What are Role Based forms
Microsoft Dynamics CRM allows configuration of security roles in Entity forms. It is quite a common requirement for organizations where they want users of two different security roles to see different fields and sections.
For ex, a Sales person would want to see only the Sales details on the form and a CEO/ Director wants more details in the form.
Also, there is a possibility that there are 2 product lines which have different set of fields for the same entity.
Alternative approaches
From the above requirements, most users will think that the above can be achieved using form customizations or JavaScript on the form.
While this is true, this approach is not a feasible one when the 2 versions of form which we create are a lot different from one another.
JavaScript should be used when there are only few fields which we need to show/ hide on the form based on Security Roles.
How to enable/ implement Role based forms
Using/ enabling security roles in forms is very straight forward, but we have to be careful to set/ remove the roles carefully for each form.
- I have created two contact forms as below. As you can also see, there is a button on the top of Form section “Enable Security Roles” which we will use to configure form security
Figure 1
- By default, both forms are accessible to all the security roles. We will now change the security roles for each of the form
- For “Contact Form”, we will provide access to only CEO – Business Manager, CSR Manager and Marketing Manager. So Users with roles other than these will not be able to access this form.
Figure 2
- And similarly I will configure the security roles for the “Contact v2” form. We will assign roles Salesperson and Marketing professional for this form.
Figure 3
So we have now created 2 forms which users with different security roles will access. But there are few OTHER things which we need to address before we complete this entire process
Things to consider
When we implement Role based forms, the following questions pop up in our mind, for which I have also mentioned the solutions
Q1. What if the User has 2 security roles and thus have access to both the forms?
A: The User will see both the forms and there is an option for user to choose one of the forms in the Top left corner. Refer screenshot below:
Figure 4
The answer to Q1 will pop up another question:
Q2. If the user has access to two forms, which form will be visible by default to the User?
A: There are 2 parts:
- User access the Entity form for the very first time
When a User access the entity form for the very first time, the default form which User will see will depend upon the Form Ordering. This can be checked in Entity customizations like below:
Navigate to Form Order à Main form set
Figure 5
Figure 6
- When User changes the Form from the Dropdown
Whenever user changes the Form from the Dropdown, CRM stores the user preference. So when the user logs in next time or navigate to the same entity form next time, CRM shows the form that the user has used previously and will ignore Form ordering for the particular user.
Q3: What if a User has access to the entity but has no Access to any of the forms for his Security Role?
A: CRM is very smart and handles this by using “Fallback” mechanism. When we configure the Security Role for a form, there is a checkbox at the bottom à “Enable Fallback”
As you can read from the Description in the screenshot, this form will be shown to the Users with roles that don’t have any forms assigned.
CRM makes it mandatory to select at least 1 form for fallback.
Figure 7
Q4: What if I don’t want to make any of my forms as Fallback forms?
A: This is a valid scenario as we don’t want the users who are not explicitly assigned any role on the form to see the form.
- As a workaround, we can create one form as a “Default Fallback” form which will not have any form fields (or 1-2 fields) and configure this form to be a fallback form.
- Additionally, we can add a web resource (HTML) in this form which says something like this:
“If you are seeing this form and do not have access to any other form for Contacts, Please contact Administrator.”
- Also, we should keep the Fallback form last in the Form Order.
This is how the fallback form would look like:
As for Forms, Dashboards in Dynamics 365 can also be enabled for only a set of selected Security Roles.
Unique ID
As for all records in Dynamics 365, each Security Role is assigned with a unique identifier and can be accessed through the Web API for example. The GUID can be found in the URL when opening a security role in Dynamics 365.
There is also an entity called “Privileges” in Dynamics 365. When an entity is created, there are 8 new “Privileges” records that are created – one per security role privilege. Each of these records has a GUID. When a user encounters an issue related to security roles privileges, the GUID is printed in the error log file.
Security in Microsoft World
Security Roles with privileges and access levels are specific to Dynamics 365. Security in other products of the Microsoft Family is managed differently, with each application having its one way to deal with data security and management.
For example, Sharepoint’s security contains Groups, Sites, and sharing capabilities and PowerBi makes usage of “Row-level security (RLS)”.
When combining such products together, the way to handle data security should be analyzed, defined, and discussed.
[1] When changing the business unit of a user, the associate security roles are removed. The user will not have access to Dynamics until a new role is assigned.
[2] While configuring hierarchical security, the parameter “Hierarchy Depth” controls direct manager’s access to the subordinate’s records of their subordinates. Configuring this depth above 5 can impact negatively the performance of the system. Microsoft recommends keeping the effective hierarchy security to 50 users or less under a manager/position.
[3] This Job Position Hierarchy is also used by the button “View Hierarchy” 
in the User entity.
No comments:
Post a Comment