Problem

In Microsoft Dynamics CRM, entity records can be hidden or restricted using its security structure, with a combination of business units and security roles. However, the standard security structure cannot meet the requirement if Dynamics CRM users (not system customizers or system administrators) must decide when to hide or show a record and, in addition, other users must see only a limited set of fields (selective field level security). Hence, a certain level of customisation is required.

Explanation

The following steps demonstrate that this requirement can be easily achieved without any JavaScript or Plugin development.

Thanks to Gonzalo Ruiz for publishing MSCRM Workflow Utilities. One of the features in these utilities allows CRM records to be shared with, and unshared from, a team/user using a CRM workflow.

Steps involved

  1. Create two field level security profiles “Standard” and “Sensitive”.

Figure 1: Field Level Security Profiles

  1. Create a team of “Standard” users who otherwise are not authorised to view sensitive data and add members to this team accordingly.
  2. Similarly, create a team of “Sensitive data” users who are allowed to view sensitive data. (If all authorised users belong to a single Business Unit, this team is not required.)

NOTE: It is important that all ‘unauthorised’ and ‘authorised’ users, when added to Dynamics CRM, are also added to these teams as a standard operating procedure when setting up a user in Dynamics CRM.

Figure 2: Standard Team

  1. Give these teams appropriate access under FLS profiles.

Figure 3: Team added to FLS

  1. Create two forms for your target entity. One form (e.g. the ‘Standard’ form) should contain only the non-secure fields that are accessible by standard users. The other form (e.g. the ‘Sensitive’ form) should contain both secure and non-secure fields.

Figure 4: Two different entity forms

  1. Give access to the non-secure form to all security profiles except the secure (Sensitive) security profile.
  2. Give access to the other form to the “secure” (Sensitive) security profile only.

Standard Security profile setup

Figure 5: Standard Security role

Sensitive security profile setup

Figure 6: Sensitive data security role

  1. Apply a trigger on the secure (Sensitive) form. For example, add a “Publish this record” attribute and use a workflow to share the record with the ‘Standard’ team if ‘Yes’ is selected and unshare it if ‘No’ is selected.
    1. Publish field value: “No”

Figure 7: Sensitive entity form – before publish

  1. Case not visible to the Standard users.

Figure 8: Case not visible before publishing

  1. When Case is published by authorised users, i.e. Publish field value = “Yes”

Figure 9: Case Published

  1. Case appears in Standard User’s view.

Figure 10: Case visible to standard user after publishing

  1. Though the Case is visible, Standard user can only see a limited set of fields.

Figure 11: Case visible to Standard user with limited fields

  1. Behind the scenes, create a workflow that uses the MSCRM Workflow Utilities to share and unshare this record with the teams.

Figure 12: MSCRM Utilities Workflow for Sharing/Unsharing records

Figure 13: Share Record with Standard user team

Figure 14: Unshare record with Standard user team
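
Because record visibility in this setup depends on a workflow keeping shares in step with the “Publish this record” field, a periodic audit of the two is worth having. The script below is an added example, not part of the original post or of MSCRM Workflow Utilities. It assumes the Publish flag and the share rows have been exported into the shapes shown. The record ids, the export shape and the expectation that the share grants read access only are assumptions.

```python
# Added example: audit that share state matches the "Publish this record" flag.
from dataclasses import dataclass

READ = 1  # AccessRights.ReadAccess in the Dynamics CRM SDK


@dataclass(frozen=True)
class Share:
    record_id: str
    principal: str      # team or user the record is shared with
    access_mask: int    # bitmask of AccessRights values


def audit_shares(records, shares, team="Standard"):
    """Return sorted (record_id, finding) pairs where sharing disagrees with the flag."""
    by_record = {}
    for s in shares:
        if s.principal == team:  # shares to other principals are out of scope here
            by_record[s.record_id] = by_record.get(s.record_id, 0) | s.access_mask
    findings = []
    for rec_id, published in records.items():
        mask = by_record.get(rec_id, 0)
        if not published and mask:
            findings.append((rec_id, "unpublished but still shared"))
        elif published and not mask & READ:
            findings.append((rec_id, "published but not readable by team"))
        elif published and mask & ~READ:  # assumption: the share should be read-only
            findings.append((rec_id, "shared with more than read access"))
    for rec_id in by_record.keys() - records.keys():
        findings.append((rec_id, "share on unknown record"))
    return sorted(findings)


# Constructed sample data: record id -> Publish flag, plus exported share rows.
SAMPLE_RECORDS = {"CAS-001": True, "CAS-002": False, "CAS-003": False,
                  "CAS-004": True, "CAS-005": True}
SAMPLE_SHARES = [
    Share("CAS-001", "Standard", 1),       # correct: published, read-only
    Share("CAS-002", "Standard", 1),       # stale: the unshare step never ran
    Share("CAS-004", "Standard", 1 | 2),   # over-shared: read + write (WriteAccess = 2)
    Share("CAS-003", "Sensitive", 1),      # other team, ignored by this audit
]

if __name__ == "__main__":
    for rec_id, finding in audit_shares(SAMPLE_RECORDS, SAMPLE_SHARES):
        print(f"{rec_id}: {finding}")
```

A finding of “unpublished but still shared” is the case that matters most here, since it means Standard users can still open a record its owner has withdrawn.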