Customer Engagement & Dynamics CRM Forum

Expand all | Collapse all

Different outcomes for Users Security Roles

  • 1.  Different outcomes for Users Security Roles

    Posted Feb 27, 2020 05:52 PM
    First question here, so let's hope it's in an appropriate format.
    We have some custom security roles that were created. I need to add functionality based on a particular security role for the user that is logged in. So when I test it out (using Xrm.Page.context.getUserRoles()), it shows me the security roles IDs that I have assigned correctly (System Administrator among others). However, I had another user (not having a Sys Admin role) and an error is thrown saying that they do not have the permission to view it. When i print the role IDs to the console, some GUIDs show, but none of them correspond to any particular security role (not sure what they are). I gave the security role the Read access to Security Roles under the Business Management tab in the settings, however, the same GUIDs are displayed. I assume me being Sys Admin will make it always work for me, so the correct GUIDs are displayed.
    So does anyone know what would be the setting that needs to be changed for the Security Role to be able to have it be displayed correctly?





    ------------------------------
    Raphael Cal
    Belize Social Security Board
    San Ignacio
    ------------------------------
    The first step toward cloud success. - Migrate from CRM to D365 with expert guidance from Microsoft. I'm Ready


  • 2.  RE: Different outcomes for Users Security Roles

    SILVER CONTRIBUTOR
    Posted Feb 28, 2020 06:43 AM
    Each security role you create as a Sys admin creates that same security role in each business unit you have defined. The guids that you are seeing are the relevant guids of that particular user based on their business unit. 

    The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.



    The first step toward cloud success. - Migrate from CRM to D365 with expert guidance from Microsoft. I'm Ready


  • 3.  RE: Different outcomes for Users Security Roles

    Posted Feb 28, 2020 09:58 AM
    Hello @Raphael Cal,

    I'm not sure of the specific setting that would fix your problem but it could partly be the JavaScript you're using.  "Xrm.Page" has been deprecated and should no longer be used, see this link for the other deprecated client APIs https://docs.microsoft.com/en-us/power-platform/important-changes-coming#some-client-apis-are-deprecated.  If you want to get the security roles then you should use Xrm.Utility.getGlobalContext().userSettings.securityRoles or if you want to go deeper and look into the privileges (which might help you find the root cause of your problem in the example you provided) then use Xrm.Utility.getGlobalContext().userSettings.securityRolePrivileges.

    ------------------------------
    Nate Varney
    Sr. Software Developer, MCSA - Dynamics 365
    Universal Technical Institute (UTI)
    Scottsdale AZ
    ------------------------------

    The first step toward cloud success. - Migrate from CRM to D365 with expert guidance from Microsoft. I'm Ready


  • 4.  RE: Different outcomes for Users Security Roles

    D365UG/CRMUG ALL STAR
    Posted Feb 28, 2020 10:50 AM
    @Raphael Cal - Have you looked into using the XrmToolBox for reviewing the user security? There are a couple of tools you could check out:

    There are other tools available, but give these a go.

    ------------------------------
    Aaron Back
    Microsoft MVP | Sr. Microsoft Dynamics 365 Consultant
    ACE Microtechnology
    _______________________________________
    CRMUG Board Member
    CRMUG Chapter Leader - Cincinnati, Ohio
    ------------------------------

    The first step toward cloud success. - Migrate from CRM to D365 with expert guidance from Microsoft. I'm Ready


  • 5.  RE: Different outcomes for Users Security Roles

    Posted Mar 04, 2020 03:19 PM
    **UPDATE:

    We have a custom WinForms application that is installed on every users machine, so from D365 we have JavaScript that basically builds some parameters, and pass it to the local application. The goal was to make it in such a way that if the Security Role that was chosen to do the functionality would change, then only the JavaScript code would need to be changed, since modifying the application would require deployment to all others. So, since the JS code was already passing the ID of the current user, we set the ID of the Security Role to pass as a parameter as well.

    Side Note: I came across this article that I found to be helpful since this was the same issue I was having: Dynamics 365 V9 - Verify Logged In User Security Role using TypeScript. When there are different business units, each security role created will have a different roleId for those BUs, so a solution would be to compare the Name of the role or to the ParentRootRole.

    My solution was to get the RoleId for a the custom role chosen (ID shown in the Url) and and that to the parameters passed to the application. Once there, using the IOrganizationService.Retrieve to get the Role Entity with that ID (the name). From there, passing the UserID and the Role Entity retrieved previously to a function that checks if the user has that role assigned. A fetchXML query such as below gets all users that has the security role assigned. So once the userId is in the collection retrieved, they have the necessary role.
    var fetchXml = $@"
                        <fetch>
                          <entity name='systemuser'>
                            <attribute name='fullname' />
                            <attribute name='systemuserid' />
                            <link-entity name='systemuserroles' from='systemuserid' to='systemuserid' link-type='inner' intersect='true'>
                              <attribute name='systemuserroleid' />
                              <attribute name='roleid' />
                              <attribute name='systemuserid' />
                              <link-entity name='role' from='roleid' to='roleid'>
                                <filter>
                                  <condition attribute='name' operator='eq' value='{fetchData.name}'/>
                                </filter>
                              </link-entity>
                            </link-entity>
                          </entity>
                        </fetch>";​
    So if the role were to change, the roleId could be updated in the JavaScript code, so that new ID would be passed to the application and into the fetchxml query (not something hardcoded into the application).

    ------------------------------
    Raphael Cal
    Belize Social Security Board
    San Ignacio
    ------------------------------

    The first step toward cloud success. - Migrate from CRM to D365 with expert guidance from Microsoft. I'm Ready


If you've found this thread useful, dive deeper into User Group community content by role