Security Role is not Reflecting the changes to User - dynamics-crm

Question is regarding Dynamics CRM 2011. Let's suppose for User 'A' we change the security role from 'SR1' to 'SR2'. But when I log in with User 'A', it still shows all the access and privileges of 'SR1'.
If, after changing the security role from 'SR1' to 'SR2', I then do 'IISReset' and log in with User 'A', User 'A' now has the access and privileges of 'SR2'.
Why is it not working without 'IISReset'? Any idea?
Thanks in advance.

Have you tried clearing the browser cache after you switch the roles?

Related

On which entities does any user have read access when access is given to crm org?

I wanted to know on which entities a user has read access by default, initially, when no security role is assigned to the user.
I wanted to know because any user who does not have any security role can still access the case & accounts entities through advanced find! Is this expected behavior? If yes, then is this documented anywhere?
All users must be assigned to at least one security role in order to have access to Dynamics 365. The security roles can be assigned to the user directly or to the access team he belongs to.
Can you double-check the security roles assigned to the user and verify the team's security roles?
The user has to have a security role assigned to get into CRM. Check existing teams to see if the user is a member of any; he/she will also have access to the records shared with him/her. Which entities the user can access is based on the roles/teams he/she has been assigned. Check the role/team settings for details.

Spring how to make password on admin panel

I have spring security with 2 roles (ROLE_USER, ROLE_ADMIN).
Now, I want to implement an admin panel. I have already restricted access to the panel URL to users who have ROLE_ADMIN. But I want to make it extra secure.
When a user with ROLE_ADMIN opens the admin panel pages for the first time, he will have to enter an admin panel password. So, my question is: what is a good way to implement this feature?
Your suggested idea, making a user with role 'ROLE_ADMIN' re-enter his password, is used to secure in case of leaving your device unlocked. It is used for critical, high-potential actions like changing your mail password, which require something like token renewal. I think implementing two-factor authentication adds a second security layer.

Creating a security role to be able to only create roles and users without having system admin role

CRM 2015: I want to be able to create a role for local IT to be able to add user accounts and assign roles.
Regarding the 'adding roles' portion, is it simple enough just to create a role for local IT to 'write' to 'security roles' in the 'business management' tab of 'security roles' at the user level?
No, this is not that simple. User cannot give another user privilege higher than he has (it would be a serious security hole). So for example you have role to edit Security roles and you have Read access for Accounts in your Business Units. If somebody in your Business unit has no Read access and only User access, you can add him Read access for Business Unit (the same you have), but you will not be able to give him Organizational access (so higher than yours). You could imagine that if this would be possible, you will be able to basically give yourself Admin privilege and do whatever you want in CRM.
Knowing that, it should be possible for you to create a role that for example have full access to Accounts, Contacts, Custom entities etc. and Security Roles. This role would be able to modify other users access levels to Accounts, Contacts etc. but no other entities that they don't have privilege to.
Exactly the same logic applies to assigning the Security Roles. So user A cannot assign a Security Role to user B if it gives user B privileges higher than User A has.
In the end, it is very hard to properly implement the scenario that you described, because there are so many privileges and a user needs to have a lot of them to even use the CRM. I've tried this once but could not satisfy the business requirement - it always ended up with using the System Admin role, because there was always some scenario that could not have been handled by a user with only this "specific" security modification role.
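The rule this answer describes, as a simplified model (an added example, not Dynamics CRM code and not part of the original answer): a role can be handed out only if none of its privileges is deeper than what the assigner already holds. The privilege labels and sample roles are constructed for illustration; the level names follow CRM's access levels.

```python
from enum import IntEnum

class Depth(IntEnum):
    """CRM access levels, ordered from narrowest to widest."""
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD_BU = 3
    ORGANIZATION = 4

def effective(roles):
    """Roles are cumulative: per privilege, keep the deepest level any role grants."""
    merged = {}
    for role in roles:
        for privilege, depth in role.items():
            merged[privilege] = max(merged.get(privilege, Depth.NONE), depth)
    return merged

def excess_privileges(assigner_roles, role_to_assign):
    """Privileges the candidate role grants more deeply than the assigner holds."""
    held = effective(assigner_roles)
    return sorted(p for p, d in role_to_assign.items()
                  if d > held.get(p, Depth.NONE))

def can_assign(assigner_roles, role_to_assign):
    """True only when the assignment would not exceed the assigner's own access."""
    return not excess_privileges(assigner_roles, role_to_assign)

# Constructed sample roles (privilege labels are illustrative, not CRM names).
LOCAL_IT = {"read_account": Depth.BUSINESS_UNIT,
            "write_role": Depth.BUSINESS_UNIT,
            "assign_role": Depth.BUSINESS_UNIT}
BU_READER = {"read_account": Depth.BUSINESS_UNIT}
ORG_READER = {"read_account": Depth.ORGANIZATION}
SALES = {"read_account": Depth.USER, "read_opportunity": Depth.USER}

if __name__ == "__main__":
    for name, role in [("BU_READER", BU_READER), ("ORG_READER", ORG_READER),
                       ("SALES", SALES)]:
        blocked = excess_privileges([LOCAL_IT], role)
        print(name, "allowed" if not blocked else f"blocked by {blocked}")
```

The SALES case shows why such a delegated role grows so quickly: the assigner must itself hold every privilege contained in any role it hands out.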
Assigning 'System Administrator' security role and changing Access Mode in user record to 'Administrative' helped me to achieve this. User still cannot access any transaction data. So, I think you can go for this approach.

How to allow AD users the ability to change password if expired?

If you have an application that is being authenticated with Active Directory using Forms Authentication in MVC, how can you allow the user to change his password after it expires?
From what I am observing, if a user's password has expired, Membership provider will simply refuse to let you authenticate, thus not allowing the user to access the page. However, if I modify the page, to allow the user to go to it, and enter a user name, old password, and new password, it still seems to not work, just returning 'false' from the change password function.
Any insight or solutions on this?
Insight referring to scripts? If yes, please have a look at these links:
http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/17/how-to-change-a-user-s-active-directory-password-with-powershell.aspx
http://community.spiceworks.com/scripts/show/1889-reset-ad-user-password
Moreover, there are many self-reset solutions. Please update so that a name would be explained to you.
Thanks.

Dashboard is not loading for user with non-admin role

When I log in with the user who has a non-admin security role, the dashboard does not load and the browser hangs. But when I log in with a user who has the Admin role, it works fine. So, what's the issue in this scenario?
It seems a security issue. You will have to check the permissions for the role that the non-admin user has and check if there are limitations on the entity that is being displayed in the dashboard.
Maybe this link will help you: http://www.dynamicscrmtrickbag.com/2011/07/15/dynamics-crm-2011-charts-and-dashboards-who-can-see-what/
Hope this will be helpful.
EDIT: Maybe another role conflicts with the one of system admin that might also be possible
