Joomla Access Level not working as Expected - joomla

I have two users.
user1 - pkj#abc.com - user group and access level - Business Owner
Business Owners access level is only Business Owners
user2 - pkj#xyz.com - user group and access level - Registered
access level is registered, manager, super users
Now user1 can access the contents of both registered and business owner,
and user2 can access the contents of only registered and not business owner (which is correct as expected).
What I expect is that since business owner (user1) has not been given access for registered, he should not be able to access the contents of Registered.
Am I missing something?

It happens because the Business Owners group is a sublevel of Registered. You put Registered as its father group, so this group inherits all the privileges from Registered. Try putting Public as the father group of Business Owners.
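The inheritance the answer describes, as an added example (a simplified model written for this page, not Joomla's own code). The group tree and access-level contents are constructed from the question, and the function names are hypothetical.

```python
# Simplified model of viewing-access resolution with group inheritance.
# Group tree and access levels are constructed from the question above.
DEFAULT_PARENTS = {
    "Public": None,
    "Registered": "Public",
    "Manager": "Public",
    "Super Users": "Public",
    "Business Owner": "Registered",  # the setup described in the question
}
ACCESS_LEVELS = {
    "Public": {"Public"},
    "Registered": {"Registered", "Manager", "Super Users"},
    "Business Owner": {"Business Owner"},
}

def effective_groups(group, parents):
    """Return the group plus every ancestor it inherits from."""
    seen = set()
    while group is not None and group not in seen:  # guard against cycles
        seen.add(group)
        group = parents.get(group)
    return seen

def viewable_levels(user_group, parents, levels=ACCESS_LEVELS):
    """Access levels that list any of the user's effective groups."""
    groups = effective_groups(user_group, parents)
    return {name for name, members in levels.items() if members & groups}

def reparent(parents, group, new_parent):
    """Return a copy of the tree with one group moved under a new parent."""
    updated = dict(parents)
    updated[group] = new_parent
    return updated

if __name__ == "__main__":
    fixed = reparent(DEFAULT_PARENTS, "Business Owner", "Public")
    print(sorted(viewable_levels("Business Owner", DEFAULT_PARENTS)))
    print(sorted(viewable_levels("Business Owner", fixed)))
    print(sorted(viewable_levels("Registered", fixed)))
```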

Related

Lambda in a child account needs to get contact information using role in an administrative account

Today I have a very specific problem.
I have four accounts in my organization:
Account_000 - normal account
Account_001 - normal account child
Account_002 - Administrative Account
Account_003 - Root account
I have set up a cross account Role in Account_002 (administrative) with the following permissions:
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListParents",
"organizations:ListChildren",
"organizations:ListRoots",
"organizations:ListTagsForResource",
"organizations:DescribeOrganizationalUnit",
"account:GetContactInformation"
Account_001 has a lambda function that uses the cross account role from Account_002 to pull data about all accounts (except root account) into the organization. It pulls the following information: tags, account ID, join type, join time, account ARN number and Contact Information.
When I execute the function on Account_001, the lambda gets a "not authorized to get contact information" error.
I can get contact information from each of the accounts in organization using CLI from the root account.
I am unable to get contact information from any of the accounts using any other account than root.
How do I make sure that the Administrative account can access contact information about other accounts?
How do I make sure that the lambda function in Account_001 can access contact information from other accounts?
This will hopefully help to demonstrate what I am trying to accomplish.

On which entities does any user have read access when access is given to crm org?

I wanted to know on which entities a user has read access by default when no security role is assigned to the user.
I wanted to know because any user who does not have any security role can still access the case & accounts entities through advanced find! Is this expected behavior? If yes, then is this documented anywhere?
All users must be assigned to at least one security role in order to have access to Dynamics 365. The security roles can be assigned to the user directly or to the access team he belongs to.
Can you double-check the security roles assigned to the user and verify the team's security roles?
The user has to have a security role assigned to get into CRM. Check existing teams to see if the user is a member of any; he/she will also have access to the records shared with him/her. Which entities the user can access is based on the roles/teams he/she has been assigned. Check the role/team settings for details.

Creating a security role to be able to only create roles and users without having system admin role

CRM 2015: I want to be able to create a role for local IT to be able to add user accounts and assign roles.
Regarding the 'adding roles' portion, is it simple enough just to create a role for local IT to 'write' to 'security' roles in the 'business management' tab of 'security roles' at the user level?
No, this is not that simple. A user cannot give another user a privilege higher than he has (it would be a serious security hole). So for example you have a role to edit Security roles and you have Read access for Accounts in your Business Unit. If somebody in your Business Unit has no Read access and only User access, you can add him Read access for the Business Unit (the same you have), but you will not be able to give him Organizational access (so higher than yours). You could imagine that if this were possible, you would be able to basically give yourself Admin privilege and do whatever you want in CRM.
Knowing that, it should be possible for you to create a role that for example has full access to Accounts, Contacts, Custom entities etc. and Security Roles. This role would be able to modify other users' access levels to Accounts, Contacts etc. but no other entities that they don't have privilege to.
Exactly the same logic applies to assigning the Security Roles. So user A cannot assign a Security Role to user B if it gives user B privileges higher than User A has.
In the end, it is very hard to properly implement the scenario that you described, because there are so many privileges and a user needs to have a lot of them to even use the CRM. I've tried this once but could not satisfy the business requirement - it always ended up with using the System Admin role, because there was always some scenario that could not have been handled by a user with only this "specific" security modification role.
Assigning 'System Administrator' security role and changing Access Mode in user record to 'Administrative' helped me to achieve this. User still cannot access any transaction data. So, I think you can go for this approach.

Groups and Roles in cloudfoundry UAA

In our system we are currently using UAA for user authentication. There is also a need to put in place access control for resources. A resource is defined as a runtime entity created by a user. The access to the resource is dependent on which group he belongs to. In order to achieve that I want to create custom groups and roles in UAA and attach privileges to the groups and roles. Is there provision to add custom groups and roles in UAA? If not, how can it be done?
You can always add custom groups with REST APIs or commands.
Here is the command line example.
- Get the token for an admin client
uaac token client get admin -s adminsecret
- Create the group
uaac group add custom.group
- Add a user to the group
uaac member add custom.group user1
The user1 token will start showing the custom.group in its scope list.
You must of course also add the custom.group entry in the scope of the client you are requesting the token with. If the client does not have it in its scope list, the user1 token returned will also not show the custom.group in its scope.
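The scope behaviour described in the answer, together with a resource-side group check, as an added example (not UAA code and not part of the original answer). It is a simplified model: it assumes an HS256-signed token, uses a constructed key and hypothetical function names, and omits expiry and audience validation.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-signing-key"  # constructed; stands in for the token signing key

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user_groups, client_scopes, key=KEY):
    """Model of issuance: scope claim = user's groups that the client also lists."""
    scope = sorted(set(user_groups) & set(client_scopes))
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"user_name": "user1", "scope": scope}).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{b64url(sign(signing_input, key))}"

def authorize(token, required_group, key=KEY):
    """Resource-side check: verify the signature, then require the group."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return False  # pin the algorithm; never accept "none"
        expected = sign(f"{header_b64}.{payload_b64}", key)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False
        scope = json.loads(b64url_decode(payload_b64)).get("scope")
    except (ValueError, TypeError, AttributeError):
        return False
    # Require a list: a bare string would allow substring matches.
    return isinstance(scope, list) and required_group in scope

if __name__ == "__main__":
    with_scope = issue_token(["custom.group"], ["openid", "custom.group"])
    without_scope = issue_token(["custom.group"], ["openid"])
    print(authorize(with_scope, "custom.group"))
    print(authorize(without_scope, "custom.group"))
```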

Dynamic CRM 2013: Unable to show list of my custom entity after I've created it

I have configured a custom entity with two fields and visibility: business unit / parent child and without other relationships.
I've set up permission of a customer Role (ROLEA) to use the new entity (Business unit / parent child permission).
I've logged in with a user (USERA) belonging to that Role (ROLEA) and I can create a new entity, but when I come back to the list it's empty.
I've logged in with an administrator user and I see the new record.
The new record has owner USERA.
What am I missing?
thanks Ale
Solved!
After hours of trials I tried removing the user USERA from the security role (ROLEA) and adding it again to the same security role.
After that, I logged in with USERA and my data was correctly displayed in the list of new entities.
OK, I started with a couple of users, but what if I have thousands of users? Is there a method to refresh Security Role membership?
