Assigning same security role to team and user (team member)

  • Question

  • Thanks for your answers.

    I've created a custom entity, EntityA.  I've created a security role to access the custom entity, EntityARole.  The rights/privileges for the custom entity are read business unit level, create user level, write user level. 

    I've set my users up on teams in an attempt to limit access to the custom entity, TeamA and TeamB.  When a record is created, I assign ownership of the record to the team.  To ensure the team can own the record, I gave the team the same role as the user.  This appeared to work.  The record is owned by the team and the team members can update the record.

    TeamA has UserA1, UserA2.  TeamB has UserB1, UserB2.  All users and teams have EntityARole.

    Again, the privilege on EntityARole is user write for EntityA.  

    The issue: UserB1 and UserB2 can update records owned by TeamA, and UserA1 and UserA2 can update records owned by TeamB. What appears to be happening is that the EntityA write privilege has been set to Business Unit.  

    Is it possible that adding the same security role to a user and the team the user is on upgrades the privilege, i.e., from user to business unit?  

    Monday, June 18, 2012 1:31 PM

Answers

  • Hi,

    If all users and teams have the same role, then all will be able to access the same entities.

    See if this article helps you with the design around security:

    http://quantusdynamics.blogspot.co.uk/2012/03/dynamics-crm-data-driven-security.html

    Hope this helps


    Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com

    • Marked as answer by mosbySE Wednesday, June 20, 2012 8:25 PM
    Monday, June 18, 2012 7:56 PM
    Answerer
  • Thanks nrodri.

      While this is informative, and shows you the disadvantage of teams, I think there are a few advantages.  The sharing of records.  

      Here's the example.  

      You have users assigned to a team.  The user creates a record.  A workflow then assigns the record to the team.  The team has write privilege to the record, and, by membership, so do all the members on the team.  Add this to the organizational structure, and you now have team-based security.

      However, my question is what happens when you have a security role for a team and the same security role used on the team member.  In my above example, the security role had write privilege set to User for a given entity.  The security role was added to the user. The same security role was added to the team.  The user was a member of the team.  At this point the user was able to update all records in the business unit which included records not owned by the user nor the team the user was a member of. 

      Is this an undocumented feature of CRM?

    • Marked as answer by mosbySE Wednesday, June 20, 2012 8:25 PM
    Tuesday, June 19, 2012 4:15 PM

All replies

  • The user can update records owned by other users or teams if it has business unit level or Organization level access to those entities.

    Can you take a screenshot and paste here for us to have a look?


    Tuesday, June 19, 2012 6:54 PM
    Answerer
  • It seems I have been misled.  The issue wasn't the ability to update (write privilege) on all records in a business unit without having the privilege being set to business unit.  Even with the same security role assigned to the user and the team the user is a member of. 

    Thanks nrodri. For your time, I'm going to mark your response as answer.   But just to note, to restrict access above the user level and below the business unit, you can use teams. A team can own a record. A user can be a member of the team and therefore has rights to the record. 



    Wednesday, June 20, 2012 8:25 PM
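
The access check this thread converges on, as an added example (not from the original posts, and not CRM's own code): a simplified Python model that assumes each principal's Write depth is evaluated separately (the user's own role, then each team's role) and the results are unioned. The names `Depth`, `Principal`, `can_write`, the business unit `BU1` and the two-user scenario are illustrative assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Depth(IntEnum):
    USER = 1           # only records the principal itself owns
    BUSINESS_UNIT = 2  # records owned by anyone in the principal's business unit
    ORGANIZATION = 3   # every record

@dataclass(frozen=True)
class Principal:        # a user or a team; both can hold roles and own records
    name: str
    business_unit: str
    write_depth: Depth  # Write depth on EntityA from the assigned role
    teams: tuple = ()   # team memberships (empty for a team)

def grants_write(principal, owner):
    """Does this one principal's role allow writing a record owned by `owner`?"""
    if principal.write_depth == Depth.ORGANIZATION:
        return True
    if principal.write_depth == Depth.BUSINESS_UNIT:
        return owner.business_unit == principal.business_unit
    return owner.name == principal.name

def can_write(user, owner):
    """Union of what the user's own role and each of their teams' roles grant."""
    return any(grants_write(p, owner) for p in (user, *user.teams))

def build(depth):
    """Constructed scenario from the thread: one business unit, same role everywhere."""
    team_a = Principal("TeamA", "BU1", depth)
    team_b = Principal("TeamB", "BU1", depth)
    users = {
        "UserA1": Principal("UserA1", "BU1", depth, (team_a,)),
        "UserB1": Principal("UserB1", "BU1", depth, (team_b,)),
    }
    return team_a, team_b, users

def writers(depth, owner_name):
    """Names of the users who can write a record owned by the named team."""
    team_a, team_b, users = build(depth)
    owner = team_a if owner_name == "TeamA" else team_b
    return sorted(n for n, u in users.items() if can_write(u, owner))

if __name__ == "__main__":
    for depth in (Depth.USER, Depth.BUSINESS_UNIT):
        print(depth.name, "-> writers of a TeamA-owned record:", writers(depth, "TeamA"))
```

Under this model, giving the user and the team the same User-depth role does not widen the depth; cross-team writes appear only when the role's Write depth is Business Unit or higher.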