Pages

Friday 31 May 2013

CRM 2011: Understanding Security Model - Part 1

Security Model is a very integral component of Microsoft Dynamics CRM 2011 platform.

This post gives an overview of the Security Model in Microsoft Dynamics CRM 2011.
  • Role based Security
  • Field level Security
  • Object based Security
  • Role based Forms
  • Security Principals
  • Security Dependencies
  • Authentication Methods

Role based Security

Users and Teams are assigned security roles in Microsoft Dynamics CRM 2011 which define their privileges and access level, or in other words it defines what user/team is authorised to perform in CRM. 

Role based Security has two components
  1. Privileges
  2. Access Level

Privileges

Microsoft Dynamics CRM platform validates the user request to perform a specific operation against the privileges (defined in security role) assigned to a user and accepts/rejects based on it.

Common privileges available per entity are 
  • Create - Ability to create entity records.
  • Read - Ability to read entity records.
  • Write - Ability to modify entity records.
  • Delete - Ability to delete entity records.
  • Append - Ability to associate a selected entity record to another entity record.
  • Append To - Ability to associate another entity record to this entity record.
  • Assign - Give ownership of entity record to another user/team.
  • Share - Give access to entity records to other user/team. 

Access Level

Access Level uses the ownership of the object to determine if a user can apply privileges on a specific object.

Microsoft has classified Access Levels as
  • None
  • User/Team
  • Business Unit
  • Parent: Child Business Units
  • Organisation

In short
  • Privileges determine "WHAT" a user can perform on an object.
  • Access Level determines on "WHICH" object a user can perform this action.

Field Level Security

Microsoft Dynamics CRM 2011 platform supports field level security which allows us to grant or restrict access to specific fields at three levels
  • Read - Read-only access to field's data
  • Create - Can add field's data when creating a record
  • Update - Can modify field's data
We can use combination of these three levels to grant/restrict access to specific users or teams.

for example, if a security profile is configured to grant "Read" and "Create" permissions to a specific field then users or teams added in that profile can add data to field when creating a new record but once record has been saved then it will become read-only field for them because they don't have update permission.

Likewise, you can choose to grant
  • No permissions - Users or Teams will not be able to see data in that field (it will appear as masked field with no visibility to data)
  • "Read" and "Update" permissions but not "Create" - Users or Teams will be able to read or modify data in that field but will not be able to add data to field when creating a record.
and so on ...

Field level security is always in force
  • User/Team accessing data through Application
  • User/Team accessing data through webservices or custom code
  • User/Team accessing data through reports
For example if a user does not have access to a specific field and custom code (under that user's impersonation) tries to access that field's data, CRM platform will return null so in this case custom code will not know if this field is actual null or data unavailable to this user because of field level security.

Easy steps to set up field level security
  • Enable "Field Security" for a specific field so that it becomes available to be configured in Security Profile(s)
  • Create/Configure Security Profile
  • Add Users/Teams to that Profile
Field level security is only available for custom fields/attributes - not for system or built-in fields/attributes.

Object based Security

Microsoft Dynamics CRM 2011 security model supports object or data sharing.

Users with "Share" rights on an entity can share entity records with other users or teams which can override their respective access level restrictions. It is important to understand that sharing cannot grant privileges if a user has no privileges on that entity.

If a user does not have some level of access on an entity then sharing cannot provide that privilege.
like for example, if a user's role does not grant him or her "Read" privileges on Contact entity then sharing a contact will not grant him or her read privileges on contact entity.

When sharing, user can grant certain access rights so that user or team (with whom the record is shared) can perform actions on that record or object.

Continued at Understanding Security Model - Part 2
Posted by at No comments:

Wednesday 22 May 2013

CRM 2011: Export to Excel and Bulk Edit Permissions

Quick post : Granting privileges to users for

  • Exporting CRM data in Microsoft Excel and/or
  • Bulk Edit records 

Modify security roles as shown below.

Under Business Management tab


Posted by at No comments:

Monday 20 May 2013

CRM 2011: Increase the import file size, error The import file is too large to upload

By default, Microsoft Dynamics CRM 2011 has set maximum file size limit of 8MB for the data import.

If you are getting an error
"The import file is too large to upload" as shown in this screen shot.


You can increase this limit by updating this limit at the database level, please keep in mind that this is an unsupported change because Microsoft does not support/recommend any interaction at the database level for a CRM solution.

I would classify this as low risk unsupported change.

Run the following query on your database server to check the current file size limit, the value should be 8 (default value set by Microsoft).


Now, you can run the following query to increase the maximum file size allowed for data import to 32 MB.
You can set it more than 32 MB but be very careful because it may impact performance.


Once you have updated the value, reset IIS



Posted by at No comments:

Thursday 16 May 2013

CRM 2011 : Security Role permissions to save Advanced Find View as a Personal View


Sometimes users run into an issue that they cannot save an Advanced Find View as a Personal View.

If  "Save" and "Save As" buttons are greyed out for the user(s) in an Advanced Find window as shown in this screen shot then follow the post.

 
Normally it will happen if you are using a custom security role and this permission was missed out because most of the OOTB security roles grant these rights anyway.


To grant permissions, you will need to update the respective security role.

You will see SavedQuery entity under core tab on the security role and grant permissions as shown below.


Once you have updated the security role, users will now be able to save Advanced Find View as a Personal View on an entity.


Posted by at No comments:

Wednesday 15 May 2013

Export 10000+ rows out of CRM 2011 in an Excel spread sheet - Increase the default limit of 10000 rows


By default Microsoft Dynamics CRM 2011 allows 10000 records to be exported from CRM in an Excel spread sheet.  We can change this maximum row limit by doing one of the following.

Unsupported by Microsoft
As a principal, In CRM world any direct interaction with the database except for reporting using Filtered views is unsupported by Microsoft.
 I will classify this change as low-risk unsupported change.


  • Open SQL Management Studio on your database server
  • Run a new query on <OrganizationName>_MSCRM
  • Select MaxRecordsForExportToExcel From OrganizationBase where Name = ‘OrganizationName’
  • This query will show you the value of MaxRecordsForExportToExcel in the organization database. It will be 10000 (by default) if it has not been updated
  • Run update query to update this value to 65000 (if you want to export 65000 records in an excel spread sheet). 
  •  Update OrganizationBase Set MaxRecordsForExportToExcel=65000 where Name = ‘OrganizationName’

If you now run the select statement again, you will see the value as 65000. This should now allow you to export 65,000 records out of CRM in excel spread sheet.

Supported by Microsoft
This modification can also be done in a supported manner by using CRM SDK. You will need developer’s help to do that. Use the following code in your utility

organizationObject. MaxRecordsForExportToExcel = 65000;
service.Update(organizationObject);

Registry Settings on CRM Server
Try now if it allows you to export 65000 records, if not then you will need to add/modify registry settings on CRM Server.

Start -> Run -> type regedit and then press enter
Navigate: HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> MSCRM

Look for registry entry (DWORD) with the title “maxrecordsforexporttoexcel” and modify the value to 65000.

If you are unable to find the registry entry then create it as shown below.

From Edit Menu -> Click New -> DWORD value and select it to be “Decimal” and specify value 65000.

Once you have modified/created this registry entry, reset IIS by doing the following

Go to your CRM server, Start -> Run -> type iisreset and press enter

Now you should be able to export 65000 records out of CRM in Excel.

If you are doing IIS reset on Production environment then make sure you do it when users are not live otherwise it will/may interrupt users from using CRM application.

Posted by at No comments:
Subscribe to: Posts (Atom)