Programmatically Controlling Security in Dynamics CRM

Roshan Mehta, 01 July 2010

Security in Microsoft Dynamics CRM 4.0 is controlled by Security Roles. Security Roles determine which entities a particular user can access, and which records for those entities a user can interact with. If a user does not have the privileges to interact with a particular entity, they will not see the entity appear anywhere in the system – it is as if the entity doesn’t exist at all!


Sometimes the security role privileges that you set up in CRM don’t work exactly as planned. For example, one of our clients requested that some sensitive information be stored as Task records which will be related to a Case. Initially this was a problem, because CRM doesn’t allow you to specify privileges for separate activities – you must specify privileges for the Activity entity as a whole. This means that if we set some Security Roles so that certain users only have read access for Activities that they own, they will not be able to view organization-wide phone calls, e-mails, appointments etc , and will not be able to have an insight into the full interaction history with their customers. This could ultimately lead to “bad customer relationship”. However, I managed to find a way around this issue. All security roles will have full access to Activities, and a plugin will determine which Tasks the current user will be able to access.

How it works
The plugin is registered on the pre-retrieve event of the Task entity. When the user opens up a Task record, the plugin reads the ID of the Task being opened, and checks whether or not it’s regardingobjectidtype field is set to “Incident”. If it is set to “Incident”, an additional check is made to see if the current user belongs to the correct set of Security Roles required to access the Case entity. If this second check is successful, the user may open the Task record. If the check is unsuccessful, an InvalidPluginExecutionException is thrown which displays an error message to the user.