CRM 2011 Privileges: Read (Basic) and Write (Global): Will it work?

  • Question

  • I'm looking for a quick fix to a CRM 2011 issue between my custom plug-ins and security privileges.

    Our CRM has only been live a couple of months.  Up until now, security privileges (sadly) have pretty much been educated guesses, followed by repeatedly bumping our collective noses when the privileges are too strict for the users to do their work (e.g. "Oh, another Access Denied/AccessCheckEx error?  Here, let me increase your security role's privileges and push those annoying privileges out of our way again.")

    Now, though, we are trying to get serious about preventing access to entities that users don't own (e.g. setting "Basic" privileges).  The problem is, because I wasn't thinking about security when I wrote my custom plug-in code, much of it does things that violate the "Basic" privilege.  Here is a typical example of my plug-in code, in pseudocode:

    1)  Validate the contents of an entity; exit if not valid.

    2)  Assign the entity to another user.

    3)  Attach a Note (Annotation) to the entity showing the date/time that the current owner assigned this entity to the other user.

    In this example, step 3 explodes, because the current user does not have privileges to edit an entity owned by another user.

    Of course, I can go back through all my plug-in code and rearrange it, but as I said, I need a quick fix now.  Also, I'd prefer not to rearrange the above pseudocode if possible; I would not like to add the Note to the entity before actually trying (and possibly failing) to assign the entity to the other user.

    The thing is, maybe I'm not looking at security privileges correctly.  I'd like to try giving my users Basic Read privileges, but Global Write privileges.  It seems to me that if the users can't view an entity, they won't be able to edit it, even if they have Global Write privileges.  But if my plug-in code (or CRM) goes "behind their back" and edits a record, that will be allowed.  Will this solve my problem?

    I know I could just "test" it myself, but I don't know CRM well enough to test every possible situation sufficiently, to ensure these users can only view and edit entities they own.  What can you tell me?

    • Edited by EliW Thursday, December 19, 2013 3:25 PM
    Thursday, December 19, 2013 3:12 PM
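The three-step plug-in from the question, written out as an added C# example (not code from the original post). It assumes registration on the Update message of a user-owned custom entity that carries a hypothetical lookup `new_assignto` naming the new owner; the relevant point is which service handle runs step 3, because a service created for the calling user is checked against that user's roles, while one created with `null` runs as SYSTEM and is not.

```csharp
using System;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;

// Added example, not from the original post. Assumes: Update message on a
// user-owned entity with a hypothetical "new_assignto" lookup (systemuser).
public class AssignAndNotePlugin : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));

        // Every request through this handle is checked against the calling
        // user's security roles (Basic/Local/Deep/Global on each privilege).
        IOrganizationService asUser = factory.CreateOrganizationService(context.UserId);

        // Passing null gives a handle that runs as SYSTEM and is not subject to
        // the calling user's roles. Keep its use to the single operation that
        // must succeed after the record has changed hands.
        IOrganizationService asSystem = factory.CreateOrganizationService(null);

        var target = (Entity)context.InputParameters["Target"];
        var record = new EntityReference(context.PrimaryEntityName, context.PrimaryEntityId);

        // Step 1: validate the entity; exit (return) if it is not valid.
        if (!IsValid(target)) return;

        // Step 2: assign the entity to the other user. With Basic Assign/Write
        // this is allowed because the caller still owns the record here.
        EntityReference assignee = target.GetAttributeValue<EntityReference>("new_assignto");
        if (assignee == null) return;
        asUser.Execute(new AssignRequest { Assignee = assignee, Target = record });

        // Step 3: attach a Note recording who assigned it and when. After step 2
        // the caller no longer owns the record, so asUser.Create(note) is where a
        // Basic-scoped role fails; the SYSTEM handle is used for this one call.
        var note = new Entity("annotation");
        note["objectid"] = record;
        note["subject"] = "Record reassigned";
        note["notetext"] = string.Format("Assigned to {0} by user {1} at {2:u}",
                                         assignee.Id, context.UserId, DateTime.UtcNow);
        asSystem.Create(note);
    }

    // Hypothetical validation: require a non-empty name attribute.
    private static bool IsValid(Entity e)
    {
        return !string.IsNullOrWhiteSpace(e.GetAttributeValue<string>("new_name"));
    }
}
```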