Customer Engagement & Dynamics CRM Forum

User see records he shouldn't see

  • 1.  User see records he shouldn't see

    TOP CONTRIBUTOR
    Posted Apr 09, 2019 12:06 PM
    I am seeing a really puzzling issue.  Our opportunity records are owned by business unit teams.  Our security roles allow a user or team to access opportunities in their own business unit or below (Parent: Child Business Units).  I have a user who is seeing some Opportunity records owned by other business units which are not below his own BU or his Team's BU.  He is not seeing all records from other BUs, so I don't think it could be an unexpectedly inherited permission.  I checked for sharing on several individual records; as far as I can tell, the records are not shared with the user or with the team.  They don't even have the permission to share Opportunity records, and I thought maybe they did in the past, but I see recently created records and there have been no recent changes to security.

    What else could I be missing?

    ------------------------------
    Jill Vazquez
    Technical Specialist - CRM
    Bioventus, LLC
    Durham NC
    ------------------------------

  • 2.  RE: User see records he shouldn't see

    Posted Apr 10, 2019 01:45 AM

    Hi Jill

    This is tough to trace, especially sharing. I believe inherited shares, for example, won't show in the sharing dialog box for the record, and this is likely where it's happening. I'd look to parent record relationships; it could be caused by the parent being automatically shared with the original owner, for example.

    I think there are some security checking tools in XrmToolBox that may help you with this.

    Cheers

    James Abraham
    Practice Lead – Dynamics 365

    james.abraham@empired.com | T +61 8 7333 4214  | M +61 439 873 354

    Level 2, 8 Leigh St, Adelaide SA 5000 | empired.com


  • 3.  RE: User see records he shouldn't see

    TOP CONTRIBUTOR
    Posted Apr 10, 2019 11:37 AM
    James - thanks for the suggestion!  I hadn't thought to check inherited sharing and I did find some cases where the parent account for the opportunity was shared, but, unfortunately, it didn't help.  I've been testing by using in-private browsing and logging in as my test user with the same security role and BU as the user who reported the issue.  After previously seeing many opportunities in the view which weren't owned by my BU team, today, I looked at accounts and found about 52 accounts which aren't owned by my BU.  Some of them were shared - although not with my BU - and some of them were not.  Removing the sharing didn't remove the account from my view, nor did it remove the opportunities from my other view, so something else is responsible for allowing these records to be visible, but I can't spot any sort of pattern.  None of the accounts had a parent account that they could be inheriting sharing from either.

    ------------------------------
    Jill Vazquez
    Technical Specialist - CRM
    Bioventus, LLC
    Durham NC
    ------------------------------


  • 4.  RE: User see records he shouldn't see

    Posted Apr 10, 2019 08:18 AM

    Hi Jill,

    You may want to try using the XrmToolBox with the plugin "Privileges Discovery".  Using this plugin, simply select the "Read" privilege for the Opportunity entity, and it should show you all of the security roles that grant this privilege.  Once you know which roles are granting the privilege, just check to make sure that neither the user nor any of the teams that user belongs to has been granted a role that would allow him/her to read the entity.

    Pheng Yang | Senior Programmer Analyst
    Phone | 952-928-5863 | 6800 France Ave. So, Suite 600, Edina, MN  55435


  • 5.  RE: User see records he shouldn't see

    TOP CONTRIBUTOR
    Posted Apr 10, 2019 11:40 AM
    Pheng -

    Thanks for the suggestion, but I'm still not able to solve it.  I should only be able to see records in my BU or in child BUs, so in order to see records from other BUs that have the same parent as mine, I think an inherited security permission would allow me to see records for the whole org - but I am not seeing the whole org.  I am only seeing some records from other BUs and I'm not able to spot a pattern.

    ------------------------------
    Jill Vazquez
    Technical Specialist - CRM
    Bioventus, LLC
    Durham NC
    ------------------------------


  • 6.  RE: User see records he shouldn't see

    Posted Apr 10, 2019 11:41 AM
    Hi Jill,

    Are there any sharing/assigning or changing of parent records of oppty like accounts? Check the default options on Account-Opportunity relationship (Share/Reparent). Reparent especially. For example if potential customer is changed, the owner of that customer (account) would also get access to subordinated opportunities. Not sure if it will help but I had something similar with cases.

    BR,
    Antonio

    ------------------------------
    Antonio
    Span d.o.o
    ------------------------------


  • 7.  RE: User see records he shouldn't see

    TOP CONTRIBUTOR
    Posted Apr 11, 2019 08:48 AM
    Antonio -

    There have been some changes in ownership of records and merging of account records which could have impacted the share of subordinate records if the parent had been shared.  I'm beginning to think there is some sort of glitch with the sharing when ownership and/or merging happens since un-sharing a record didn't remove it from my view.

    ------------------------------
    Jill Vazquez
    Technical Specialist - CRM
    Bioventus, LLC
    Durham NC
    ------------------------------


  • 8.  RE: User see records he shouldn't see

    Posted Apr 11, 2019 09:40 AM
    With reparent, the sharing that happens is in the background (shadow, dirty, implicit sharing, whatever the term). It will happen if you change the parent customer; then the owner of that parent customer will be given an implicit right (with sharing in the background) on the child opportunities. Does that fit somehow in your scenario?
    Btw, is your system online or on premise? If it is on prem, there are some queries you can execute on the DB and see exactly how a certain user can access a certain record...

    BR,
    Antonio

    ------------------------------
    Antonio
    Span d.o.o
    ------------------------------
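
The background sharing discussed in this thread is stored per principal in the PrincipalObjectAccess (POA) table, with explicit shares in AccessRightsMask and cascaded ones in InheritedAccessRightsMask. The following is an added example, not code from any poster in the thread: it takes POA-shaped rows and team membership and reports why a user can read each record. All ids and rows are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

READ = 0x1  # ReadAccess bit in AccessRightsMask / InheritedAccessRightsMask

# Constructed sample rows shaped like PrincipalObjectAccess (POA):
# (PrincipalId, ObjectId, AccessRightsMask, InheritedAccessRightsMask)
POA_ROWS = [
    ("user-test", "opp-001", 1, 0),   # explicit share to the user
    ("user-test", "opp-002", 0, 1),   # inherited from a parent record
    ("team-east", "acc-010", 0, 3),   # inherited, granted to the user's team
    ("team-west", "acc-011", 1, 0),   # shared with a team the user is not in
    ("user-test", "acc-012", 0, 0),   # row present but grants nothing
]
# Constructed team membership: team id -> member user ids
TEAM_MEMBERS = {"team-east": {"user-test"}, "team-west": {"user-other"}}


def principals_for(user, team_members):
    """The user plus every team the user belongs to."""
    return {user} | {t for t, m in team_members.items() if user in m}


def explain_read_access(user, poa_rows, team_members):
    """Map each readable record to the list of (kind, via) share paths."""
    principals = principals_for(user, team_members)
    reasons = defaultdict(list)
    for principal, obj, explicit, inherited in poa_rows:
        if principal not in principals:
            continue
        via = "direct" if principal == user else "team " + principal
        if explicit & READ:
            reasons[obj].append(("explicit", via))
        if inherited & READ:
            reasons[obj].append(("inherited", via))
    return dict(reasons)


def inherited_only(user, poa_rows, team_members):
    """Records readable solely through inherited (cascaded) shares."""
    access = explain_read_access(user, poa_rows, team_members)
    return sorted(o for o, r in access.items()
                  if all(kind == "inherited" for kind, _ in r))


if __name__ == "__main__":
    for obj, why in explain_read_access("user-test", POA_ROWS, TEAM_MEMBERS).items():
        print(obj, why)
    print("inherited only:", inherited_only("user-test", POA_ROWS, TEAM_MEMBERS))
```

Records returned by `inherited_only` are the ones to compare against the record's sharing dialog, since they come from the parent relationship rather than from a share on the record itself.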


  • 9.  RE: User see records he shouldn't see

    TOP CONTRIBUTOR
    Posted Apr 11, 2019 10:28 AM
    Yes, that might fit our scenario, but removing the sharing on an account, for example, which has no parent, is not removing my ability to see that account even though it is owned by another BU team.  I think I had one account where I removed sharing and it disappeared from my view, but others did not.

    We are online.

    ------------------------------
    Jill Vazquez
    Technical Specialist - CRM
    Bioventus, LLC
    Durham NC
    ------------------------------


  • 10.  RE: User see records he shouldn't see

    TOP CONTRIBUTOR
    Posted Apr 11, 2019 02:17 AM
    Hi Jill,
    Maybe you should reset the business unit for that user. Note the team and the security roles. Remove the team from the user and change the business unit to the root business unit; that will remove all security roles. Then change back to the original and check.
    I have seen that solving security role issues.

    ------------------------------
    Axel Girgensohn
    Dynamics CRM Specialist
    Aller Media AB
    ------------------------------


  • 11.  RE: User see records he shouldn't see

    TOP CONTRIBUTOR
    Posted Apr 11, 2019 08:55 AM
    Axel - thanks for the suggestion.  I've essentially already done that.  Each time I use my test user account, I am changing the BU, which wipes out the security roles, so I can use the same BU in which I want to test a particular scenario.  Most of our users only have one security role and only inherit permissions they already have from one security role that is at the parent BU team.  I have all but ruled out a security role issue since the records seen which should not be seen don't fit into any pattern we would see if the account was inheriting org-level access to accounts or opportunities - they only see a relatively small number of the records from other BUs.

    ------------------------------
    Jill Vazquez
    Technical Specialist - CRM
    Bioventus, LLC
    Durham NC
    ------------------------------
