Customer Engagement & Dynamics CRM Forum

First question here, so let's hope it's in an appropriate format.
We have some custom security roles that were created. I need to add functionality based on a particular security role for the user that is logged in. So when I test it out (using Xrm.Page.context.getUserRoles()), it shows me the security roles IDs that I have assigned correctly (System Administrator among others). However, I had another user (not having a Sys Admin role) and an error is thrown saying that they do not have the permission to view it. When i print the role IDs to the console, some GUIDs show, but none of them correspond to any particular security role (not sure what they are). I gave the security role the Read access to Security Roles under the Business Management tab in the settings, however, the same GUIDs are displayed. I assume me being Sys Admin will make it always work for me, so the correct GUIDs are displayed. 
So does anyone know what would be the setting that needs to be changed for the Security Role to be able to have it be displayed correctly?





------------------------------
Raphael Cal
Belize Social Security Board
San Ignacio
------------------------------

Original Message------

First question here, so let's hope it's in an appropriate format.
We have some custom security roles that were created. I need to add functionality based on a particular security role for the user that is logged in. So when I test it out (using Xrm.Page.context.getUserRoles()), it shows me the security roles IDs that I have assigned correctly (System Administrator among others). However, I had another user (not having a Sys Admin role) and an error is thrown saying that they do not have the permission to view it. When i print the role IDs to the console, some GUIDs show, but none of them correspond to any particular security role (not sure what they are). I gave the security role the Read access to Security Roles under the Business Management tab in the settings, however, the same GUIDs are displayed. I assume me being Sys Admin will make it always work for me, so the correct GUIDs are displayed. 
So does anyone know what would be the setting that needs to be changed for the Security Role to be able to have it be displayed correctly?





------------------------------
Raphael Cal
Belize Social Security Board
San Ignacio
------------------------------

Hello @Raphael Cal,

I'm not sure of the specific setting that would fix your problem but it could partly be the JavaScript you're using.  "Xrm.Page" has been deprecated and should no longer be used, see this link for the other deprecated client APIs https://docs.microsoft.com/en-us/power-platform/important-changes-coming#some-client-apis-are-deprecated.  If you want to get the security roles then you should use Xrm.Utility.getGlobalContext().userSettings.securityRoles or if you want to go deeper and look into the privileges (which might help you find the root cause of your problem in the example you provided) then use Xrm.Utility.getGlobalContext().userSettings.securityRolePrivileges.

------------------------------
Nate Varney
Sr. Software Developer, MCSA - Dynamics 365
Universal Technical Institute (UTI)
Scottsdale AZ
------------------------------

Original Message:
Sent: Feb 27, 2020 05:52 PM
From: Raphael Cal
Subject: Different outcomes for Users Security Roles

First question here, so let's hope it's in an appropriate format.
We have some custom security roles that were created. I need to add functionality based on a particular security role for the user that is logged in. So when I test it out (using Xrm.Page.context.getUserRoles()), it shows me the security roles IDs that I have assigned correctly (System Administrator among others). However, I had another user (not having a Sys Admin role) and an error is thrown saying that they do not have the permission to view it. When i print the role IDs to the console, some GUIDs show, but none of them correspond to any particular security role (not sure what they are). I gave the security role the Read access to Security Roles under the Business Management tab in the settings, however, the same GUIDs are displayed. I assume me being Sys Admin will make it always work for me, so the correct GUIDs are displayed.
So does anyone know what would be the setting that needs to be changed for the Security Role to be able to have it be displayed correctly?





------------------------------
Raphael Cal
Belize Social Security Board
San Ignacio
------------------------------

@Raphael Cal - Have you looked into using the XrmToolBox for reviewing the user security? There are a couple of tools you could check out: 

• https://www.xrmtoolbox.com/plugins/Daggen.Xrm.UserTeamSecurityRoleReport/ ​
• https://www.xrmtoolbox.com/plugins/PKM.XRMToolBox.UserSecurityManager/

There are other tools available, but give these a go.

