extending the security role entity

  • Question

  • I want to extend the security role entity to include some custom permissions relating to my business.  
    For instance, I might want to add things like 'Can approve an order of up to X $' or 'can update leads whose name begins with Y' (just some examples, of course).  
    I will then use these permissions in workflows, plugins and iframes which I will develop.  

    I haven't found a good way to do it - as far as I can tell, the `security role` entity is not customizable, so I can't add any fields to it.  
    I thought about creating a custom entity `Role extension` which will hold this data for me and will have a 1:1 relationship with `security role`. However, I haven't been able to find a way to create a relationship with the `role` entity.  

    Does anyone have any thoughts?
    Thursday, June 20, 2013 9:14 AM

All replies

  • Hi,

    You are right, the role entity cannot be customised, nor can it be linked to through a relationship.

    You will have to use a convention for your custom permissions, and I think the key differentiator is whether you want to include your custom permissions in a solution export.

    Option 1 - (Most flexible, easiest to configure and query but will not be included in solution export)

    Create a custom entity that contains boolean fields for all of your custom permissions and create a N:N relationship to User. This way you can simply associate a custom role record to each user specifying their permissions. You can then query the permissions using the SDK. The custom role could also be searched via Advanced find etc - but role definitions can't be included in a solution export.

    Option 2 - (Can be included in a solution export)

    Create custom entities, and use them only to define your permissions (no records would be created for these entities). Each custom entity will appear in the role config page and you can designate each privilege (Create, Read, Update, Assign etc.) as a different function. So you could say if the user can Create the custom entity, they can approve orders up to X$, if they can Update, they can approve up to Y.

    These role definitions would then be included in your solution - but obviously it makes it a bit cryptic to configure for administrators since they would always need to know the mappings. You could create a separate entity for each unique permission, but it might create lots of entities that would clutter up your solution depending on the number.

    hth


    Scott Durow
    Blog www.develop1.net    Follow Me
    Rockstar365
    If this post answers your question, please click "Mark As Answer" on the post and "Mark as Helpful"

    Thursday, June 20, 2013 10:07 AM
    Answerer
  • Thanks for the reply, Scott.

    Unfortunately I don't think any of these solutions can work for me; firstly, the ability to export these permissions is a must-have, so option #1 is not possible for me.

    Option #2 is also not possible, since these permissions need to be configurable, i.e. 'can approve up to X$' where X is configurable for each role in each organization (salesperson in org. 1 - 700$, team lead in org. 1 - 5000$, salesperson in org. 2 - 250$ etc.).

    The best idea I came up with so far was to create a new entity 'security role extension' which will hold the field 'X', and all other configurable permissions stuff, and the role ID as a plain text field which will hold the role id (Guid), and try to 'mimic' a lookup behavior on the client-side using javascript.

    Thursday, June 20, 2013 11:10 AM
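The lookup that the 'security role extension' design above needs, as an added example that is not code from the thread: resolving a user's approval limit from records that hold the role id as plain text. The field names `roleIdText` and `approvalLimit`, the function names and the GUIDs are hypothetical. Because a text field accepts any GUID formatting (braces, upper or lower case) and any typo, ids are normalised before comparison and a user whose roles match no record gets a limit of 0.

```javascript
// Added example: hypothetical names, constructed records (amounts from the post).
// Canonical form for a role GUID kept in a text field: lowercase, no braces.
function normalizeGuid(value) {
  if (typeof value !== "string") return null;
  const m = /^\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?\s*$/i.exec(value);
  return m ? m[1].toLowerCase() : null;
}

// Index 'security role extension' records by role id. Malformed records are
// set aside for review instead of being guessed at.
function indexExtensions(records) {
  const limits = new Map();
  const rejected = [];
  for (const rec of records) {
    const id = normalizeGuid(rec.roleIdText);
    const limit = rec.approvalLimit;
    if (id === null || !Number.isFinite(limit) || limit < 0) {
      rejected.push(rec);
      continue;
    }
    // Two records for the same role: keep the lower limit.
    limits.set(id, limits.has(id) ? Math.min(limits.get(id), limit) : limit);
  }
  return { limits, rejected };
}

// Highest limit granted by any of the user's roles; 0 when none has a record.
function effectiveApprovalLimit(userRoleIds, limits) {
  let best = 0;
  for (const raw of userRoleIds) {
    const id = normalizeGuid(raw);
    if (id !== null && limits.has(id)) best = Math.max(best, limits.get(id));
  }
  return best;
}

function canApprove(orderTotal, userRoleIds, limits) {
  return Number.isFinite(orderTotal) && orderTotal >= 0 &&
    orderTotal <= effectiveApprovalLimit(userRoleIds, limits);
}

// Constructed sample data: GUIDs are made up.
const SAMPLE_RECORDS = [
  { roleIdText: "{11111111-AAAA-4BBB-8CCC-000000000001}", approvalLimit: 700 },
  { roleIdText: "11111111-aaaa-4bbb-8ccc-000000000002", approvalLimit: 5000 },
  { roleIdText: "not-a-guid", approvalLimit: 9999 },
];
```

A form script can use this result only to show or hide the approval section; for the limit to be enforced, the same check has to run in the plugin that handles the approval.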
  • Hi,

    Ok. That option would effectively still be the same as my option 1 since your custom entity records won't export with your solution - you would need to import the records separately via data management or the sdk.

    hth


    Scott Durow

    Thursday, June 20, 2013 11:28 AM
    Answerer
  • But with one important difference - it will be related to 'role' and not to specific users, making it much easier to manage.
    Thursday, June 20, 2013 12:44 PM
  • You can meet both of your requirements using JS.

    On load of the Order form, check the security role and make the approval section of the order visible/hidden based on the role.

    On load of the Lead form, check the security role; if the name of the lead starts with Y, then make the form editable/readonly based on the role.


    Regards Faisal

    Thursday, June 20, 2013 3:55 PM
  • Yes, I see - since you only need to assign to a role and the roles are assigned to users.

    That doesn't get round the issues about exporting/importing with solutions. Option #2 is the only way to do that unless you create a plugin to automatically create records when the solution is imported.

    hth


    Scott Durow

    Thursday, June 20, 2013 4:16 PM
    Answerer