I have users in a team having access to particular fields on lead, opportunity and account entities. I have few users who are in team they just need access to fields on lead and Opportunity entity not on account ?
I thought Ill use field level security on the fields to achieve this, having field level security will have effect other functionality in the system. Any thoughts on how to achieve this ?
Breaking down CRM security levels:
Role level - Entity level (e.g. access to Lead but not marketing list)
Record level - Read/Write/Access (e.g. read lead record but not modify them)
Field level - Field level show/hide (e.g. hide a lead's account field for certain users or team).
In your case, it depends on what defines having access (is it more of a don't need to see or a should not see scenario). If it is just a case of a set of users don't have to deal with certain fields use different CRM forms for different teams, if it is a case of they should not be seeing the data use field level security.
This also would hopefully answer "having field level security will have effect other functionality in the system?" questions, if field level security is implemented, the fields which are restricted read won't show up in the advanced find queries or reports for the users who are not assigned the field level security profiles. Also once you have secured the field, every new user or team needs the field level security profile assigned, else they won't be able to see the field.
Related
In my application the users are split in 2 macro categories: Customer and Backoffice, every category has a subset of role, for example MANAGER and USER for Customer type and different ones for the Backoffice type.
So a user could be a Customer with a MANAGER role or a Backoffice with, for example, a SALES role.
Every Spring + Cognito guide on web uses cognito:groups to map the Spring ROLE, but for my case I would need to nest groups which is not possible on Cognito.
I've been thinking to use 2 custom attributes ( writable only by the admin) to set the category and role of the user respectively.
My question is, is there any disadvantage to using attributes instead of the groups?
One major concern is, those custom attributes won't be available as claims in the access token. But groups are available. So If you plan to use acces_token you may have to consider that.
There are some other minor considerations that I can think of, which may or may not be related your implementation:
Maximum number of custom attributes per user pool is 50.
Once created, you can not edit the name, min/max length and mutable property of the custom attribute. Also we can not delete that.
Even though nested groups are not supported in Cognito, is it not an option to create groups like: category_role? example: Customer_ MANAGER?
I have created a custom entity in common data services(CDS) that streams in data from a survey.
I'll however need to give access to the data to various people. In my dataset, I have a column called community, which should represent which people have access to what data based on the community they've entered the column.
How exactly can I filter the data, after it has streamed in to ensure I only give access to people of a particular community. And yes every community is exclusive, no two people can be in two different communities.
I want to filter by the community, such that those in community A see only A and not B or C.
There’s no straight one step OOB configuration to achieve this. Because the row level security depends on the column value ie. community field value of each record.
One way is to create owner teams and add the users to right teams, then the custom entity record has to be owned by respective team - owner team of each custom entity record can be filled/assigned automatically based on the community field value on create using plugin/workflow/Flow.
Most important, in security role for that custom entity - read privilege has to be given only for user level. Assign the security role to Teams.
I will have two or 3 types of users on the front (Clients, Providers, and Manufacturers) and each user will have different set of features and data profile.
Which is the best strategy you imagine for creating the content types for each type of user?
In my head, I have in mind to create 3 content types related to Users and set a field for USERTYPE, and the front requests the rest of the profile on the other content type.
What do you think?
Also related to security, is it possible to set access to contents according to different user types?
Thank you.
It's depending of you want to do and depending of your application need.
You can also create roles, one for Clients, one for Providers and one for Manufacturers. You will be able to manage who can do what.
I have a Account Relationship entity with two lookup fields called Recipient Account and Guide Account. I would like to be able to go on an Account and see all records where the Account Relationship's Recipient Account and Guide Account are set to the account I'm viewing.
In CRM, I can definitely create a view to fetch all account relationships on the Account Relationship entity and then inside the Account entity's form I can include the view with the data source set to Related Records Only and the entity set to Account Relationship (Recipient Account). But I can't do both in a single view.
Through what mechanism can I have it all be in one view? One thing I was considering was creating separate grids, one for Recipient Account and another for Guide Account. But I want to know if there is a mechanism where I can combine all records that have "Recipient Account = Current Account or Guide Account = Current Account" that is basically the query I want to run.
You could use connections. It's pretty flexible and will fulfill your needs as long they stay simple. That's the only viable option I see aside from using two views.
Keep only one subgrid of Account Relationship N:N intersect entity (either Guide account or Recipient account relation)
Register RetrieveMultiple pre-operation plugin to intercept the query & pass the custom fetchxml query by incorporating or filter
Fetchxml has to be built something like explained
Try this unrecommended if you wish but two grids are better choice. This alternate solution also you can try.
For the accounts entity I have different account types.
However I need to make some of these records read only only based on the account type, as these records will be slaved in CRM.
However the user should still have ability to create other types of accounts that will be mastered in CRM.
I was thinking to do this via security role however when giving create or edit permission on the account entity user can still create accounts of any type or edit existing slaved data.
What would be the best way to make slaved data read only?
Use business rules to lock all fields based on the type?
Like you said, this cannot be achieved with security role, since the requirement is based on a field value.
Disabling all the form fields in bulk - You can do this in javascript quickly, or may be with Business rules one by one. Verify the field value on form load for your certain slaved value account type, then disable the controls by iterating each one of them.
Still subgrid, webresource, iframes will be editable.