So after my testing with role based security, it became obvious that the entities that are newly created should be given team or user based ownership to ensure the security would be used correctly.
However what if you already have entities created and are unwilling to drop and recreate the entity?
I have to preface this by saying this is unsupported by Microsoft but will do the trick.
The key is updating not only the customizations xml file but also the EntityView in the SQL database.
To do this you will need the proper role such as System Administrator.
Steps:
1. Gather the necessary xml needed to add owner columns and a team relationship. I find this easier if you can create a sample entity that is user or team owned and copy the specific xml. Always keep a backup of your initial solution to ensure you can roll back.
2. Locate the EntityView inside your database. Navigate to the specific entity in question. Notice the OwnershipTypeMask column. This will be set to 8 and will be updated to 1.
3. Update the EntityView record to OwnershipTypeMask to 1.
4. Once this is done, you can now push your updates to CRM using the solution. The next steps will help you attempt to locate the nodes you need to update.
5. Add the atrributes you gathered from the test entity. These include
OwnerId
OwnerIdName
OwnerIdType
OwnerIdYomiName
OwningBusinessUnit
6. Scroll to the <OwnershipTypeMask> node. If you are using a solution exported from before your sql change, you will have to change the value to say UserOwned.
7. Add to the EntityRelationship section of the file. Again, if you have the test entity do a search for team_ and it should find it. Duplicate this and insert accordingly.
I would only attempt this if you are familiar with modifying the customizations file extensively. One wrong move and you will have to try various routes to revert back.
It can be done but the road is slippery when wet! :)
Showing posts with label teams. Show all posts
Showing posts with label teams. Show all posts
Monday, April 9, 2012
CRM 2011: Utilizing Role Based Security to hide and show records
One of the interesting features of CRM 2011 is the expansion of the team concept in role based security.
In the past, ownership of a record was on a user or organization basis. However now, a team can now own a record which can affect everything from adding roles to teams instead of users to adding multiple teams to a user.
After testing out various theories using role based security, I have found that for a standard end user, implementing and maintaining roles for each is cumbersome. By removing roles from the user and adding them to the team, maintainability is often easier.
A useful way of implementing teams is allowing access to individual records in an entity. Each team can have certain access, such as read or write, but also you can hide individual records from users who shouldn't have access.
Example:
So say your three records consist of Photoshop, Final Cut Studio and Microsoft Office.
You would want Photoshop accessible by both since it runs on both Apple and MS software.
However you wouldn't want to see Final Cut Studio as a MS Employee not MS Office as an Apple Employee.
By following the above example, you can add users to teams associated to each record and they will only see the two specific records.
The reason they both see Photoshop is because its owned by the master BU which both BUs are a child of.
If implemented correctly, this feature can be utilized and all facets of CRM; including xRM, dashboards, reporting, etc.
Also if you have a developer or system admin user and want to see all records, simply add the system administrator role to the user.
If a role is set to a user, it will override any team roles.
Happy Coding!
In the past, ownership of a record was on a user or organization basis. However now, a team can now own a record which can affect everything from adding roles to teams instead of users to adding multiple teams to a user.
After testing out various theories using role based security, I have found that for a standard end user, implementing and maintaining roles for each is cumbersome. By removing roles from the user and adding them to the team, maintainability is often easier.
A useful way of implementing teams is allowing access to individual records in an entity. Each team can have certain access, such as read or write, but also you can hide individual records from users who shouldn't have access.
Example:
1.
Create 2 entities.
2.
Create 2 Business units.
a.
These
business units represent a client such as Apple and Microsoft.
b.
When
creating a business unit, you must declare a parent. The parent in this case
will be the master data. An example would be something like software.
3.
Create 2 Teams.
a.
These
teams are assigned to their respective Business Unit. This step is optional since creating a Business Unit above also creates a Team with the same name.
4.
Update a standard role in CRM to only show business unit when reading.
a.
This
is represented by the yellow half circle.
5.
Remove role from user.
a.
If
a role is set to the user, it will override roles implemented in the team.
6.
Add update role to the each team.
a.
This
step and the before mentioned are gotchas.
7.
Add three records to the team owned parent entity.
a.
Three
records were created, one owned by the master data team. One owned by Apple and
one by Microsoft.
b.
Ideally
in this step we should only see 2 records. Master and whatever team(s) the user
is a part of.
So say your three records consist of Photoshop, Final Cut Studio and Microsoft Office.
You would want Photoshop accessible by both since it runs on both Apple and MS software.
However you wouldn't want to see Final Cut Studio as a MS Employee not MS Office as an Apple Employee.
By following the above example, you can add users to teams associated to each record and they will only see the two specific records.
The reason they both see Photoshop is because its owned by the master BU which both BUs are a child of.
If implemented correctly, this feature can be utilized and all facets of CRM; including xRM, dashboards, reporting, etc.
Also if you have a developer or system admin user and want to see all records, simply add the system administrator role to the user.
If a role is set to a user, it will override any team roles.
Happy Coding!
Subscribe to:
Comments (Atom)