Dynamics 365 On-Premise: User getting access to CRM Form which they do not have access.

  • Question

  • I have multiple forms on a CRM entity, one for External Users and one for Internal Users. The forms are customized in such a way that External Users can access only the External Form and Internal Users can access both the Internal and External Forms.

    Now, here is a scenario where even an External User is able to access the Internal Form:

    1. An Internal User logs into CRM and opens the Internal Form.

    2. The browser window is closed, and now on the same machine and the same browser type an External User logs in. By default he is shown the Internal Form, and the worse part is that the External User doesn't even get the option to select the External Form from the form selection drop-down list.

    For us this poses a big security threat.

    Has anybody had a similar problem? If yes, please share the workaround that is working for you.




    Friday, September 1, 2017 8:29 PM

All replies

  • Hi,

    I assume you have set form level security to the appropriate user role to get this to work.

    The only issue I can see, if form level security is applied, is possibly your definition of logging in. If the same machine is used and no username and password is entered, then yes, the external user will get the internal user's access, as AD takes care of this. Relogging on the machine itself as an external user should sort it out.

    Otherwise, browsers can be set to request authentication every time. This should force anyone using the machine to relog using their own credentials.



    Sunday, September 3, 2017 11:01 PM
  • We haven't changed anything with respect to security roles and their access on the form. We recently upgraded to CRM 2016 from CRM 2015, and in CRM 2015 it works without this behavior.

    So I guess this behavior is not related to any security setting but is related to the CRM 2016 platform. I noticed that CRM is wrongly updating the column LastViewedFormXml of the UserEntityUISettings entity.


    Tuesday, September 5, 2017 2:40 AM
  • I have also seen this behavior in Dynamics 365. New environment and new forms in our case, but security roles have been verified to be accurate.

    I would submit this to ideas.dynamics.com or open an incident with MS.

    Tuesday, September 5, 2017 6:55 AM
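
One way to check for the condition discussed in this thread is to audit exported UserEntityUISettings rows and flag any LastViewedFormXml that points at a form not enabled for the owner's security roles. This is an added example, not code from any poster or from Microsoft; the `<MRUForm><Form Id="{guid}"/></MRUForm>` layout is an assumption, and the GUIDs, role names, user names and rows are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed placeholders: form ids, roles, users and object type codes.
INTERNAL_FORM = "a1b2c3d4-0000-0000-0000-000000000001"
EXTERNAL_FORM = "a1b2c3d4-0000-0000-0000-000000000002"
# Form id -> security roles the form is enabled for.
FORM_ROLES = {INTERNAL_FORM: {"Internal User"},
              EXTERNAL_FORM: {"Internal User", "External User"}}
# User -> assigned security roles.
USER_ROLES = {"alice": {"Internal User"}, "bob": {"External User"}}
# Exported rows: (owner, object type code, LastViewedFormXml). Layout is assumed.
ROWS = [
    ("alice", 10010, f'<MRUForm><Form Type="Main" Id="{{{INTERNAL_FORM}}}" /></MRUForm>'),
    ("bob", 10010, f'<MRUForm><Form Type="Main" Id="{{{INTERNAL_FORM.upper()}}}" /></MRUForm>'),
    ("bob", 10011, None),              # user never opened a form on this entity
    ("alice", 10011, "<MRUForm><Form"),  # truncated value
]

def last_viewed_form_ids(xml_text):
    """Return lower-cased form GUIDs without braces, [] if empty, None if unparseable."""
    if not xml_text:
        return []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return [f.get("Id").strip("{}").lower() for f in root.iter("Form") if f.get("Id")]

def audit(rows, form_roles, user_roles):
    """Flag rows whose remembered form is not enabled for any role the owner holds."""
    findings = []
    for owner, type_code, xml_text in rows:
        form_ids = last_viewed_form_ids(xml_text)
        if form_ids is None:
            findings.append((owner, type_code, None, "unparseable LastViewedFormXml"))
            continue
        roles = user_roles.get(owner, set())
        for form_id in form_ids:
            allowed = form_roles.get(form_id)
            if allowed is None:
                findings.append((owner, type_code, form_id, "unknown form"))
            elif not roles & allowed:
                findings.append((owner, type_code, form_id, "form not enabled for owner's roles"))
    return findings

if __name__ == "__main__":
    for finding in audit(ROWS, FORM_ROLES, USER_ROLES):
        print(finding)
```
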