------------------------------
Aaron Back
Microsoft MVP | Sr. Microsoft Dynamics 365 Consultant
ACE Microtechnology
_______________________________________
CRMUG Board Member
CRMUG Chapter Leader - Cincinnati, Ohio
------------------------------

Original Message:
Sent: Feb 27, 2020 05:52 PM
From: Raphael Cal
Subject: Different outcomes for Users Security Roles

First question here, so let's hope it's in an appropriate format.
We have some custom security roles that were created. I need to add functionality based on a particular security role for the user that is logged in. So when I test it out (using Xrm.Page.context.getUserRoles()), it shows me the security roles IDs that I have assigned correctly (System Administrator among others). However, I had another user (not having a Sys Admin role) and an error is thrown saying that they do not have the permission to view it. When i print the role IDs to the console, some GUIDs show, but none of them correspond to any particular security role (not sure what they are). I gave the security role the Read access to Security Roles under the Business Management tab in the settings, however, the same GUIDs are displayed. I assume me being Sys Admin will make it always work for me, so the correct GUIDs are displayed.
So does anyone know what would be the setting that needs to be changed for the Security Role to be able to have it be displayed correctly?





------------------------------
Raphael Cal
Belize Social Security Board
San Ignacio
------------------------------

**UPDATE:

We have a custom WinForms application that is installed on every users machine, so from D365 we have JavaScript that basically builds some parameters, and pass it to the local application. The goal was to make it in such a way that if the Security Role that was chosen to do the functionality would change, then only the JavaScript code would need to be changed, since modifying the application would require deployment to all others. So, since the JS code was already passing the ID of the current user, we set the ID of the Security Role to pass as a parameter as well.

Side Note: I came across this article that I found to be helpful since this was the same issue I was having: Dynamics 365 V9 - Verify Logged In User Security Role using TypeScript. When there are different business units, each security role created will have a different roleId for those BUs, so a solution would be to compare the Name of the role or to the ParentRootRole.

My solution was to get the RoleId for a the custom role chosen (ID shown in the Url) and and that to the parameters passed to the application. Once there, using the IOrganizationService.Retrieve to get the Role Entity with that ID (the name). From there, passing the UserID and the Role Entity retrieved previously to a function that checks if the user has that role assigned. A fetchXML query such as below gets all users that has the security role assigned. So once the userId is in the collection retrieved, they have the necessary role.

var fetchXml = [email protected]"
                    <fetch>
                      <entity name='systemuser'>
                        <attribute name='fullname' />
                        <attribute name='systemuserid' />
                        <link-entity name='systemuserroles' from='systemuserid' to='systemuserid' link-type='inner' intersect='true'>
                          <attribute name='systemuserroleid' />
                          <attribute name='roleid' />
                          <attribute name='systemuserid' />
                          <link-entity name='role' from='roleid' to='roleid'>
                            <filter>
                              <condition attribute='name' operator='eq' value='{fetchData.name}'/>
                            </filter>
                          </link-entity>
                        </link-entity>
                      </entity>
                    </fetch>";​

So if the role were to change, the roleId could be updated in the JavaScript code, so that new ID would be passed to the application and into the fetchxml query (not something hardcoded into the application).

------------------------------
Raphael Cal
Belize Social Security Board
San Ignacio
------------------------------

Original Message:
Sent: Feb 28, 2020 10:50 AM
From: Aaron Back
Subject: Different outcomes for Users Security Roles

@Raphael Cal - Have you looked into using the XrmToolBox for reviewing the user security? There are a couple of tools you could check out:

• https://www.xrmtoolbox.com/plugins/Daggen.Xrm.UserTeamSecurityRoleReport/ ​
• https://www.xrmtoolbox.com/plugins/PKM.XRMToolBox.UserSecurityManager/

There are other tools available, but give these a go.

------------------------------
Aaron Back
Microsoft MVP | Sr. Microsoft Dynamics 365 Consultant
ACE Microtechnology
_______________________________________
CRMUG Board Member
CRMUG Chapter Leader - Cincinnati, Ohio

Original Message:
Sent: Feb 27, 2020 05:52 PM
From: Raphael Cal
Subject: Different outcomes for Users Security Roles

First question here, so let's hope it's in an appropriate format.
We have some custom security roles that were created. I need to add functionality based on a particular security role for the user that is logged in. So when I test it out (using Xrm.Page.context.getUserRoles()), it shows me the security roles IDs that I have assigned correctly (System Administrator among others). However, I had another user (not having a Sys Admin role) and an error is thrown saying that they do not have the permission to view it. When i print the role IDs to the console, some GUIDs show, but none of them correspond to any particular security role (not sure what they are). I gave the security role the Read access to Security Roles under the Business Management tab in the settings, however, the same GUIDs are displayed. I assume me being Sys Admin will make it always work for me, so the correct GUIDs are displayed.
So does anyone know what would be the setting that needs to be changed for the Security Role to be able to have it be displayed correctly?





------------------------------
Raphael Cal
Belize Social Security Board
San Ignacio
------------------------------