I have a secured field on Dynamics CRM.
I was wondering, when I select the “share secured fields” button from a record and share a secured field with another user:
1) Does this share the secured field for that particular record ONLY, or does this share the secured field to ALL records that have that secured field?
2) Also, if a user has update permissions to the secured field, can they share the field with other users or teams? If they can, what is the best way to restrict this?
Does this share the secured field for that particular record ONLY or does this share the secured field to ALL records that have that secured field?
Not for all records; the user will be sharing the secured fields of that particular record with the peers they want. The popup header clearly calls this out.
Also if user has update permissions to the secured field can they share the field to other users or teams if they can what is the best way to restrict?
There is a separate privilege in security roles to control users from sharing the secured fields. Remove that privilege to restrict them. This is different from FLS rights in fields.
I wanted to know on which entities a user has read access by default when no security role is assigned to the user.
I wanted to know because any user who does not have any security role can still access the case & accounts entities through Advanced Find! Is this expected behavior? If yes, is this documented anywhere?
All users must be assigned to at least one security role in order to have access to Dynamics 365. The security roles can be assigned to the user directly or to the access team he belongs to.
Can you double-check the security roles assigned to the user and verify the team's security roles?
The user has to have a security role assigned to get into CRM. Check existing teams to see if the user is a member of any; he/she will also have access to the records shared with him/her. Which entities the user can access is based on the roles/teams he/she has been assigned. Check the role/team settings for details.
In Dynamics 365 CRM, I want to grant read-write access to a specific record of an entity to a D-365 user who does not have those privileges.
I did that by assigning some sort of security roles to that user. But I can't do that by modifying security role.
So how can I do that without assigning security role?
You can achieve the same share functionality in code using GrantAccessRequest; refer to my other Stack Overflow answer for a C# plugin example.
For the Web API, your org has to be greater than v9.0, as the GrantAccess message was not available in the Web API till v8.2.
Still, to achieve this object-based security model, you should give users the privilege to read-write that entity's records through the role-based security model. Without the user having the entity edit privilege in a security role, they cannot edit just by getting the record shared.
Read more: Use record-based security to control access to records
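The Web API form of the GrantAccess call mentioned in the answer above, as an added Python example that is not part of the original answer. The helper names, the `allow_reshare` guard, the sample URL and GUIDs are constructed for illustration, and the primary key is assumed to be `<table>id`.

```python
import uuid

# AccessRights flag names accepted in PrincipalAccess.AccessMask.
ACCESS_RIGHTS = ("ReadAccess", "WriteAccess", "AppendAccess", "AppendToAccess",
                 "CreateAccess", "DeleteAccess", "ShareAccess", "AssignAccess")
# Rights that let the grantee pass the record on; refused unless asked for.
RESHARE_RIGHTS = {"ShareAccess", "AssignAccess"}


def _ref(table, record_id):
    """Entity reference as the Web API expects it inside an action body."""
    # Assumption: the primary key attribute is "<table>id" (true for account,
    # systemuser and team; not for activity tables).
    return {"@odata.type": f"Microsoft.Dynamics.CRM.{table}",
            f"{table}id": str(uuid.UUID(record_id))}  # raises on a bad GUID


def build_grant_access(org_url, table, record_id, principal_table,
                       principal_id, rights, allow_reshare=False):
    """Return (url, body) for POSTing the unbound GrantAccess action."""
    rights = set(rights)
    unknown = rights - set(ACCESS_RIGHTS)
    if unknown or not rights:
        raise ValueError(f"invalid access rights: {sorted(unknown)}")
    if rights & RESHARE_RIGHTS and not allow_reshare:
        raise ValueError("ShareAccess/AssignAccess need allow_reshare=True")
    body = {
        "Target": _ref(table, record_id),
        "PrincipalAccess": {
            "Principal": _ref(principal_table, principal_id),
            "AccessMask": ", ".join(r for r in ACCESS_RIGHTS if r in rights),
        },
    }
    return f"{org_url.rstrip('/')}/api/data/v9.0/GrantAccess", body


# Constructed sample values (not from a real organization).
url, body = build_grant_access(
    "https://contoso.example", "account",
    "11111111-1111-1111-1111-111111111111", "systemuser",
    "22222222-2222-2222-2222-222222222222", {"ReadAccess", "WriteAccess"})
```

The returned body is sent as JSON in an authenticated POST to the returned URL; as the answer notes, the share only takes effect for rights the user's security role already allows on that entity.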
If you do not wish to change/update your security Roles, then you can do so by sharing a particular Record with either a Team or a User. The 2 images below will help explain how to share a Record.
Now, the process below is manual, and you could achieve this process programmatically as well using C#, i.e. server-side coding.
Note:
If this solves your problem do mark this answer as solved.
As I understand, we can access records created by Portal users and their respective Entity Permissions apply for them. However, I wanted those users to be able to even access records which were created by CRM users within Dynamics 365 (and not records created from Portal by a Portal user which is assigned to System)
Is this possible? If yes, how can I achieve that?
Thanks in advance!
It does not matter who created the record; what matters is whether that user has access to it. It would not make much sense to show only records that were created by the portal users - how would you then handle something like Customer Service (on one end users use the portal, but on the other they are using CRM; both are creating records).
So basically I'm not sure how aware are you of the configuration of permissions, but let's say that you configured that a Contact (which is a portal user) has access to all records "Cases" that are referencing this contact (this is simply configuration in Entity Permission record). If yes then contact will see records created by him and all other cases that are referencing him as a contact, so if you as a CRM user will create a Case for a Contact, this Contact will see the case.
I'm building an employee self service portal via Dynamics 365, and when I use the lookup field to display my name in a form other employee names are displayed too:
I've been fiddling with the security roles for a while now and still can't seem to get it to display a single employee name.
I'm also planning to do it a different way by filling up the employee name based on the username on the upper right.
How do you guys suggest I go about this?
First things first. Portals won't use any CRM Security role concepts as it's for CRM users. Portal is built on top of Contact entity. Contact is Portal user & Web role will control his/her access.
You have to use Entity Form Metadata to populate the fields per your need. The contact lookup can be filled in with the currently logged-in Portal user this way. You can even implement something like managing/restricting the Contacts to only those from your parent Account in that lookup easily.
I am working with the ServiceNow Rest Api. When a user provides username and password to connect to the rest api I need to validate whether the user can add/remove (Manage users) users in sys_user table. How can I do that check?
I was referring to the following Get table REST API request to check whether the user has the necessary roles:
https://.service-now.com/api/now/table/sys_user_has_role?sysparm_fields=role%2Crole.name%2Cuser%2Cuser.name%2Cuser.sys_id%2Cuser.department&sysparm_query=role%3D3d43716d0f6002003a2d47bce1050e0d%5EORrole%3Dac73b52d0f6002003a2d47bce1050eec&sysparm_display_value=true
What roles do I need to check? or is there an easier/better way to perform this (look for table permissions)?
Assuming an OOB configuration, your API User would need the user_admin role in addition to any soap / web services roles.
See these OOB ACLs on sys_user:
Create:
https://YOURINSTANCE.service-now.com/sys_security_acl.do?sys_id=f802c1d44f230200712553418110c752
Delete:
https://YOURINSTANCE.service-now.com/sys_security_acl.do?sys_id=93c234f1072200000ca55720e1021e5f
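One way to run the role check from the question against the `user_admin` role named in the answer, added here as an example and not taken from the original posts. It queries `sys_user_has_role` by role name instead of role sys_id; the function names, the user-name pattern and the sample response are constructed assumptions.

```python
import re
from urllib.parse import urlencode

REQUIRED_ROLE = "user_admin"  # role named in the answer (OOB configuration)
# Assumption: user names use only these characters. Rejecting everything else
# keeps "^" out of the encoded query, where it would start a new condition.
SAFE_NAME = re.compile(r"[\w.@-]+")


def role_query_url(instance, user_name, role=REQUIRED_ROLE):
    """Table API URL asking whether user_name holds the given role."""
    for value in (instance, user_name, role):
        if not SAFE_NAME.fullmatch(value):
            raise ValueError(f"unsafe value for query: {value!r}")
    params = {
        "sysparm_query": f"user.user_name={user_name}^role.name={role}",
        "sysparm_fields": "role.name,user.user_name",
        "sysparm_limit": "1",
    }
    return (f"https://{instance}.service-now.com"
            f"/api/now/table/sys_user_has_role?{urlencode(params)}")


def has_role(response_json, user_name, role=REQUIRED_ROLE):
    """True only if a returned row names this user and this role."""
    # Re-check both fields instead of trusting a non-empty result list.
    return any(row.get("role.name") == role
               and row.get("user.user_name") == user_name
               for row in response_json.get("result", []))


# Constructed sample response in the Table API's {"result": [...]} shape.
SAMPLE = {"result": [{"role.name": "user_admin",
                      "user.user_name": "api.user"}]}
can_manage_users = has_role(SAMPLE, "api.user")
```

The account that sends this request needs read access to `sys_user_has_role`; a request that fails or returns no rows should be treated as "role not held".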