Incoming Email Configuration, Email Router and Security Issue

  • Question

  • Hi everybody, it's been a while since my last post but I definitely need your help on this one.

    Running Dynamics CRM 4.0, using the email router and Outlook client.

    I have this "Issue":

    Let's say I have "BusinessUnit1" and "BusinessUnit2" under "RootBusinessUnit"

    "User1" is in "BusinessUnit1" with email user1@domain.com
    "User2" is in "BusinessUnit2" with email user2@domain.com
    "User1"'s security role allows him to see Contacts and Activities from its business unit only. Same thing for second user.



    Let's say: "User1" creates a new Contact record, calls it "User2" with user2@domain.com in its email address field, then saves and closes the new contact.

    We send a couple of emails to user2@domain.com

    When "User1" opens the History of that new Contact record, he will see all email activities that are related to this contact, AND ALSO all the email activities related to the second user, even if "User2" is not in the same business unit...

    Do you have any clues why that happens? I'm sure I'm missing something...

    Is it a default behaviour that the email router sends the email to CRM, then creates email activities for both Contacts and Users?

    TX ALL!

    Maxime
    Wednesday, June 17, 2009 7:44 PM

All replies

  • The apparent 'security violation' is a consequence of the parental relationship between contacts and activities. If a user owns the contact, they get to see all child records with a parental relationship to the contact record. To remove this, customise the relationship type.

    Leon Tribe
    Want to hear me talk about all things CRM? Check out my blog
    http://leontribe.blogspot.com/

    • Proposed as answer by Leon TribeMVP Wednesday, June 17, 2009 8:10 PM
    • Unproposed as answer by MaximeFortier Thursday, June 18, 2009 12:50 PM
    • Proposed as answer by Dave0109 Thursday, July 21, 2011 2:06 PM
    Wednesday, June 17, 2009 8:10 PM
  • I think it is working correctly :)
    The email router sends e-mails only once. And there is only one email activity record in the system, but it is related to the contact and user2

    • Proposed as answer by sl_k83 Thursday, June 18, 2009 4:55 AM
    • Unproposed as answer by MaximeFortier Thursday, June 18, 2009 12:50 PM
    • Marked as answer by Donna EdwardsMVP Saturday, June 20, 2009 4:09 PM
    • Unmarked as answer by MaximeFortier Monday, June 22, 2009 12:11 PM
    Thursday, June 18, 2009 4:54 AM
  • Ok, both users are in different business units. The current roles are configured so that users only see stuff from their respective business unit.

    "User1" only has to create a contact record with "User2"'s email address and he gets all the info I don't want him to see?

    I don't want "User1" to be able to see the emails that were sent to "User2".

    Is that normal behaviour?
    Thursday, June 18, 2009 12:14 PM
  • As mentioned above, this is a result of how the default security in CRM works.  CRM makes the assumption that if you have access to the Account, then you should have access to the associated records (As the Account owner, you should have visibility into what is going on with the Account).

    To change this, you would need to modify the Cascade rules defined on the relationship from Account to the Activity records.  By default, this will be set to Parental which will cascade privileges from the Account to the Activity record.  You would need to change this to Custom and then modify the Cascade rules to meet your needs.
    Matt, MVP - Dynamics CRM
    Thursday, June 18, 2009 1:41 PM
  • Thanks for all of your replies!

    I understand the concept of associated records, but let me explain differently. 

    Each user belongs to a different business unit, and CAN'T see contacts/activities of the other business unit. User1 doesn't have access to the Contact of the other business unit, but can see an incorrectly associated record.

    User1 creates a contact, in its own business unit. He is the owner of the contact record. User1 will see all the associated records with that contact, no problem there.
    When User1 is filling in the new contact information, he adds the email address of User2 in the contact record. (User1 creates a contact that corresponds to somebody in the other business unit)

    If User2 receives emails, the email will appear
    - In User2 activities
    - In the contact associated activities in the correct business unit (User2 business unit)
    - In the contact associated activities in the wrong business unit (User1 business unit)

    Why can User1 see that email activity, if it's not related to its business unit??

    Thanks for your patience!


    Thursday, June 18, 2009 2:04 PM
  • I would like to see if anybody is able to reproduce that behaviour.

    Could that be a bug? 
    Friday, June 19, 2009 3:33 PM
  • User1 created the e-mail and should be able to view it.  This is working as designed.  The scenario provided doesn't sound like a real world scenario in that internal users don't generally create Contact records and apply other internal users' e-mail addresses but I suppose it could happen.  In any event, the application appears to be working as expected.
    Best Regards, Donna
    Saturday, June 20, 2009 4:08 PM
  • Hi.

    I guess that's a real world scenario since we are facing that issue. We have thousands of users in dozens of business units, so that's more than likely to happen. Even if it's not considered to be normal usage, it allows users to intercept emails they should not see. And that raises concerns.


    Monday, June 22, 2009 12:15 PM
  • Does anybody consider that a possible security vulnerability or a bug? 
    Monday, June 22, 2009 6:40 PM
  • I could be missing something, but I don't see a security concern since User1 created the e-mail which means User1 is the owner and the e-mail will be visible to that user and to User2 since the e-mail was sent to that user. 
    Best Regards, Donna
    • Marked as answer by MaximeFortier Tuesday, June 23, 2009 3:56 PM
    Monday, June 22, 2009 8:28 PM
  • You are right. I did the same exercise with 3 users and the third user can't see the email even if he creates a contact with the same email address.

    Thanks a lot all!!! 
    Tuesday, June 23, 2009 3:56 PM