Canada - National - D365/CRM

  • 1.  record level restriction to a case

    Posted Oct 07, 2020 12:02 PM
Hey everyone,

I have an issue with one of my D365 applications I'm building. This application uses the CE module to track feedback. We have multiple LOBs (lines of business) that are using the same system to capture and work this feedback. Each of these LOBs is separated into a BU in Dynamics to segregate update access, but everyone in the system should have read access to all the cases. The way the read access is done is that I created "read" teams in each BU instead of giving a global read in the CRUD. This enables me to turn this view on or off at the BU level. Here is the issue: I've just gotten a new requirement that they want to essentially restrict sensitive cases to the BU. The issue is that this goes against the model. I'm an old-school Mainframe/Java programmer; to me this is row-level locking. Is there an easy(ish) way to do this?

My initial thought was to simply move the case to a "restricted" BU, but this is causing another issue, as I can assign the case to a user but to a team. This breaks the case updates, which are at the user level, not the BU level. It also removes the feedback from reporting, as it no longer shows up in reporting.

I was looking at using access teams or creating a plugin, but I'm not completely familiar with how they work...

Does anyone have any suggestions on how to do this?

    Martin Carpenter
Senior IT Specialist
    Canada Revenue Agency

  • 2.  RE: record level restriction to a case

    Posted Oct 18, 2020 03:29 PM
What method do you use to define a "sensitive case"?
    And do you really need to restrict the entire case record, or just some information on the record (e.g. field level security)?

    Nicolae Tarla -
    Business & Digital Transformation
    Toronto, ON

  • 3.  RE: record level restriction to a case

    Posted Oct 18, 2020 07:19 PM
The user would identify it and a flag is to be set on the record and all of its attached records (custom and activity). As for whether I could "blank out fields", the answer is yes; the client is OK with this and I was going to use field level security, but I can't seem to find a way to turn on field level security based on a field on the record. It seems to be all or nothing across all records that have the field.

I am currently looking at 4 ways to do this. All have advantages and disadvantages:

1) Move the record to a separate BU with an access team to control access. But since I want to make sure all 1-n and n-n records associated with it are restricted too, I will most likely have to create a plugin to make sure the ownership stays with the team for all associated records after the "restriction". The other issue is that for restricted cases, the supervisors would have to use the access team to manage who has access to the case, or have everyone that is a member of that team have the same access. This is a completely different process from what we are doing for 99% of the cases.

2) Change the access to the BU records from membership of a team (owner) with read access to membership of a team (access), and have a plugin share the records with the team every time they are created, except if they are marked as restricted. This may be the best solution, but if the client wants to restrict to users within the BU, it won't work, though I could modify the read access to all cases to be handled by the share. This could become a logistical nightmare for really 1 to 5% of the cases.

3) Create a plugin attached to Retrieve / RetrieveMultiple that blocks/skips the retrieval of records that are marked as restricted, with a plugin to mark any new associated records as restricted, of course. If I was creating a custom application (Java / mainframe) this is what I would do; it would be baked into the DAO. Just not sure how well it will work in Dynamics.

4) Create a plugin, business rule or JavaScript that blanks the fields and subgrids that are deemed restricted. This would work if the client is OK with it, but I would really be hacking the UX and may have to fix it every time MS changes things. The issues here are that a) the client has to agree that the record can be seen just "redacted", and I have to make sure that the redaction is applied to both the form view and reports/dashboards/advanced find. This option will still have me creating a plugin/WF that marks any new associated record as restricted if the parent is restricted.

5) Force a restricted view form for users that are not allowed the restricted ones. This would be the perfect solution. The only problem is there really is no way to tell Dynamics to switch forms based on data. Yes, there is that JavaScript hack, but it doesn't meet WCAG so I can't use it. And really this one would not work, since you could still access the data using advanced find.

Lots of work for a requirement that came in at the last minute and goes against the primary principle that everyone can see all records. Right now I'm leaning between option 2 and creating either a plugin or an entity-level business rule to redact the record. Any help or advice is appreciated on this.

PS. Ironically, I've built/maintained dozens of mainframe and Java apps that do this. We just add the functionality to the DAO.

    Martin Carpenter
Senior IT Specialist
    Canada Revenue Agency
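Option 3 above (filter restricted cases out at retrieval time) can be sketched as a pre-operation plugin on the RetrieveMultiple message. The following is an added example written for this thread, not code from the poster or from Microsoft; the `new_isrestricted` column, the step registration and the "same BU may still see it" rule are assumptions. It rewrites the incoming `QueryExpression` so that restricted cases are returned only to callers in the owning business unit:

```csharp
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Register this step on: entity "incident", message RetrieveMultiple, stage PreOperation, synchronous.
// Assumed schema: a Boolean column new_isrestricted on the case (constructed name for this example).
public class HideRestrictedCasesPlugin : IPlugin
{
    private const string RestrictedFlag = "new_isrestricted";

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));

        // Only a QueryExpression is rewritten here. Queries that arrive as FetchXML (reports, some views)
        // come in as a FetchExpression and would need separate handling; that gap, plus the fact that a
        // single Retrieve by id is not affected at all, is why this option is weaker than sharing.
        if (!(context.InputParameters.Contains("Query") && context.InputParameters["Query"] is QueryExpression query)
            || query.EntityName != "incident")
        {
            return;
        }

        // Criteria is an AND filter by default; the OR filter below is appended as a nested group,
        // so the user's own conditions are kept and the visibility rule is added on top of them.
        query.Criteria.AddFilter(BuildVisibilityFilter(context.BusinessUnitId));
    }

    // A case is visible when it is not restricted, or when it belongs to the caller's own BU.
    // Note: cases where the flag is null match neither condition, so the flag should default to false.
    public static FilterExpression BuildVisibilityFilter(Guid callerBusinessUnitId)
    {
        var filter = new FilterExpression(LogicalOperator.Or);
        filter.AddCondition(RestrictedFlag, ConditionOperator.Equal, false);
        filter.AddCondition("owningbusinessunit", ConditionOperator.Equal, callerBusinessUnitId);
        return filter;
    }
}
```

The design choice worth noting is that this filter hides rows from list queries only: the platform's security model still grants read on the record, so Retrieve by id, Associate, reports and any integration that bypasses the plugin step will still see it. It is best treated as a display convenience layered on top of a real sharing or ownership model rather than as the control itself.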

  • 4.  RE: record level restriction to a case

    Posted Nov 20, 2020 09:48 AM
    Hey Martin,
Just had a read of your challenge with the "restriction" of Cases at record level. Wondering if you have gotten any further since.

I have done a security model for restricting cases at record level, but in CRM 2013 and with a single BU.
So I have a security role with Case and Activities CRUD at user level.
Then all you really need to do is:
A plugin attached to the Create or Update message on Case to share only the read permission with the one or more designated teams if the case is not restricted.
If the case is restricted,
and if it should be read by a fixed group of users, then share with that specific team.
If that group of readers needs to be dynamic depending on the case itself, then use an access team template with the desired privileges; then your plugin can simply add users to that access team.

Regarding related records, i.e. accounts / contacts and activities, I suggest you look into the OOTB cascading as part of the relationship configuration.
So you can stop cascading Re-parenting, Share / Unshare etc. where necessary.

Hope this is helpful in some way. If you have already done your solution, I am all ears.

Xun Dong
Thomas Miller
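The sharing approach in the reply above (and option 2 in the earlier post) can be implemented as a post-operation plugin on Create and Update of the case. The following is an added example written for this thread, not code from either poster; the column names `new_isrestricted` and `new_restrictedreaderteam`, the team name "All Cases - Readers", the post-image name and the step registration are all assumptions. The plugin grants read to the global reader team when a case is not restricted, and when it is restricted revokes that share and, if the case names a designated reader team, shares read with that team only:

```csharp
using System;
using System.Linq;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Messages;
using Microsoft.Xrm.Sdk.Query;

// Register this step on: entity "incident", messages Create and Update, stage PostOperation, synchronous,
// with a post-image named "PostImage" that includes new_isrestricted and new_restrictedreaderteam.
// For Update, set filtering attributes to new_isrestricted and new_restrictedreaderteam so the step
// only fires when the restriction actually changes.
public class CaseRestrictionSharingPlugin : IPlugin
{
    // Constructed schema names and team name; replace with your own.
    private const string RestrictedFlag = "new_isrestricted";
    private const string ReaderTeamLookup = "new_restrictedreaderteam";
    private const string GlobalReaderTeamName = "All Cases - Readers";

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        // Run as SYSTEM so sharing does not depend on the calling user holding the Share privilege.
        IOrganizationService service = factory.CreateOrganizationService(null);

        if (!(context.InputParameters.Contains("Target") && context.InputParameters["Target"] is Entity target)
            || target.LogicalName != "incident")
        {
            return;
        }

        // On Update the flag may not be part of Target; the post-image carries the final values.
        Entity current = context.PostEntityImages.Contains("PostImage")
            ? context.PostEntityImages["PostImage"]
            : target;

        var caseRef = new EntityReference("incident", target.Id);
        bool restricted = current.GetAttributeValue<bool>(RestrictedFlag);
        EntityReference globalReaders = FindTeam(service, GlobalReaderTeamName);

        if (!restricted)
        {
            // Normal case: everyone in the global reader team may read it.
            GrantRead(service, caseRef, globalReaders);
            return;
        }

        // Restricted case: take the global read share away...
        service.Execute(new RevokeAccessRequest { Target = caseRef, Revokee = globalReaders });

        // ...and, if a designated reader team is named on the case, share read with that team only.
        var readerTeam = current.GetAttributeValue<EntityReference>(ReaderTeamLookup);
        if (readerTeam != null)
        {
            GrantRead(service, caseRef, readerTeam);
        }
    }

    private static void GrantRead(IOrganizationService service, EntityReference record, EntityReference team)
    {
        service.Execute(new GrantAccessRequest
        {
            Target = record,
            PrincipalAccess = new PrincipalAccess
            {
                Principal = team,
                AccessMask = AccessRights.ReadAccess   // read only; write stays with the owning BU
            }
        });
    }

    private static EntityReference FindTeam(IOrganizationService service, string name)
    {
        var query = new QueryExpression("team") { ColumnSet = new ColumnSet("teamid"), TopCount = 1 };
        query.Criteria.AddCondition("name", ConditionOperator.Equal, name);
        Entity team = service.RetrieveMultiple(query).Entities.FirstOrDefault();
        if (team == null)
        {
            throw new InvalidPluginExecutionException($"Reader team '{name}' was not found.");
        }
        return team.ToEntityReference();
    }
}
```

Two points a practitioner would check before relying on this: first, the security role for readers should carry no organization-level or BU-level Read on Case, otherwise the share is redundant and the revoke has no effect; second, child records (activities, custom 1-n records) only follow the share if the relationship's cascading behaviour for Share and Unshare is set to cascade, which is the relationship configuration the reply above points at. For the dynamic-readers variant, the same plugin would add individual users with `AddUserToRecordTeamRequest` (from `Microsoft.Crm.Sdk.Messages`) against an access team template instead of sharing with a fixed team.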