Security - Ownership of records

  • Question

  • ** sigh ** Every time I think I have a handle on security, it turns out I don't.

    I have two business units.  For simplicity call it BU1 and BU2.

    I have an entity that only members of BU1 should be able to own, but BU2 should be able to read the records (but not own them).

    So I have permissions on a team in BU1 set up so users can assign those records, and then users in BU2 can view them.

    Is there a security permission around who can actually own the record?  As far as I've been able to tell, as long as members of BU1 can assign these records, they can assign them to anyone who has the rights to read the record (regardless of what BU that person is in).

    This is causing me headaches.  Basically they can assign the record to someone who should only be able to read it, as well as assign them to a user in a higher/parent BU, which effectively makes the record disappear for them (because they can only view records within their own BU).

    Is there a way to lock this down so they can't assign records to anyone or any team outside of the BU?  Do I need a plugin for that or does the OOTB security model support it?


    Monday, March 24, 2014 4:51 PM

All replies

  • Hi MProper,

    Not sure if I understood it correctly but if the concerned entity has ownership as 'User or Team' and the Security Roles for the users (who are supposed to be able to read only) has 'Assign To' permissions blanked out, they cannot be assigned the records.



    Monday, March 24, 2014 5:03 PM
  • Restricting the User's assign privileges by tightening the security roles would affect all the entities. This will need a lot of testing to ensure your existing functionality doesn't break. Would prefer doing this check in a pre-assign plugin. In the plugin, retrieve the BU of the AssignedTo user and take required action.



    • Proposed as answer by Mamatha Swamy Monday, March 24, 2014 5:57 PM
    Monday, March 24, 2014 5:57 PM
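
The pre-assign check suggested in the reply above could look like the following. This is an added example, not code posted in the thread. It assumes the step is registered on the Assign message, pre-operation, for the restricted entity; the class name is hypothetical, and comparing against the calling user's business unit is an assumed policy.

```csharp
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Hypothetical plugin class (name is illustrative).
// Assumed registration: message Assign, pre-operation, on the restricted entity.
public class RestrictAssignToSameBusinessUnit : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)
            serviceProvider.GetService(typeof(IPluginExecutionContext));

        if (context.MessageName != "Assign" ||
            !context.InputParameters.Contains("Assignee"))
            return;

        // The Assign request carries the new owner (systemuser or team) as "Assignee".
        var assignee = context.InputParameters["Assignee"] as EntityReference;
        if (assignee == null)
            return;

        var factory = (IOrganizationServiceFactory)
            serviceProvider.GetService(typeof(IOrganizationServiceFactory));

        // null = run the lookup as SYSTEM, so it succeeds even when the caller
        // cannot read users or teams outside their own business unit.
        IOrganizationService service = factory.CreateOrganizationService(null);

        // Both systemuser and team have a businessunitid lookup.
        Entity owner = service.Retrieve(
            assignee.LogicalName, assignee.Id, new ColumnSet("businessunitid"));
        var assigneeBu = owner.GetAttributeValue<EntityReference>("businessunitid");

        // context.BusinessUnitId is the business unit of the user making the request.
        // Fail closed: block the assign if the BU is missing or different.
        if (assigneeBu == null || assigneeBu.Id != context.BusinessUnitId)
        {
            throw new InvalidPluginExecutionException(
                "Records of this type can only be assigned to users or teams " +
                "in your own business unit.");
        }
    }
}
```

Throwing `InvalidPluginExecutionException` in a pre-operation step cancels the assignment and shows the message to the user.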
  • Thanks.

    Just to clarify, this is how it's set up currently:

    • User1 is in BU1 and has Read/Assign To functionality, both at the BU (half-circle) level.
    • User2 is in BU2 and has Read rights only to the entity.

    User1 is still able to assign the records to User2.  So even with Read Only rights User2 can still own these records.

    Mamatha - are you saying there's more of a global "Assign" permission that I might be missing?  I'm ok doing the plugin, but don't want to go down that road if I don't have to.

    Monday, March 24, 2014 6:12 PM
  • Hi MProper,

    One more thing to clarify, are both B1 and B2 at the same level or is one the parent of another?



    Monday, March 24, 2014 6:27 PM
  • They are both at the same level (under the same parent)

    Monday, March 24, 2014 6:39 PM
  • There is no global Assign privilege. What I meant was to limit the users' Read access on the 'User' entity so that they can only see users from the same BU. This would prevent assigning records to users from other BUs.


    Monday, March 24, 2014 11:35 PM