Create a truly personal field with Field Level Security

Since Microsoft Dynamics CRM 2011 was released, I never had the chance to really use Field Level Security feature. Last week, I was asked to implement a secured field that should be accessed only by the owner of the record, even if the record itself can be accessed by anyone.
 
This can be achieved with one field level security profile and one plugin.
 
Field Level Security Profile
The field level security profile basically restrict Read and Update of the field to all users (or all teams) but allows Create. This way, anyone can create a record with access to the secure field. When created, as all users can’t read or update, the field is not accessible anymore.
 
Plugin
The plugin will handle this problem. On PostCreate event, it will share the secured field with the owner. For this, we use the entity PrincipalObjectAttributeAccess to give Read and Update access to the secured field to the owner of the record.

public void ShareSecureFieldWithOwner(Entity record)
{
    // Any method that helps you find the AttributeMetadata Id
    var attributeId = FindSecuredAttribute();

    if (attributeId != Guid.Empty)
    {
        var userAccess = new PrincipalObjectAttributeAccess
                             {
                                 AttributeId = attributeId,
                                 ObjectId = record.ToEntityReference(),
                                 PrincipalId = record.OwnerId,
                                 UpdateAccess = true,
                                 ReadAccess = true
                             };

        context.AddObject(userAccess);
        context.SaveChanges();
    }
}

VoilĂ ! You have now a secure field accessible only for the owner of the record!

Comments

Charles Prat-Filloz said…
Thank you for this tutorial.

Can you tell me how FindSecuredAttribute() gets the attributeId?

Thank you :)
April 18, 2013 at 10:51 AM
Tanguy said…
Hi, it just performs a RetrieveAttributeMetadataRequest which uses the entity logical name and the attribute logical name, then read the AttributeId on the resulting AttributeMetadata
April 18, 2013 at 10:56 AM
Charles Prat-Filloz said…
Thank you for your fast answer!
April 18, 2013 at 3:11 PM
Charles Prat-Filloz said…
Ok I almost reached what I wanted but I did it differently.

I am using CRM online and I saw that I needed to use entities like that :

Entity poaa = new Entity("principalobjectattributeaccess");
poaa["attributeid"] = attributeId;
poaa["objectid"] = objectIdReference;
poaa["readaccess"] = true;
poaa["updateaccess"] = true;
poaa["principalid"] = principalIdReference;
service.Create(poaa);

I have a problem. I can't create a new principalobjectattributeaccess because the service I use is connected to the user creating the new entity. Or this user does not have the rights to modify PrincipalObjectAttributeAccess. Therefore I have a privilege problem. Do you have any ideas about that?
April 22, 2013 at 11:55 AM
Tanguy said…
Execute the plugin as an administrator,then no privileges problem
April 22, 2013 at 12:00 PM
Charles Prat-Filloz said…
OK thank you for everything I managed to do a working plugin thanks to your help!

I have one last question. When I create a Field Security Profile, if I do not connect it with any users or teams, it does not work. I have to explicitly select all users or all teams to make it work.
The thing is that in my solution, if I want to add a new team or user, I also have to add it to the security profile which is a huge constrain, do you have any idea to make it work? Or maybe it should work without connecting the Field Security Profile but my solution is not working properly...
April 26, 2013 at 9:44 AM
Tanguy said…
No, that's a requirement... But you can also write a plugin that will add the new user or team (post operation create) to this field level security
April 26, 2013 at 10:21 AM
Charles Prat-Filloz said…
Yes I thought about that solution too but I wanted to be sure I could not do it differently...

Thank you anyway :)
April 26, 2013 at 10:23 AM
Unknown said…
@Charles Prat-Filloz, did you have any luck implementing this in CRM online? I've got the exact same requirement and would appreciate some help if you're willing to share your plugin.
March 25, 2014 at 7:34 AM
Tanguy said…
This is only supporter SDK code so it works with CRM Online too.

Everything is explained in the post and the comments
March 25, 2014 at 11:29 AM
Unknown said…
Not having any luck implementing it. PrincipalObjectAttributeAccess isn't a recognised type - is there an assembly reference I need in the code?
April 11, 2014 at 7:55 AM
Tanguy said…
This comment has been removed by the author.
April 11, 2014 at 8:50 AM
Tanguy said…
Hi Philippe, you have to generate EarlyBound classes with crmsvcutil (included in the SDK) or use class "Entity" instead:

Entity poa = new Entity("principalobjectattributeaccess");
April 11, 2014 at 8:51 AM
mfairouz said…
Hi,
can you explain how to create the plugins step by step.
Message
Pipeline
Class

appreciate your support

thanks
April 13, 2014 at 10:44 PM
Anonymous said…
Iam really satisfy by your information. It's well-written, to the point, and relative to what I do. I like it very much for giving information on
Sharepoint Online Training | Microsoft Dynamics CRM Online Training
June 23, 2015 at 11:42 AM
Post a Comment

Popular posts from this blog

New XrmToolBox plugin : Import/Export NN relationships

Image
Two plugins in one day! wow! This one was, in fact, developed a couple of months ago. One of my colleague was using a solution from my fellow MVP Andrii Butenko which allows to import/export NN relationships in a silverlight web resource. This was nice but my colleague was using other attributes than primary key to do the mapping and Andrii’s solution does not support this. So he asked me to develop a XrmToolBox’s plugin that could do this. And, here it is! You can select entities and relationships and moreover, choose mapping attributes on both enitities. I only let text and number attributes selectable as other does not really make sense for mapping purposes. Then you can import or export NN relationships! Here is a preview As usual, this plugin, among other, is available with XrmToolBox on CodePlex
Read more

Searchable Propery Attribute Updater

Image
Hi, The previous post was not the last one... :) You can find in this post the first tool that will make your life easier: Just remember when you customer asked you to remove all these unused attributes form the attribute list of the advanced find form... You navigated through all attrbutes form to modify the Searchable property of each attributes for hours... (maybe am I exaggerating a bit...) The program I give you allows you to update all attributes in a single winform application! Yes it can be! Do not hesitate to give me your comments about this program if you think improvements can be done... Download:
Read more

Full featured CRM grid in HTML/JS

Image
In last December, I was asked to write a web resource to display a grid with CRM records. I was quite frustrated because I didn’t succeed to manage some grid features easily like fixed header with horizontal scrolling among others. I delivered a fixed table which was not so bad but absolutely not something that look like the application grid views. So I decided to work harder to find a way to do this CRM style grid view. After some works (almost two full days), I have succeeded to create a full featured CRM grid view by using only JavaScript. Here is a screenshot: And this is how I can create a grid view from only a div in a HTML page < html > < head > < title > Page de test </ title > < script src ="json2.js"></ script > < script src ="jquery.js"></ script > < script src ="XrmServiceToolKit.js"></ script > < script src ="sdk.metadata.js"></ script > ...
Read more