Security when viewing emails in Advanced Find

  • Question

  • Hi all,

    I was hoping someone could help me with a query around security on the CRM system. As we use CRM to manage our HR and sickness processes, there's a couple of custom entities that are locked down pretty tight. This has been tested and we've found it to be fairly robust.

    However, I just performed an Advanced Find search through Email Messages and all this information is in there. OK, I can't open up the 'regarding' record but there's a lot of information in the email that's visible to all.

    I've had a look through the Security Roles to see if there's a way to restrict access to this entity but there's no option in there for Email Messages. I tried modifying Activities but they were still visible.

    Has anyone got any ideas about how I could restrict this?

    Friday, October 17, 2014 9:06 AM

Answers

  • Since I posted this, I've checked all the security roles applied to the test user account and I spotted that there was a custom role right at the very end of the list that gave full access to the Activity entity. Once I'd removed this, access was restricted.

    This was just a simple security role issue. Either way, it's solved now.

    Thanks for everyone's help.

    • Marked as answer by Jon_Evans Tuesday, October 21, 2014 9:26 AM
    Tuesday, October 21, 2014 9:26 AM
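
The cause identified in this answer, shown as an added example that is not part of the original thread: CRM security roles are cumulative, so one extra role with Organization-level read on Activity overrides every tighter role. The script models that on constructed data (user and role names are made up, and `prvReadActivity` is assumed to be the read privilege that covers Activity and Email) and reports which role widens access.

```python
# Added example: models how Dynamics CRM combines security roles.
# All role names, user names and rows below are constructed sample data.
DEPTH = ["None", "User", "Business Unit", "Parent: Child Business Units", "Organization"]
RANK = {name: i for i, name in enumerate(DEPTH)}

# role -> {privilege name -> access level}; a missing privilege means None.
ROLE_PRIVILEGES = {
    "HR Restricted User": {"prvReadActivity": "User"},
    "Salesperson (copy)": {"prvReadActivity": "User", "prvReadAccount": "Business Unit"},
    "Legacy Custom Role": {"prvReadActivity": "Organization"},
}
USER_ROLES = {
    "test.user": ["HR Restricted User", "Salesperson (copy)", "Legacy Custom Role"],
    "hr.clerk": ["HR Restricted User"],
}

def effective_depth(user, privilege):
    """Roles are cumulative: the user gets the widest level any role grants."""
    levels = [ROLE_PRIVILEGES[r].get(privilege, "None") for r in USER_ROLES.get(user, [])]
    return max(levels, key=RANK.__getitem__, default="None")

def roles_exceeding(user, privilege, intended):
    """Return the roles that grant `privilege` above the intended level."""
    limit = RANK[intended]
    return [r for r in USER_ROLES.get(user, [])
            if RANK[ROLE_PRIVILEGES[r].get(privilege, "None")] > limit]

def audit(privilege, intended):
    """Map each over-privileged user to (effective level, offending roles)."""
    findings = {}
    for user in USER_ROLES:
        offenders = roles_exceeding(user, privilege, intended)
        if offenders:
            findings[user] = (effective_depth(user, privilege), offenders)
    return findings

if __name__ == "__main__":
    for user, (level, roles) in audit("prvReadActivity", "User").items():
        print(f"{user}: effective {level}, widened by {roles}")
```

Reducing one role to User level changes nothing while another assigned role still grants a wider level, which is why the audit has to cover every role on the account.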

All replies

  • Hi Jon,

    Remove the read privilege of the Activity entity. Or you can remove the columns in the Advanced Find view that you don't want to display.


    Regards, Saad


    • Edited by Mohd Saad Friday, October 17, 2014 9:35 AM
    Friday, October 17, 2014 9:32 AM
  • Hi Saad,

    Thanks for your reply. I've tried reducing the permissions in Activity down to user level only but the email messages are still appearing. Removing columns won't work as the users will just be able to add in whatever columns they want. I can make the various fields non-searchable but they can still be displayed.

    Friday, October 17, 2014 10:36 AM
  • Hide the columns and make sure to remove the user's permission to create views. Or you can set the permission on Activity to None if you don't want the user to view activities anywhere.

    Regards, Saad

    Friday, October 17, 2014 11:05 AM
  • Hi,

    Maybe this link will help you to solve your problem.

    http://mscrm-chandan.blogspot.in/2013/01/hide-entity-from-advanced-find.html

    Regards,

    Divyesh Sapovadiya

    Friday, October 17, 2014 12:00 PM
  • Which fields, and of which entity, contain the information that needs to be restricted?

    If the information is in fields on the email entity, then it is very hard to restrict this, as the email entity has the same permissions as the activity entity. Your best option is to either not put sensitive information into the email entity, or move the sensitive information out of the email (probably via a plugin) and into a custom entity.


    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Friday, October 17, 2014 9:29 PM
    Moderator
  • Hi Saad,

    Thanks for your reply. I've tried reducing the permissions in Activity down to user level only but the email messages are still appearing. Removing columns won't work as the users will just be able to add in whatever columns they want. I can make the various fields non-searchable but they can still be displayed.

    Hi Jon,

    Check whether any of the following options helps you.

    Are you still able to see all emails (other than user-owned) even after updating the security role to "User" level? Is there functionality which is sharing emails to certain users? Or does the user have more than one security role, one of which is giving him Org-level email (Activity) access?

    If the fields to be hidden are custom fields then you can use field level security. There is an unsupported way to achieve the same for OOB fields as well - try avoiding this option (http://weblogs.asp.net/gayanperera/crm-2011-field-level-security-for-oob-attributes)


    If the above options are not working for you and you want to completely remove access to emails for certain security roles, then you can achieve it using a "RetrieveMultiple" plugin on the "Email" entity. In the plugin, for users who have a specific security role, you can update the filter criteria so that it will not return any values. The following blog post will give you info on how to write the plugin.

    http://blogs.msdn.com/b/ukcrm/archive/2011/03/10/using-plug-ins-to-modify-views.aspx


    Vikranth Pandiri Blog: http://howto-mscrm.blogspot.com Twitter: @TweetVikranth "Please Mark it as answer if it helps in resolving your query"

    Monday, October 20, 2014 5:42 AM
  • I don't understand the implementation suggestions.

    This is a textbook case on security roles.

    Your problem is not related to the functionality of advanced find, but to the way you have set up business units and security roles.

    So revisit the business unit setup and security roles. That way you can 100% remove the ability for people to read emails that they should be allowed to.


    Rune Daub Senior Consultant - Dynateam CRM http://www.dynateam.dk

    • Proposed as answer by RuneDaub Monday, October 20, 2014 12:28 PM
    Monday, October 20, 2014 12:28 PM