Customer Engagement & Dynamics CRM Forum


Yet Another Dynamics / SharePoint Question

  • 1.  Yet Another Dynamics / SharePoint Question

    Posted Jul 02, 2019 03:31 AM
    We have Dynamics CRM v8.2.2 (on premise) and want to use SharePoint Online as our document repository.

    For the most part, we want to limit most CRM users to storing and retrieving the documents only via Dynamics (we don't want them to use -- or be able to use -- SharePoint to access the documents, with a very few exceptions).

    It appears that it is necessary for each CRM user to have a SharePoint account, which would make sense if we wanted the documents to be accessed by either approach. Given that we do NOT want access via SharePoint, can we avoid having a SharePoint account for each CRM user?

    And if we must have a SharePoint account for each user, can we give them "no" access via SharePoint but still have them able to upload and retrieve stored documents via Dynamics?

    Many thanks for your help!

    Brian

    ------------------------------
    Brian Fischer
    Portola Valley Consulting Group
    ------------------------------


  • 2.  RE: Yet Another Dynamics / SharePoint Question

    SILVER CONTRIBUTOR
    Posted Jul 02, 2019 04:41 AM
    Hi Brian,

    So having read this a few times.  Are you saying that you want to use SharePoint integration so that the CRM shows the document from SharePoint and users can upload/download the documents to SharePoint from within CRM but you don't want users to be able to press the Open Document Location button or to directly navigate to the SharePoint site?

    If that's what you're asking then I'd say that it's not really possible.  If you turn on SharePoint integration then what you see when you navigate to Documents in a CRM entity is, essentially, a view of a folder (and subfolders) in a library in SharePoint based on the user in CRM having access to those folders in SharePoint.  If you can access the files one way round you'll be able to access them the other.

    Andrew


    ------------------------------
    Andrew Wolfe
    Head of CRM Practice
    Technology Services Group
    United Kingdom
    ------------------------------



  • 3.  RE: Yet Another Dynamics / SharePoint Question

    Posted Jul 03, 2019 01:32 AM
    Andrew-

    Thank you for your response -- alas, you understood exactly what we want to do and the fact that we can't do it now adds the complexities that others have identified (synchronizing the rights and privileges for access by CRM and by SharePoint).

    If anyone has a suggestion for an alternative document management tool that would come closer to meeting our desire for allowing access primarily via CRM only, we would love to hear about it!

    Again, many thanks.


    ------------------------------
    Brian Fischer
    Portola Valley Consulting Group
    ------------------------------



  • 4.  RE: Yet Another Dynamics / SharePoint Question

    SILVER CONTRIBUTOR
    Posted Jul 03, 2019 03:52 AM
    Hi Brian,

    If the issue with SharePoint is really around the security structure then my suggestion would be to persist with it rather than buy in another DMS that may then need custom integration.  I think that your concern here is that a user might open a document location, find themself in SharePoint and play with the navigation to expose folders that they're not meant to see.  If that's the case then that can be solved without too much expense.

    There is a third party product (maybe they'll jump in here and promote themselves) that can do security synchronisation between CRM and SharePoint.  I'm concerned about the number of breaks in security inheritance that might create.  What we did on one of our projects was to create a structure of sites/libraries/folders in SharePoint that matched the structure in CRM.  If we think folders we had folders similar to:
    EMEA
    USA
    RoW

    The EMEA folder then had subfolders for: France, Spain, UK etc.  Windows/Azure security groups were associated with each folder in SharePoint and we set the security that way.
    We used a little bit of custom code in CRM that would check what Business Unit the Opportunity was and then create a folder for it in the right country in the right region and set that folder as the document location.  As long as the customer makes sure that a user who is in a BU in CRM is also in the correct AD group to access the SharePoint folder then everything works.  If the user jumps over to SharePoint they can only see the bits of SharePoint that they're meant to be able to access.

    Of course there are many different ways that you can go on your project but this worked for one of ours and has been in use for several years.  Hope this info helps.

    Andrew

    ------------------------------
    Andrew Wolfe
    Head of CRM Practice
    Technology Services Group
    United Kingdom
    ------------------------------
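
Added example, not part of the post above and not code from the project it describes: a Python sketch of the folder-per-Business-Unit mapping and of the check that approach depends on, namely that every CRM user in a BU is in the matching SharePoint folder group and nobody else is. The BU map, the `SP-...` group names and the users are constructed sample data.

```python
# Constructed sample data: BU names, group names and users are assumptions.
# Each CRM Business Unit maps to a SharePoint folder path and to the
# AD / Azure AD security group granted access on that folder.
BU_MAP = {
    "France": ("EMEA/France", "SP-EMEA-France"),
    "Spain": ("EMEA/Spain", "SP-EMEA-Spain"),
    "UK": ("EMEA/UK", "SP-EMEA-UK"),
    "USA": ("USA", "SP-USA"),
}

CRM_USERS = {  # user -> Business Unit, as exported from CRM
    "alice": "France", "bob": "UK", "carol": "USA", "dave": "Spain",
}
GROUP_MEMBERS = {  # group -> members, as exported from the directory
    "SP-EMEA-France": {"alice", "bob"},
    "SP-EMEA-Spain": set(),
    "SP-EMEA-UK": {"bob"},
    "SP-USA": {"carol", "erin"},
}

def document_location(bu, opportunity):
    """Folder path for a new opportunity, derived from its Business Unit."""
    path, _group = BU_MAP[bu]
    return f"{path}/{opportunity}"

def audit(crm_users, group_members, bu_map):
    """Return (excess, missing) lists of (user, group) pairs.

    excess:  in a folder group without being in the matching BU, so the
             user can browse that folder directly in SharePoint.
    missing: in the BU but not in its group, so the Documents view in
             CRM will fail for that user.
    """
    excess, missing = [], []
    for bu, (_path, group) in bu_map.items():
        expected = {u for u, b in crm_users.items() if b == bu}
        actual = group_members.get(group, set())
        excess += [(u, group) for u in sorted(actual - expected)]
        missing += [(u, group) for u in sorted(expected - actual)]
    return excess, missing

if __name__ == "__main__":
    print(document_location("France", "Opp-001"))
    print(audit(CRM_USERS, GROUP_MEMBERS, BU_MAP))
```

Run on a schedule against real exports, the `excess` list is the one to review first, since those accounts can reach documents outside CRM.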



  • 5.  RE: Yet Another Dynamics / SharePoint Question

    TOP CONTRIBUTOR
    Posted Jul 03, 2019 09:48 AM
    Hi Brian,

    Without going the custom code route the 3rd party option mentioned is from Connecting Software. The product is called "CB Dynamics CRM – SharePoint Permissions Replicator". It works really well and I know of several companies that are using it.

    CB Dynamics SharePoint Permissions Replicator - Synchronization
    A major problem of storing Dynamics CRM documents in SharePoint is the missing synchronization of privileges and permissions. This allows unauthorized SharePoint users to access private documents and sensitive data even if they don't have CRM privileges to do so. CB Replicator is the only out-of-the-box solution that remedies this issue by automatically synchronizing Dynamics CRM privileges with SharePoint permissions.
    https://www.connecting-software.com/dynamics-crm-sharepoint-permissions-replicator/


    ------------------------------
    Mike Hammons
    Director, Business Intelligence
    AKA Enterprise Solutions
    ------------------------------



  • 6.  RE: Yet Another Dynamics / SharePoint Question

    Posted Jul 04, 2019 01:22 AM
    Many thanks again to Andrew and Mike!

    Andrew: Thanks for your idea regarding the structuring of the folders and using that mechanism to mirror the structure we have in Dynamics. I will share that with the team! Also appreciate your warning regarding using another DMS.

    Mike: Also thanks -- we will be contacting Connecting Software soon.

    Brian

    ------------------------------
    Brian Fischer
    Portola Valley Consulting Group
    ------------------------------



  • 7.  RE: Yet Another Dynamics / SharePoint Question

    Posted Jul 09, 2019 04:26 AM
    Hi, we currently use Connecting Software to help support our SharePoint integration security. Works really well and was easy to set up but I do hope Microsoft support this out of the box in the future.

    ------------------------------
    Anthony Crook
    Compass Group
    Chertsey
    ------------------------------



  • 8.  RE: Yet Another Dynamics / SharePoint Question

    SILVER CONTRIBUTOR
    Posted Jul 10, 2019 05:39 AM
    Hi @Andrew Wolfe,

    We are trialling CB Dynamics SharePoint Permissions Replicator - Synchronization at the moment, can you please elaborate on, "I'm concerned about the number of breaks in security inheritance that might create" and how it might manifest itself. We would like to look into this and see if it impacts any of our use cases. Currently we are planning to let CRM create a new folder for each case to store documents relating to that case. We are looking to replicate the case access privileges to the document folder on SharePoint.

    Regards,
    Kevin


    ------------------------------
    Kevin Harrington
    CRM Product Manager
    University College Cork
    ------------------------------



  • 9.  RE: Yet Another Dynamics / SharePoint Question

    Posted Jul 10, 2019 06:19 AM
    Edited by Anthony Crook Jul 10, 2019 06:24 AM
    Hi, I did quite a bit of analysis around this risk as well. Each SharePoint site can have a maximum of 50,000 unique security scopes. By default if your whole site only has one permission (say full CRUD), then you'd only be using 1 security scope for the whole site.

    Connecting Bridge however creates one unique security scope per folder, with one folder per CRM record. Therefore if you have one security scope for the folder of account 'Business A' and one security scope for the folder of opportunity 'Business A Opportunity', you would have 2 of your 50,000 used. Within each of those unique security scopes it defines the correct membership (i.e. owned by John but shared with read only to Jane) but I don't believe it matters how much custom security is within each scope, just the fact that there is a unique scope for that folder.

    To mitigate this we have a sub site per business unit (via custom code), therefore giving each business unit its own 50,000 limit. This doesn't fully mitigate the risk but reduces the probability.

    ------------------------------
    Anthony Crook
    Head of Client Business Solutions
    Compass Group
    Chertsey
    ------------------------------
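
Added example, not part of the post above and not code from any product named in this thread: a Python projection of how quickly one-scope-per-record folders use up the 50,000 figure quoted in that post, per site and for the same folders kept on a single site. The site names, folder names and creation rates are constructed sample data.

```python
from collections import Counter

SCOPE_LIMIT = 50_000  # per-site figure quoted in the post above

def _idx(month):
    """Turn 'YYYY-MM' into a running month number."""
    year, mon = month.split("-")
    return int(year) * 12 + int(mon)

def sample_inventory():
    """Constructed rows: (site, folder, has_unique_permissions, created 'YYYY-MM')."""
    rows = []
    for i in range(24):  # bu-usa: 1000 case folders a month, 2018-01 to 2019-12
        month = f"{2018 + i // 12}-{i % 12 + 1:02d}"
        rows += [("bu-usa", f"case-{month}-{n}", True, month) for n in range(1000)]
    for i in range(12):  # bu-emea: 400 case folders a month during 2019
        month = f"2019-{i + 1:02d}"
        rows += [("bu-emea", f"case-{month}-{n}", True, month) for n in range(400)]
    rows.append(("bu-emea", "Templates", False, "2019-01"))  # inherits: no scope used
    return rows

def scopes_per_site(inventory):
    """Each folder with broken inheritance consumes one unique scope on its site."""
    return Counter(site for site, _f, unique, _m in inventory if unique)

def months_to_limit(inventory, site, limit=SCOPE_LIMIT):
    """Months left before `site` reaches the limit at its average creation rate."""
    created = [_idx(m) for s, _f, unique, m in inventory if s == site and unique]
    if not created:
        return None  # nothing on this site breaks inheritance
    rate = len(created) / (max(created) - min(created) + 1)
    return max(0, limit - len(created)) / rate

def at_risk(inventory, horizon_months=36):
    """Sites projected to hit the limit within the planning horizon."""
    return sorted(s for s in scopes_per_site(inventory)
                  if months_to_limit(inventory, s) < horizon_months)

def single_site(inventory):
    """The same folders modelled as one site, i.e. without the per-BU split."""
    return [("root", f, unique, m) for _s, f, unique, m in inventory]

if __name__ == "__main__":
    inv = sample_inventory()
    print(dict(scopes_per_site(inv)), at_risk(inv))
    print(round(months_to_limit(single_site(inv), "root"), 1))
```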



  • 10.  RE: Yet Another Dynamics / SharePoint Question

    SILVER CONTRIBUTOR
    Posted Jul 10, 2019 07:28 AM
    Thanks @Anthony Crook,

    That is very interesting, we were not aware of this and I believe the 50,000 limit would be a problem for us as we have a large volume of cases. We would hit the 50,000 threshold mark for some business units within 3 to 5 years, so we would need to have it more granular than Business Unit but I am not sure how this could be modelled. Maybe Azure Blob might be a better way to go.

    Regards,
    Kevin

    ------------------------------
    Kevin Harrington
    CRM Product Manager
    University College Cork
    ------------------------------



  • 11.  RE: Yet Another Dynamics / SharePoint Question

    TOP CONTRIBUTOR
    Posted Jul 10, 2019 08:42 AM
    Brian (and Andrew),
        Have you considered _not_ using SharePoint for document storage? There are alternatives, such as Azure Blob storage. This free app in the AppSource takes documents that are attachments in D365 and moves them to Azure Blob storage with a GUID+filename format. The only user interface to end users is through Dynamics.  The cost for Azure Blob Storage is a fraction of what MS charges for SharePoint document storage. My customers love it.

    ------------------------------
    If this answered your question, please click on the arrow button next to Reply Inline and choose 'Make Best Answer.'
    Thanks.
    Nelson Johnson, Solution Architect
    BroadPoint, Inc., Bethesda MD
    Link with me! https://www.linkedin.com/in/nelsonjohnson/
    ------------------------------



  • 12.  RE: Yet Another Dynamics / SharePoint Question

    SILVER CONTRIBUTOR
    Posted Jul 11, 2019 03:34 AM
    There's a lot of good insights in this thread so a couple more thoughts from me:
    The other side to the 50,000 limit is that I have also been taught over many years as a SharePoint consultant to have as few security breaks as possible.

    Azure blob is an option but SharePoint integration is just so easy, you get 1TB of storage for free and you're getting a DMS, not just a file store.  Creating a hierarchy like I described and getting some bespoke to create folders in the correct path (or using North52 formula) is really only a few days' work.  You then get version controlled files and the option for all sorts of templates.  We can now assign CRM roles based on Azure AD groups that can, in effect, be the same groups that can be used inside SharePoint groups to control the SharePoint security.

    Andrew

    ------------------------------
    Andrew Wolfe
    Head of CRM Practice
    Technology Services Group
    United Kingdom
    ------------------------------



  • 13.  RE: Yet Another Dynamics / SharePoint Question

    SILVER CONTRIBUTOR
    Posted Jul 11, 2019 04:52 AM
    Hi all,

    Given our Dynamics security model, it would be quite a challenge to replicate this on SharePoint using AD roles. In effect, we would probably have to move files to the relevant document library on SharePoint every time a case is reassigned.

    Interesting: https://www.connecting-software.com/blog/elegant-workaround-for-sharepoint-security-threshold/

    Back to considering Azure Blob:
    How searchable are attachments/files moved to Azure Blob, e.g., can you search the content of say a document using relative search once synced to Azure blob?

    Our understanding, open to correction, is that both relative search and SharePoint cover the document content but content can't be searched if the doc. is synced to Azure Blob.

    Regards
    Kevin


  • 14.  RE: Yet Another Dynamics / SharePoint Question

    TOP CONTRIBUTOR
    Posted Jul 11, 2019 11:16 AM
    Kevin,
       I believe you are correct that you lose out on the ability to search documents in Blob storage if you use the method I proposed above, but anything is possible if you are willing to write code. As far as I know, you can only search for documents in SharePoint through the SharePoint UI or using an API call, therefore using the OOTB SharePoint integration will not permit D365 users to search for them either.

    With respect to @Brian Fischer's original question - he did not want users to have access to SharePoint and he only wanted people to have access to the documents through the D365 UI.

    ------------------------------
    If this answered your question, please click on the arrow button next to Reply Inline and choose 'Make Best Answer.'
    Thanks.
    Nelson Johnson, Solution Architect
    BroadPoint, Inc., Bethesda MD
    Link with me! https://www.linkedin.com/in/nelsonjohnson/
    ------------------------------


