ribbon > Other Activities > XXX.
CRM > Workplace > Activities > View Selector > XXX.
They don't show under the left hand navigation of the workplace because they are grouped under 'Activities'. I'm pretty sure these are all the default settings.
You can exercise greater control by editing the sitemap, where you can put pretty much anything, anywhere.
In addition to Mr Wood, I'd like to show you some code. It works as supposed to but I'm not sure if it's optimal.
var foo = function () {
var whatIsGoingOn = Xrm.Page.ui.getFormType();
if (whatIsGoingOn === 1)
alert("Let there be an entity!");
else
alert("Not a creation...");
}
The other states' (deletion, update etc.) numeric values are listed here.
Answering the second part of your question:
When you create a custom activity you can choose whether to have it appear in 'normal' Activity menus or not by checking the box at the top right of the entity form. This is a once-only choice as far as I know and can't be changed later.
For your setup, I would suggest NOT checking this box, so it does not appear in the activity menus to avoid users even being tempted to do it that way.
Instead, add an explicit relationship to the activity N:1 to Contact, and another N:1 to Lead. Use this relationship to add your activity to the left navigation of Contact and Lead forms, or add a grid for them (depends on how you want to use this and if you need to filter the view to something other than the default "Associated View").
When a user navigates to this section they will see if any previous activities of this type exist, and be able to add a new one. BUT this means that the child record is a child via this relationship, not using "regarding", so use a script on the form for the activity so that if Contact is filled in, it is copied to Regarding, and if Lead is filled in then that is copied. If neither, then use an alert or other means to warn the use that something is wrong (see comment earlier). If you want Regarding to be read-only but filled in by script, you will need to make sure to use the force the value to be saved:
Xrm.Page.getAttribute("regardingobjectid").setSubmitMode("always");
You must have the lookups for Contact and Lead on the form to be able to use them in your scripts, but you can make them not "visible by default" so they are there but not seen by the user (and taking up no space).
What I need
I have a custom Entity with that with multiple fields. Admin Role has "god" access. All other roles except for one have read only. The one non admin role with update access, should only be able to update a single field.
What I believe to be true
I believe I have three main options to implement this requirement:
Enable Update Access to the role for that entity then write Javascript to disable all fields on the form for that role, except for the one that I want that role to be able to edit
Enable Update Access to the role for that entity then create a new form that disables all fields on the form for that role, except for the one that I want that role to be able to edit.
Enable Update Access to the role for that entity then turn on field security for each field, disabling access using the field security, for each field except for the one I want them to edit.
What's the Best Practice?
What options should I choose?
If I go with options 1 or 2, will the user be able to edit the field on the bulk edit form?
From a user perspective, I think it's confusing when a form opens up with things enabled, then they get locked down. Plus someone could possibly get data in there before the fields get locked. I'd say you'd have to combine this with a plugin to prevent changing fields you don't want changed.
I like this option better, although again, the field can be unlocked if someone knows what they're doing, so a plugin to double check would be nice.
This would avoid having to double check in a plugin, but you also have to rely on the admin correctly setting up security for new fields going forward. If that's not a concern, this might be best.
Bulk edit is a global privilege, so they'd have bulk edit for all entities. Also, the bulk edit form does not load scripts, so that knocks out option 1. I'd say if it's just this one field, I might leave the privilege locked down and provide my own Bulk edit button on the grid that would show a custom page that just has that one field on it, then handle the updates though script.
2 is most likely best, or as an alternative put the fields in the header or footer rather than as read-only fields on the form.
This also means the fields won't be available to bulk edit, but other methods such as data import or workflows would let users get round this if they know how and have rights to do such things.
3 Field Security is the most robust and works for all scenarios
Possible option 4: create another entity to contain those fields and apply different security to that entity. If created as a child, show the record in a grid on the form with the values included in the view. If it is a parent then you could use methods such as showing the values via an HTML webresource page included on the form.
1.) I had an implementation for user registration for which I needed to make two extra tables and used "users" table as well(I've made a custom module for this purpose). I've collected the information while user is registering and put them in appropriate tables. Now I need to provide user with an interface where he can update his profile(this includes tables which I mentioned above).
2.) Further more, I need to make filters that admin can see the list of users e.g. who have salary more than $10,000. I need to provide two predefined filters and facility to make more filters for admin.
How can I do both of the above question? is there any module?
Thanks for your reply.
1) You could use hook_user "form" operation to add fields to the user account edit form. You could then use the "submit" operation to write any changes to the database.
2) I recommend using the Table Wizard module to expose the data to Views. Then use Views to do the reporting. That would give you the ability to easily add more filters later, as needed.
I've got a custom list with a custom content type. I'm aware that when you create a new item you can see a drop down for the different content types on that list which I assume all have their own NewForm.aspx somewhere. I can specify in the content type definition which columns are shown on the New form and that I can replace the new form with a custom one of my own design.
What I'm trying to achieve is to have multiple New forms but for the same content type listed on the New drop down. I would like each new form to expose different fields of the content type. Additionally I'd like to make particular New forms only visable by users with particular permissions although this isn't critical.
Scenario:
I've got a content type with all the fields I need for a risk assessment. When a new item is created it only exposes fields to enter contact details. Once this is created a workflow with infopath forms then drives the gathering of the rest of the risk assessment information through booking, the inspection itself and approval of the data. I want the ability to have a second option to easily enter all this information on a different new form for an inspection that's already been done and needs logging in the system.
You could customize the NewForm.aspx (e.g. via SharePoint Designer) for the initial submission case. Obviously, all of the required fields will need to be populated in some fashion.
The EditForm.aspx is the out-of-box page for updating existing list items. You may be able to customize this to meet your update an existing risk assessment case. From the post above it's not entirely clear to me whether this distinction between these pages is fully understood.
In both of these cases, you can add code-behind to the .aspx pages. However, it's usually best to start as simply as possible, keep it as simple as possible and only add complexity as necessary.
Hope this makes sense and helps. Good luck!
Dan,
Per your scenario, I have done something similar by creating one content type per actor/stage. Consider using a simple SharePoint Designer workflow to change your content types onChanged (simply by setting the Content Type) column so that the perspective actors only see the columns you want them to see in the edit/newforms. As long as the proper content type is set, your users will only see the fields you want them to see. Furthermore, with creative use of views and audience targetting of pages you can somewhat prevent these users from seeing columns.
Also, you can prevent users from seeing the different content types (under the new button) in the advanced content type page.