locked
Restrict Delete without using Security Roles (2) RRS feed

  • Question

  • Hi,

    I need to implement a requirement that states: Users should have read and write privileges on an entity, but would have the delete privilege if only the user is the creator of the record or if the user is the System Administrator.

    The implication is that the entity would be visible by default, but a delete operation triggers the evaluation of the user's security role and privileges, to check whether it is the user who created the record or the user is the Administrator.  This would be achieved without using security roles, but with plugin. 

    I created the Journey entity, and here is my code which is not giving me the desired result. 

    namespace JourneyTeam.Xrm
    {
        //Generated fromm the Dynamics 365 Plugin project templates
        public class RestrictDeleteIfUserNotAdministrator : IPlugin
        {
            public void Execute(IServiceProvider serviceProvider)
            {
                IPluginExecutionContext context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
                IOrganizationServiceFactory factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
                IOrganizationService service = (IOrganizationService)factory.CreateOrganizationService(context.UserId);
                ITracingService tracingservice = (ITracingService)serviceProvider.GetService(typeof(ITracingService));
                if (context.InputParameters.Contains("Target") && context.InputParameters["Target"] is Entity)
                {
                    Entity entity = (Entity)context.InputParameters["Target"];
                    if (entity.LogicalName != "journey" || entity.LogicalName != "roleprivileges")
                        return;  
                        try
                    {
                        Entity journey = new Entity("task");
                      
                        Entity roleprivileges = new Entity("task");
                        // if (context.User != context.Attribute("createdby") || context.User != context.Role("administrator"))
                       // if (journey["user"].role != "systemadministrator")
                       if (journey["user"] == journey["createdby"] ||
                            journey["user"] == journey["administrator"])
                        {
                            roleprivileges["delete"] = "deep";
                            roleprivileges["read"] = "deep";
                            roleprivileges["write"] = "deep";
                        }
                        else
                        {
                            roleprivileges["delete"] = "none";
                            roleprivileges["read"] = "deep";
                            roleprivileges["write"] = "deep"; ;
                        }
                    }              
                        catch (FaultException<OrganizationServiceFault> ex)
                        {
                        throw new InvalidPluginExecutionException("You do not have the security role to delete this record. Please, contact the Administrator.", ex);
                        }                 
                    }
                    }
                }
            }
       

    I'll appreciate any help, please.

    Thanks.

    Longinus.


    LOE

    Monday, February 13, 2017 3:41 AM