Does the MetadataService apply roles and permissions?

  • Question

  • I am trying to retrieve the "regardingobjectid" targets on the "task" entity using LookupAttributeMetadata. I'd expect this target list to be different for each user based on roles, but it appears that the same list is returned independent of the authenticated user.

    I set the user on the service

    mdSevice.Credentials = new System.Net.NetworkCredential(user, password, domain);

    For one user who does not have "leads" and cannot access leads in the CRM application, the metadata target list is still returning leads.

    Does the metadata service not apply roles? Is there something I am missing?

    Thanks

    Jason

     

    Friday, July 2, 2010 5:59 PM

Answers

  •  

    Maybe too late for the original poster, but I think the MetadataService does not filter the entities returned based on security role. I.e. If a user has Read permission on Entity, then a RetrieveEntityRequest will return a list of all entities, irrespective of their other permissions


    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Friday, July 30, 2010 2:20 PM
    Moderator

All replies

  • Hi Jason,

    if you use this.

    mdSevice.Credentials = new System.Net.NetworkCredential(user, password, domain);

    it will use the username you specified (above) to retrieve/execute the request on CRM, so you will always get the same results.

    instead of above use this.

    mdSevice.Credentials = System.Net.CredentialCache.DefaultCredentials;


    Muhammad Ali Khan
    http://malikhan.wordpress.com
    Friday, July 2, 2010 6:16 PM
  • Hi Muhammad,

     

    Sorry if I was not clear. I am using different user/password combinations for the tests. For one test I pass in an admin user, for another I pass in a user with a much lesser role who does not have access to the entities specified, but the meta service is still returning them as if I had access to them.

    Tuesday, July 6, 2010 1:41 PM
  • Hi,

    A user does not have access to the Metadata Service by default. You need to assign read access to Entity, Attribute and Relationship in the Customization tab of the security role and then it will work fine. Only the System Administrator and the System Customizer role have these privileges set by default.

    I think you must have the above 3 permissions set for some of your roles. Could you check it?

    Also read this.

    http://www.techtalkz.com/microsoft-dynamics-crm/384992-crm-4-what-roles-does-user-need-read-metadata-service.html

    http://social.microsoft.com/Forums/en-US/crmdevelopment/thread/a95e7165-67bc-4b84-b236-08b427e0612d

     


    Muhammad Ali Khan
    http://malikhan.wordpress.com
    Tuesday, July 6, 2010 1:51 PM
  • Muhammad,

    I appreciate your responses but maybe my question was not clear enough. You are responding as if I have not authenticated with a different user and as if I do not have access.

    My specific question is I am not seeing different target list on "regardingobjectid" of the task entity for each authenticated user. I was wondering if this is normal or if I am possibly doing something incorrectly or looking in the wrong spot.

    Admin user I see:

    contact,invoice,opportunity,campaign,account,quote,lead,contract,salesorder,incident

    Normal user with no access to leads and other entities I see the same target list (I'd expect to see a subset).

    contact,invoice,opportunity,campaign,account,quote,lead,contract,salesorder,incident

    Thanks again

    Jason

    Tuesday, July 6, 2010 2:21 PM
  • Hi

    My above answer was on how your user has access to the meta data.

    If any user is to have access to the meta data, he needs access to these three. Open your security role ==> go to the Customization tab

    1) Entity (check if the role has access on the read/write here or not)

    2) Attribute (check if the role has access on the read/write here or not)

    3) Relationship (check if the role has access on the read/write here or not).

    Now regarding your problem, you said that the role doesn't have permission on the contact entity (and others). This means he cannot read the DATA (meaning the contact entity instances) of the contact entity, BUT if he has the permission on the 3 things I described above he can still access the contact entity META DATA.

    So in brief, your role has NO access on contact Entity Records, but it has access on contact Entity Meta Data because of the above three settings.

    I hope it is clear.

     


    Muhammad Ali Khan
    http://malikhan.wordpress.com
    Tuesday, July 6, 2010 3:07 PM
  • Yes, I understand everything you are saying. Salesforce.com API meta data calls apply profiles/roles/permissions; I was expecting Microsoft to do the same.

    From your comments it appears it doesn't and there is no way via the API for me to tell that userA can only have "contact,invoice" added to the "regardingobjectid" of the task entity.

    The issue is that I want to show only the valid options to each user, i.e. userA would only see "contact,invoice" instead of "contact,invoice,opportunity,campaign,account,quote,lead,contract,salesorder,incident". Obviously the CRM application does this but maybe the API doesn't expose this.

    Tuesday, July 6, 2010 5:55 PM
  • I think MS CRM will only show you (whether data or meta data) that which you have access to. Secondly, as I said, data and meta data access are separately configured on the role.

    So yes, if you don't want the API to retrieve the meta data then you have to remove the three permissions as described above.


    Muhammad Ali Khan
    http://malikhan.wordpress.com
    Tuesday, July 6, 2010 6:12 PM
  • Muhammad is right, but the availability is defined by the "Append To" privilege for any of the target entities. If you can't "append to" it, you can't select it as a valid record type for Tasks/Activities. This also controls any other form of "child" record, so be careful.
    Dave Berry
    Tuesday, July 6, 2010 6:19 PM
    Moderator
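
The per-user filter implied by the "Append To" point above, as an added example that is not part of any post in this thread: it narrows the role-independent target list returned by the metadata call to the entities the calling user may append to. It assumes the caller has already collected each target entity's Append To privilege id (for instance from EntityMetadata.Privileges retrieved with EntityItems.IncludePrivileges) and the privilege ids the user holds (for instance from RetrieveUserPrivilegesRequest on the CrmService); the class name, method name and GUIDs are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

static class RegardingTargetFilter
{
    // targets: LookupAttributeMetadata.Targets for task.regardingobjectid (not filtered by role).
    // appendToPrivilege: entity logical name -> id of that entity's "Append To" privilege.
    // userPrivileges: privilege ids the calling user holds through their security roles.
    public static List<string> AllowedTargets(
        IEnumerable<string> targets,
        IDictionary<string, Guid> appendToPrivilege,
        ICollection<Guid> userPrivileges)
    {
        List<string> allowed = new List<string>();
        foreach (string entity in targets)
        {
            Guid privilegeId;
            // Fail closed: an entity whose Append To privilege is unknown is not offered.
            if (!appendToPrivilege.TryGetValue(entity, out privilegeId)) continue;
            if (userPrivileges.Contains(privilegeId)) allowed.Add(entity);
        }
        return allowed;
    }

    static void Main()
    {
        // Constructed sample data; the GUIDs are placeholders, not real privilege ids.
        string[] targets = { "contact", "invoice", "lead", "account" };
        Dictionary<string, Guid> appendTo = new Dictionary<string, Guid>();
        foreach (string t in targets) appendTo[t] = Guid.NewGuid();
        appendTo.Remove("account"); // simulate an entity with missing privilege metadata

        // userA holds Append To on contact and invoice only.
        HashSet<Guid> userA = new HashSet<Guid>();
        userA.Add(appendTo["contact"]);
        userA.Add(appendTo["invoice"]);

        List<string> visible = AllowedTargets(targets, appendTo, userA);
        Console.WriteLine(string.Join(",", visible.ToArray()));
    }
}
```

The filtered list only decides what a custom UI offers; the platform's own privilege check when the task is saved remains the enforcement point.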
  • I have tested many times and I am convinced the MetaDataService does not apply user roles when returning the meta data. I have a user with access to only Contact and Account, yet the MetaDataService returns everything.

    Muhammad, you said "I think MS CRM will only show you (whether data or meta data) that which you have access to."

    This does not appear to be the case. Please tell me if you are able to get that working.

    Monday, July 12, 2010 3:00 PM