Trying to limit field security to owner of record using PrincipalObjectAttributeAccess

  • Question

  • I've got a field on an appointment entity - PrivateNotes. I only want to allow the OWNER of the field to be able to read & update this field. So, field security will not suffice.

    I googled this question, and found some code that uses PrincipalObjectAttributeAccess to restrict an individual field's security to just the owner, however I can't get the code to work, and I've tried several ways. PrincipalObjectAttributeAccess is new to me, I never heard of it before today.

    Here is the simplest version I found:

        private void ShareSecureFieldWithOwner(Entity record)
        {
            // Any method that helps you find the AttributeMetadata Id
            var attributeId = FindSecuredAttribute();

            if (attributeId != Guid.Empty)
            {
                var userAccess = new PrincipalObjectAttributeAccess
                {
                    AttributeId = attributeId,
                    ObjectId = record.ToEntityReference(),
                    PrincipalId = record.OwnerId,
                    UpdateAccess = true,
                    ReadAccess = true
                };

                context.AddObject(userAccess);
                context.SaveChanges();
            }
        }

    2 main problems with this:

    1. I don't know how I'm going to implement FindSecuredAttribute.

    2. It's telling me that I'm missing a reference or assembly, as it doesn't recognise PrincipalObjectAttributeAccess. I'm trying to find what using statement/namespace/reference I need for this, but can't find anything.

    Here are the current using statements I have:

    using Microsoft.Xrm.Sdk;
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Threading.Tasks;

    I REALLY don't know what I'm doing here, so I need the simplest explanation possible!

    Thanks.

    Wednesday, August 14, 2013 10:06 AM
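
A late-bound version of the snippet in the question, as an added example that is not part of the original post or of the code the asker found: it looks up the attribute's metadata id with `RetrieveAttributeRequest` and creates the `principalobjectattributeaccess` record through the generic `Entity` class, so no generated early-bound types are needed. The class name `SecuredFieldSharing` and the parameter names are assumptions made for illustration; the attribute's logical name is supplied by the caller.

```csharp
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Messages;
using Microsoft.Xrm.Sdk.Metadata;

// Hypothetical helper class, written for this example.
public static class SecuredFieldSharing
{
    // Returns the MetadataId of the attribute, or Guid.Empty when the
    // attribute does not have field-level security enabled.
    public static Guid FindSecuredAttribute(IOrganizationService service,
        string entityLogicalName, string attributeLogicalName)
    {
        var request = new RetrieveAttributeRequest
        {
            EntityLogicalName = entityLogicalName,
            LogicalName = attributeLogicalName,
            RetrieveAsIfPublished = true
        };
        var response = (RetrieveAttributeResponse)service.Execute(request);
        AttributeMetadata metadata = response.AttributeMetadata;

        if (metadata.IsSecured != true || !metadata.MetadataId.HasValue)
            return Guid.Empty;
        return metadata.MetadataId.Value;
    }

    // Grants read and update on one secured field of one record to the
    // record's owner only.
    public static void ShareSecureFieldWithOwner(IOrganizationService service,
        Entity record, string attributeLogicalName)
    {
        Guid attributeId = FindSecuredAttribute(
            service, record.LogicalName, attributeLogicalName);
        var owner = record.GetAttributeValue<EntityReference>("ownerid");
        if (attributeId == Guid.Empty || owner == null)
            return; // nothing to share, or ownerid was not retrieved

        // Late-bound equivalent of the PrincipalObjectAttributeAccess class.
        var access = new Entity("principalobjectattributeaccess");
        access["attributeid"] = attributeId;
        access["objectid"] = record.ToEntityReference();
        access["principalid"] = owner;
        access["readaccess"] = true;
        access["updateaccess"] = true;
        service.Create(access);
    }
}
```

The record passed in must have been retrieved with `ownerid` in its column set, and users who hold a field security profile covering the attribute keep their access regardless of this share.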

All replies

  • As an alternative approach, you could add a new custom entity called something like 'Appointment Notes' or 'Private Notes' and then create a relationship to appointment so that users can create/read the notes against an appointment.

    You can then lock down security so that users can only read/write/update/append records they own. You can then give the relationship with appointment parental behaviour so that if the appointment is reassigned, so are the notes.

    Hope that helps

    Paul



    Thursday, August 15, 2013 6:57 AM