Tuesday, November 20, 2012

Flexible record access rights management using CRM workflows

Managing access to data in CRM is paramount to any organization. Fortunately, Dynamics CRM has a powerful user role system to handle this. In addition, through the CRM user interface you can not only control the ownership of a record (Assigning) but also control the different types of access privileges (Delete, Read, Share, Create, etc.) that each user or team has on each record (Sharing). However, the built-in set of workflow steps fails to exploit all of these capabilities. One notable missing capability is sharing a record with a user or a team.
In this post, we will introduce a custom workflow activity step to implement this capability. That is, by using this workflow step, we will be able to grant/revoke a given set of access rights to/from a target team or user. In case we want to manage access rights for more than one user (without defining teams) or more than one team, we can simply use a set of steps in the workflow with relevant configurations.
Figure 1: Custom Workflow step input properties window
The figure above shows the input parameter window of the workflow step. It has four categories of input parameters.
  1. Reset existing access: By selecting True for Revoke All Access to Record, we can revoke all access to the current record for all users, except the user running the workflow.
  2. Target team and/or user: Here we select the target team and/or user to grant access rights to or revoke them from.
  3. Reset existing access to target team and user: By selecting True for Initially Revoke Existing Access, we can revoke all access to the current record for the selected user and team.
  4. Grant Permissions: Select whether or not to grant each type of access right (Read, Write, etc.). Unless you have selected the Initially Revoke Existing Access option, any existing access rights that you are not newly granting remain unchanged. E.g., suppose User A has only Read and Delete access rights to the record, and this workflow step grants User A share permissions (by selecting True for Grant Share Permissions and False for everything else). As a result, User A now has Read, Delete and Share access rights.
As you can see, by carefully configuring the above parameters, we can control record access rights at a very granular level.
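The sequence the four input categories describe, sketched against the CRM 2011 SDK as an added example (this is not the source in the attached projects). `RecordSharing.Apply` and its parameter names are hypothetical; the sketch assumes an `IOrganizationService` obtained from the workflow context, and it reads the record's existing shares explicitly so that a grant keeps any rights that are not newly granted.

```csharp
using System;
using System.Linq;
using Microsoft.Crm.Sdk.Messages;   // Grant/Modify/RevokeAccessRequest, PrincipalAccess, AccessRights
using Microsoft.Xrm.Sdk;            // IOrganizationService, EntityReference

// Hypothetical helper (an assumption for illustration): one run of the step for one principal.
public static class RecordSharing
{
    public static void Apply(IOrganizationService service, EntityReference record,
        EntityReference principal, Guid runningUserId,
        bool revokeAllAccess, bool initiallyRevoke, AccessRights toGrant)
    {
        // Explicit shares currently on the record (users and teams).
        var shares = ((RetrieveSharedPrincipalsAndAccessResponse)service.Execute(
            new RetrieveSharedPrincipalsAndAccessRequest { Target = record })).PrincipalAccesses;

        if (revokeAllAccess)
        {
            // Category 1: drop every share except the one held by the running user.
            foreach (var share in shares.Where(p => p.Principal.Id != runningUserId))
                service.Execute(new RevokeAccessRequest { Target = record, Revokee = share.Principal });
            shares = shares.Where(p => p.Principal.Id == runningUserId).ToArray();
        }

        var existing = shares.FirstOrDefault(p => p.Principal.Id == principal.Id);
        if (initiallyRevoke && existing != null)
        {
            // Category 3: clear the target principal's share before granting.
            service.Execute(new RevokeAccessRequest { Target = record, Revokee = principal });
            existing = null;
        }

        if (toGrant == AccessRights.None) return;   // nothing selected in category 4

        // Category 4: union of what is already shared and what is newly granted,
        // e.g. Read|Delete plus Share gives Read|Delete|Share.
        var access = new PrincipalAccess { Principal = principal,
            AccessMask = existing == null ? toGrant : existing.AccessMask | toGrant };
        if (existing == null)
            service.Execute(new GrantAccessRequest { Target = record, PrincipalAccess = access });
        else
            service.Execute(new ModifyAccessRequest { Target = record, PrincipalAccess = access });
    }
}
```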
The workflow step is available for both CRM 4 and CRM 2011. Below I attach a snapshot of the plugin projects; however, the latest source code is available in TFS (please contact me to get access).

For Dynamics CRM 4 - CRM4.zip
For Dynamics CRM 2011 - CRM2011.zip