In Microsoft Dynamics CRM, entity records can be hidden or restricted through its security structure, using a combination of business units and security roles. However, if Dynamics CRM users (not system customizers or system administrators) must be able to decide when to hide or show a record and, in addition, other users should see only a limited set of fields (selective field-level security), this cannot be achieved with the standard security structure. Hence, a certain level of customisation is required.
Thanks to Gonzalo Ruiz for publishing MSCRM Workflow Utilities. One of the features presented in these utilities allowed for sharing and unsharing of CRM records with a team/user using a CRM workflow.
- Create two field-level security profiles, “Standard” and “Sensitive”.
- Create a team of “Standard” users who otherwise are not authorised to view sensitive data and add members to this team accordingly.
- Similarly, create a team of “Sensitive data” users who are allowed to view sensitive data. (If all authorised users belong to a single Business Unit, this team is not required.)
NOTE: It is important that all ‘unauthorised’ and ‘authorised’ users, when added to Dynamics CRM, are also added to these teams as a standard operating procedure when setting up a user in Dynamics CRM.
- Give these teams appropriate access under the FLS (field-level security) profiles.
- Create two forms for your target entity. One form (e.g. the ‘Standard’ form) should contain only the non-secure fields that are accessible by standard users. The other form (e.g. the ‘Sensitive’ form) should contain both secure and non-secure fields.
- Give access to the non-secure form to all security profiles except the secure (Sensitive) security profile.
- Give access to the other form to only the one “secure” (Sensitive) security profile.
Standard Security profile setup
Sensitive security profile setup
- Add some sort of trigger to the secure (Sensitive) form. For example, a “Publish this record” attribute which, using a workflow, shares the record with the ‘Standard’ team if ‘Yes’ is selected and unshares it if ‘No’ is selected.
- Publish field value: “No”
- Case not visible to the Standard users.
- When the Case is published by authorised users, i.e. Publish field value = “Yes”
- The Case appears in the Standard user’s view.
- Though the Case is visible, the Standard user can only see a limited set of fields.
- Behind the scenes, create a workflow that uses the Dynamics CRM Workflow Utilities to share and unshare this record with the teams.
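
The share/unshare step of that workflow, written out as an added example: a custom workflow activity built on the CRM SDK's `GrantAccessRequest` and `RevokeAccessRequest` messages. This is not code from MSCRM Workflow Utilities or from the original post; the class name `PublishRecordToTeam`, the argument names and the choice to grant read access only are assumptions made for illustration.

```csharp
using System.Activities;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Workflow;

// Hypothetical custom workflow activity (added example, not MSCRM Workflow Utilities code).
// Run it from a workflow on the target entity that fires when "Publish this record" changes.
public sealed class PublishRecordToTeam : CodeActivity
{
    [RequiredArgument]
    [Input("Publish this record")]
    public InArgument<bool> Publish { get; set; }

    [RequiredArgument]
    [Input("Team to share with")]
    [ReferenceTarget("team")]
    public InArgument<EntityReference> Team { get; set; }

    protected override void Execute(CodeActivityContext context)
    {
        var workflow = context.GetExtension<IWorkflowContext>();
        var factory = context.GetExtension<IOrganizationServiceFactory>();
        var tracing = context.GetExtension<ITracingService>();
        IOrganizationService service = factory.CreateOrganizationService(workflow.UserId);

        // The record the workflow is running against, e.g. the Case.
        var record = new EntityReference(workflow.PrimaryEntityName, workflow.PrimaryEntityId);
        EntityReference team = Team.Get(context);

        if (Publish.Get(context))
        {
            // Assumption: the Standard team only needs to view the record, so share
            // ReadAccess alone. Secured fields stay hidden by the team's FLS profile.
            service.Execute(new GrantAccessRequest
            {
                Target = record,
                PrincipalAccess = new PrincipalAccess
                {
                    Principal = team,
                    AccessMask = AccessRights.ReadAccess
                }
            });
            tracing.Trace("Shared {0} {1} with team {2} (read only)", record.LogicalName, record.Id, team.Id);
        }
        else
        {
            // "No" selected: remove every right previously shared with the team.
            service.Execute(new RevokeAccessRequest { Target = record, Revokee = team });
            tracing.Trace("Unshared {0} {1} from team {2}", record.LogicalName, record.Id, team.Id);
        }
    }
}
```

The user the workflow runs as needs Share access on the record for the grant to succeed.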