Security Nuances with Manager Based Hierarchy in Dynamics 365

Manager Hierarchy was introduced way back with 2015 Online Update 1. You might be wondering why I am writing this blog years after the feature was introduced.

Well I can assure you, you won’t be disappointed after reading this blog. In this blog I will explain in detail the manager security nuances from my personal experience with project implementations and training. I am not going to explain how Manager security works. I am just going to explain the security nuances and how it works in multiple scenarios.

To explain my point, I have the below data set-up in my environment.

1. Business Unit Set-up

  • Americas –> Child BU of Root BU
  • North America –> Child BU of Americas

2. User Set-up

  • User A belonging to Americas BU
  • User B belonging to North America and reporting to User A
  • User C belonging to North America

3. Created Custom Entity named – Manager Hierarchy Test

4. Security Roles

  • Manager Role – having User level access on all privileges on the entity Manager Hierarchy Test
  • Reportee Role – having BU level access on all privileges on the entity Manager Hierarchy Test

5. User A is assigned the Manager role; User B and User C have the Reportee role.

So which records does Manager Hierarchy affect? To put it in my words, records that are:

  • Owned by Reportee
  • Shared to Reportee
  • Owned by a team to which Reportee is a team member
  • Shared by a team to which Reportee is a team member

Which records are not affected by Manager Hierarchy?

To put it in simple terms, any record which meets none of the above four conditions is not affected by Manager Hierarchy. So the records which the reportee gains access to through his security privileges (Business Unit/ Parent child/ organization) are not affected by this. Confused? Don’t worry. We will come back to this.

 

So let’s take these scenarios one by one.

Scenario 1:

Record owner = Reportee

User B creates a record – ‘Record for User B’. So this record is owned by User B. As per Manager Hierarchy, User A is able to read/ write this record since User B is a direct reportee of User A. No surprises here, right? After all, everyone knows that.

First of all, to have write access to the reportee’s record, User A should have at least user-level write privilege on the entity through his security role. Otherwise he won’t be able to write to the reportee’s record even through Manager Hierarchy.

Also, another point: the “Delete” privilege is not part of Manager security. Hence the manager won’t be able to delete the reportee’s record.

 

Scenario 2:

Record shared to Reportee

Another user shares a record with User B with all the privileges – Read/ write/ append/ append to/ share. User A will now see this record because of Manager Hierarchy. However, although the reportee has all the privileges on this record by virtue of sharing, through Manager Hierarchy User A will only have read-only access to this record.

 

Scenario 3:

Record owned by a team of which the reportee is a member

This behavior is the same as Scenario 1

 

Scenario 4:

Record shared to a team of which the reportee is a member

This behavior is the same as Scenario 2

 

Now say, for example, User C goes ahead and creates a record. Since User B and User C are both in the same business unit (North America in the example here), by virtue of the business unit level read privilege in his security role, User B would be able to see the record. However, since User B is not the owner, the record is not shared to him, it is not owned by a team to which he belongs and it is not shared to a team to which he belongs, this record is not affected by Manager Hierarchy and hence User A is not able to view this record.
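The four scenarios and the User C case above can be checked with a small model. This is an added Python example, not code from the original post and not how Dynamics 365 evaluates access internally: it encodes only the rules stated above for direct reportees, and User D, the team name NA Team and all field names are assumptions.

```python
from dataclasses import dataclass, field

ALL = {"read", "write", "append", "append_to", "share", "delete"}


@dataclass
class User:
    name: str
    bu: str
    depth: str                 # access level of the role on the entity: "user" or "bu"
    privileges: set            # privileges the role grants at that level
    manager: str = ""          # name of the direct manager ("" if none)
    teams: set = field(default_factory=set)


@dataclass
class Record:
    name: str
    owner: str                 # a user name or a team name
    shared: dict = field(default_factory=dict)   # principal -> shared privileges


def own_access(user, record, users):
    """Access from the user's own role, ownership and shares (no hierarchy)."""
    principals = {user.name} | user.teams
    granted = set()
    owner = users.get(record.owner)
    same_bu = owner is not None and owner.bu == user.bu
    if record.owner in principals or (user.depth == "bu" and same_bu):
        granted |= user.privileges
    for principal in principals:
        granted |= record.shared.get(principal, set())
    return granted


def hierarchy_access(manager, record, users):
    """Extra access a manager gets through direct reportees only."""
    granted = set()
    for reportee in users.values():
        if reportee.manager != manager.name:
            continue
        principals = {reportee.name} | reportee.teams
        if record.owner in principals:
            # Scenarios 1 and 3: read, plus write only when the manager's own
            # role carries write; delete is never passed up the hierarchy.
            granted.add("read")
            if "write" in manager.privileges:
                granted.add("write")
        elif principals & set(record.shared):
            # Scenarios 2 and 4: read-only, whatever was shared to the reportee.
            granted.add("read")
    return granted


def effective_access(user, record, users):
    return own_access(user, record, users) | hierarchy_access(user, record, users)


# Constructed data mirroring the post's set-up; "User D" and "NA Team" are assumptions.
USERS = {u.name: u for u in [
    User("User A", "Americas", "user", set(ALL)),
    User("User B", "North America", "bu", set(ALL), manager="User A", teams={"NA Team"}),
    User("User C", "North America", "bu", set(ALL)),
]}
SHARE_ALL = {"read", "write", "append", "append_to", "share"}
RECORDS = {r.name: r for r in [
    Record("owned by B", "User B"),
    Record("shared to B", "User D", {"User B": SHARE_ALL}),
    Record("owned by B's team", "NA Team"),
    Record("shared to B's team", "User D", {"NA Team": SHARE_ALL}),
    Record("owned by C", "User C"),
]}


def access_of(user_name, record_name):
    return effective_access(USERS[user_name], RECORDS[record_name], USERS)


if __name__ == "__main__":
    for rec in RECORDS:
        print(f"{rec:20} A={sorted(access_of('User A', rec))}")
```
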

 

Hope this clears out any doubt with Manager Hierarchy.

Debajit Dutta

(Dynamics MVP)

For corporate training/ consulting, please reach out to us at info@xrmforyou.com or visit our website – xrmforyou.com

Published at Tue, 15 May 2018 17:03:31 +0000

Headless Authentication with Dynamics CRM online and External Web App which requires Client Secret

As promised, I am back with my second post on this topic. In my previous post, I showed you how to generate an authorization token for D365 online from a native console app using the Client_ID.

https://debajmecrm.com/2018/04/29/headless-authentication-with-dynamics-crm-online-web-api-without-user-login-screen-without-using-adal-part-i/

We did that using simple HttpWebRequest and Response and did not use ADAL (Active Directory Authentication Library) either.

Well, let’s dive deep here. Nothing big in my previous topic as the same thing can be done using ADAL and in a clean way as well. Then why use that construct?

We are talking of headless authentication here, which means authentication without user intervention. Using ADAL, it was fine to generate the token from a native console app using the Client ID. However, things become complex when we try to do the same from an external web application which requires the Client_Secret as well for generating the token.

So I created an ASP.NET web application and registered it in Azure. I got the client id and client secret after registering the web app. How to do that? Well, you have many wonderful blogs out there and I am not going to repeat the same.

Now comes the code part. Below is the code for the same. Look at highlighted line to check how I am passing the client id and client secret

My CRM URL is – https://xrm4u1.crm.dynamics.com

 

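    // Requires: using System; using System.IO; using System.Net; using System.Text;
    //           using System.Web.Script.Serialization; (assembly System.Web.Extensions)
    public string GetCRMToken()
    {
        // Placeholders: load these from protected configuration, never hard-code them.
        var azureTenantId = "<tenant-id>";
        var clientId = "<client-id>";
        var clientSecret = "<client-secret>";

        var requestUrl = string.Format(
            "https://login.microsoftonline.com/{0}/oauth2/token", azureTenantId);

        var url = "https://xrm4u1.crm.dynamics.com";
        var userName = "<username>";
        var password = "<password>";

        // Connect to the authentication server
        var request = (HttpWebRequest)WebRequest.Create(requestUrl);
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";

        using (var reqStream = request.GetRequestStream())
        {
            // URL-encode every value so characters such as & or + in a secret or password survive
            var postData = string.Format(
                "client_id={0}&client_secret={1}&resource={2}&username={3}&password={4}&grant_type=password",
                Uri.EscapeDataString(clientId), Uri.EscapeDataString(clientSecret),
                Uri.EscapeDataString(url), Uri.EscapeDataString(userName),
                Uri.EscapeDataString(password));

            var postBytes = Encoding.ASCII.GetBytes(postData);
            reqStream.Write(postBytes, 0, postBytes.Length);
        }

        var accessToken = default(string);
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            // The token endpoint answers with JSON. The body of this block did not survive
            // on the page, so reading access_token with JavaScriptSerializer is an assumption.
            var json = new JavaScriptSerializer()
                .Deserialize<System.Collections.Generic.Dictionary<string, object>>(reader.ReadToEnd());
            accessToken = (string)json["access_token"];
        }

        return accessToken;
    }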

And delight is when you get the access token back. Now with the access token in your hand, you have the trump card. You can query Web API and what not.

Great isn’t it? To be honest with my readers, after this method without using ADAL worked out in my previous post, I just tried out sending the client secret in exactly the same way and it worked like a charm. Serendipity you can say!

Hope this helps.

Debajit Dutta

(Dynamics MVP)

For corporate training/ consulting please write to us at info@xrmforyou.com

Published at Mon, 30 Apr 2018 08:41:46 +0000

{Quick Tip} Restrict From Lookup in Dynamics 365 email to only queue–Without addCustomFilter or Unsupported Jscript

Restrict From Lookup in Dynamics 365 email to only queue–Without addCustomFilter or Unsupported Jscript

This is an old topic which has been discussed since CRM 2011, or I think even before that. You must be wondering why I am digging up history here. Well, there have been so many blogs written about this.

So what’s the problem statement here?

Recently my customer wanted that whenever an email is being sent from Dynamics, it only needs to be sent through Queues. In other words in the From Lookup of the email, the user should not be able to select self or any other user from CRM.

So there are basically two steps to it. Since from is a multi-entity lookup, it shows both the user and queue when user tries to select.

So the first thing needed is to stop the user from selecting the user entity and the next is to stop the user from selecting any user record in from.

To achieve the first problem statement, so many blogs have been written but they use unsupported Javascript to meddle with the UI element and disable the dropdown. We will not do that here.

The other option, supported way, is to use the addCustomFilter. But with that, even though you stop from selecting a user, still the Entity selection of User/ Queue is available.

So wanna try something new? Let’s do this.

  • Create a solution and add the Email entity to it. While adding the entity, to keep the solution simple, just add the From field to it (only for CRM 2016 and above; for prior versions, you are out of luck and cannot choose the options).
  • Export the solution as Unmanaged.
  • Unzip the solution. You should see three files:
    • customizations.xml
    • solution.xml
    • [Content_Types].xml
  • Open customizations.xml in an XML editor of your choice and navigate to the section where the From field is present.

  • You may find unmodified="1" on the attribute element as well as on the Email entity element. Remove these attributes. Otherwise any changes you make here may not be reflected in CRM once you import the solution back.
  • Scroll down a bit and you will see the section with the LookupType tag.

  • Remove the entire element corresponding to 8 (Type code for user). Your final XML should just contain the one LookupType tag with Queue (2020).
  • All set and done, select the three files and re-zip them

  • Re-import the solution and publish all customizations.
  • Now go back to your CRM email. Try to select “from”. And get the delight. Now entity selection is disabled and you are just left with selecting the queue.

Published at Wed, 02 May 2018 13:16:34 +0000

{Quick Tip} Restrict To Lookup of email to allow only a record in Dynamics 365

Restrict To Lookup of email to allow only a record in Dynamics 365

Nothing like real time requirements and here is another one. Customer walks in and puts in his requirement – “Users should not be able to select more than one record in the To field of CRM”. We suggested that while sending the email, we would put a validation which would stop the user from sending the email if more than one record is there. Well as everybody knows, more often than not, customer has his way and then we were back to the drawing boards trying to figure out how to do it.

For starters, To field in Dynamics allows you to select more than one record of multiple entity types which is obvious isn’t it. Below is the UI which allows you to do that.

Fortunately we found out a way. This is what we did.

  • Created a solution. Added Email entity and the To field to it.
  • Exported the solution
  • Unzipped the solution and opened up the customizations.xml file in an XML editor.
  • Navigated to the area where To attribute is there in the XML file.

  • Added the below in the XML file just above <displaynames> tag.

<LookupStyle>single</LookupStyle>

  • Re-zipped the files, imported the solution back and published all customizations.
  • And now when you click the To field, this is what you get.

Mission accomplished!
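Both solution-file edits, the From-lookup change from the previous post (remove the user LookupType, type code 8) and the LookupStyle change above, can be scripted instead of hand-edited. This is an added Python example, not code from the original posts; the XML fragment is constructed and heavily simplified, and the element nesting and the PhysicalName attribute it relies on are assumptions to check against your own export.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

USER_TYPE_CODE = "8"  # type code for user, as given in the From-lookup post

# Constructed, heavily simplified stand-in for an exported customizations.xml.
SAMPLE_XML = b"""<ImportExportXml><Entities><Entity><EntityInfo>
<entity Name="Email" unmodified="1"><attributes>
 <attribute PhysicalName="From" unmodified="1">
  <LookupTypes>
   <LookupType id="constructed-1">8</LookupType>
   <LookupType id="constructed-2">2020</LookupType>
  </LookupTypes>
  <displaynames/>
 </attribute>
 <attribute PhysicalName="To" unmodified="1"><Name>to</Name><displaynames/></attribute>
</attributes></entity>
</EntityInfo></Entity></Entities></ImportExportXml>"""


def patch_customizations(xml_bytes):
    """Apply both edits to the Email entity and return the new XML bytes."""
    root = ET.fromstring(xml_bytes)
    for entity in root.iter("entity"):
        if entity.get("Name") != "Email":
            continue
        for attr in list(entity.iter("attribute")):
            field = (attr.get("PhysicalName") or "").lower()
            if field == "from":
                # Drop every LookupType whose value is the user type code.
                for parent in list(attr.iter()):
                    for child in list(parent):
                        if child.tag == "LookupType" and (child.text or "").strip() == USER_TYPE_CODE:
                            parent.remove(child)
            elif field == "to":
                style = attr.find("LookupStyle")
                if style is None:
                    # Insert just above <displaynames>, as the To-lookup post does.
                    style = ET.Element("LookupStyle")
                    names = attr.find("displaynames")
                    pos = list(attr).index(names) if names is not None else len(attr)
                    attr.insert(pos, style)
                style.text = "single"
            else:
                continue
            # The posts warn that the import may ignore changes while this is set.
            attr.attrib.pop("unmodified", None)
            entity.attrib.pop("unmodified", None)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def patch_solution(zip_bytes):
    """Rewrite the solution zip in memory, patching only the customizations file."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name.lower() in ("customizations.xml", "customization.xml"):
                data = patch_customizations(data)
            dst.writestr(name, data)
    return out.getvalue()


def build_sample_solution():
    """Constructed three-file solution zip used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("customizations.xml", SAMPLE_XML)
        z.writestr("solution.xml", b"<ImportExportXml/>")
        z.writestr("[Content_Types].xml", b"<Types/>")
    return buf.getvalue()


def customizations_bytes(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.read("customizations.xml")


def email_attribute(zip_bytes, physical_name):
    """Return the parsed <attribute> element for one Email field, or None."""
    root = ET.fromstring(customizations_bytes(zip_bytes))
    for attr in root.iter("attribute"):
        if attr.get("PhysicalName") == physical_name:
            return attr
    return None
```

ElementTree re-serialises the whole file, so diff the patched customizations.xml against the original export before importing it.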

Hope this helps.

 

Debajit Dutta

(Dynamics MVP)

For training/ consulting, please write to us at info@xrmforyou.com

Published at Fri, 04 May 2018 15:23:09 +0000

{Quick Tip} Certificate disappearing in IIS of CRM server even after successful import.

Certificate disappearing in IIS of CRM server even after successful import.

Before I proceed with the post, let me clear this up. There is nothing special about the IIS server where CRM is installed. It applies to all IIS servers. However, being a devotee of Dynamics for quite some time now, I can’t write any post without tagging CRM to it.

So here I was working for a client with on-premise 2016 version. And their certificate is about to expire. They needed to generate a CSR for a SAN Certificate as wildcard certificates are not allowed by most of company policies.

So they used OpenSSL to generate the CSR. For readers who might be interested in knowing how to generate a SAN certificate using OpenSSL, https://geekflare.com/san-ssl-certificate/ provides a good example. And they got the certificate back from the Network team.

Now the D-day. They imported the certificate in Personal store and  also imported the certificate in IIS using ‘Complete Certificate Request’ option. All set and good.

But the moment they try to bind the certificate to dynamics CRM site, they could not find the certificate. Repeated this process. However the same behavior every time.

A bit of research and this is what comes up – “Certificate without private Key Information in it, cannot be binded to a IIS website.”

But how to do it?

When you generate a CSR request using Open SSL, the private key is output to a file. Usually the name is “Private.Key”, unless you specified something else.

So you have the private key and the certificate separately. But how to bind the certificate with the Private key?

Follow the below steps

  • Copy the private key file and the certificate to the OpenSSL bin folder. Usually it is C:\OpenSSL-Win64 for 64 bit machines and C:\OpenSSL-Win32 for 32 bit machines.
  • Open command prompt as administrator and navigate to the bin folder in the command prompt.
  • Run the below command

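    openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile <CA-chain-file>

Here certificate.pfx is the output certificate with the private key information, and certificate.crt is the certificate you received from the Network team. The -certfile option takes a file of additional (intermediate/CA) certificates to include in the PFX; <CA-chain-file> is a placeholder for it, and the option can be left out if there is no chain to add. OpenSSL prompts for an export password, which protects the private key inside the PFX.

Once the command completes successfully, you should be able to view certificate.pfx in the bin folder.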

Now all set and done. You will now just need to import this certificate to the IIS. But remember to use the “Import” option in the certificate window.

A rather off topic but hope it makes an interesting read.

Debajit Dutta

(Business Solutions MVP)

For corporate training/ consulting, please drop a note to info@xrmforyou.com or visit our website – www.xrmforyou.com

Author: Debajit

I am a Dynamics CRM Most Valuable Professional (MVP) with 10 years of experience in Microsoft .NET Technologies and 7 years of dedicated experience in Microsoft Dynamics CRM. I have worked with companies like Microsoft, SanDisk, PwC, TMF Group and have extensive experience of implementing complex CRM solutions from both offshore and client side.

Currently the face of XrmForYou.com with significant experience in delivering corporate training on Dynamics CRM and have already delivered multiple projects to client through XrmForYou.com

Author of multiple tools on codeplex including the ‘Role Based Views’ and ‘CRM-Sharepoint Metadata manager & Attachment Extractor’ which are available for commercial use under XrmForYou.com

For consulting/ training, drop me a note at info@xrmforyou.com or visit our website www.xrmforyou.com

Published at Sat, 28 Apr 2018 15:28:54 +0000

Take the Headache Out of Calculating Sales Tax with PowerSalesTax

If most of us had our way, taxes wouldn’t be a problem we had to deal with, particularly when it comes to sales tax. Why? Because sales tax can be a pain to understand and figure out- especially for business owners. It can be a full-time job just monitoring new tax rules and making sure that your organization is compliant. There must be an easier way, right?

PowerObjects teamed up with the trusted third-party tax provider- Avalara, to relieve some of the headaches that come with understanding and populating sales taxes. With PowerSalesTax, users can easily and most importantly accurately calculate sales tax on quotes, orders, and invoices within Microsoft Dynamics 365. In today’s blog, we will explain just how PowerSalesTax can increase productivity and save you time!

PowerSalesTax

PowerSalesTax connects to your Avalara account using the AvaTax API, a subset of Avalara- an industry leader in sales tax management and compliance. Once the solution is imported and configured in your CRM environment, simply add the PowerSalesTax tab to any entity form, select Apply Tax and the solution will call out to Avalara to collect the tax information for you. This two-way connection ensures that real-time sales tax calculations flow directly from their up-to-date tax engine directly to the orders and invoices generated in your CRM. Just wait folks, it gets even better…

Need to calculate tax for multiple locations? No problem! PowerSalesTax uses the location entered in the “Address 1” fields on a record to calculate the appropriate tax for that region. City Tax (%), State Tax (%), Special District Tax (%), Country Tax (%), County Tax (%) will automatically be filled in with the percentage of tax that applies, based on the origin and address of the account you are taxing. Pretty cool, right?

For step-by-step instructions on how to set up and configure PowerSalesTax in your Dynamics 365 environment check out the PowerSalesTax user guide. PowerSalesTax is one of thirty-one add-ons that PowerObjects has developed to enhance Dynamics 365 functionality. Like all PowerPack add-ons, a free 30-day trial of the solution is available for download directly from the PowerSalesTax webpage.

Happy Tax Season and Happy Dynamics 365’ing!

Published at Wed, 18 Apr 2018 17:20:07 +0000

{Quick Tip} Why is my workflow not showing up in Workflow Profiler in Plugin Registration Tool

Why is my workflow not showing up in Workflow Profiler in Plugin Registration Tool

Recently I was conducting a training where I was demoing how to debug a custom workflow activity step using the profiler in the Plugin Registration Tool. So here I was, explaining to them to first click on the “Profile Workflow” button in the Plugin Registration Tool. For starters, here it is in the screenshot below

And as I said – “Select your workflow”, I suddenly see a hand raised informing me that he is not able to view the workflow created by him.

Verified with all the others, and they were able to see their respective workflows.

I just thought – “Must be some silly error.” But I was soon to be proved wrong.

Situations like this can be tough when they come up all of a sudden. But my memory came to my rescue this time. I realized that while playing with the workflow, he had changed the owner of the workflow to someone else. And hence the workflow was not showing up in the workflow profiler.

So remember, if you are profiling a workflow, make sure the user with whom you have logged in to the Plugin Registration Tool and the owner of the workflow are the same person. Otherwise the workflow simply won’t appear in the ‘Profile Workflow’ list.

Hope this helps and saves you some time before you waste a couple of hours on this.

-Debajit Dutta (Dynamics MVP)

For corporate training/ consulting, visit www.xrmforyou.com or write to us at info@xrmforyou.com


Published at Wed, 11 Apr 2018 04:58:37 +0000

Creating Your Customer Care Dream Team

When you think of the greatest teams of all time, which teams come to mind? The ’95-’96 Chicago Bulls? The Avengers? The Magnificent Seven? The Tune Squad?

These teams, like any elite team, combine collaboration, communication, and dedication to propel themselves into infinite greatness. So, pump up those jams because it’s time to conquer your customer care challenge with a winning team! Organizations big and small, across all industries, are refocusing on customer care strategies. Does your customer care strategy take you the distance?

With many PowerPack Add-ons to choose from, learn how to draft a customer care-focused, dream team with the latest information and hot takes from our expert panel.

PowerSurveyPlus

Alias: The Standout

Biggest Strengths: Dynamic, Detail-Oriented

PowerSurveyPlus is a star player and an important part of any customer care strategy. Aptly nicknamed The Standout, PowerSurveyPlus is one of the most popular choices and is always in good company, as he works well with other powerful add-ons, like PowerMailChimp and PowerChat. PowerSurveyPlus also comes in clutch at end-of-game scenarios, offering a great platform to capture Customer Satisfaction when a support case is closed. Its versatility makes it a reliable communication tool for contacts, vendors, prospects and more. (Don’t take our word for it – check him out in action here!)

Expert Take: PowerSurveyPlus is a critical tool in any customer service organization as it facilitates a closed loop engagement with your customers. They had an issue, you fixed it, and now you want to know how their experience was (or other types of information). Your customer now gets the chance to provide feedback, directly into your Dynamics 365 platform, that can help you shape future customer engagements and deliver a better experience. Additionally, now you can see who the superstars are within your customer service team. – Adam Borst, Customer Care Practice Director

PowerSMS

Alias: The Conversationalist
Biggest Strengths: Communicative, Dependable

The key to any team’s success is a consistent and effective communication game plan. PowerSMS is that key! Like an old teammate, PowerSMS has the dependability and effortless communication to support any customer care strategy. Engage with customers directly through text messages, such as reminders or confirmations, and track those interactions on their record in Dynamics 365. Workflows can automate text messages to a contact(s) based on certain criteria, and when PowerSMS is integrated with third-party text messaging platforms, you can give your customers the ability to reply, if needed.

Expert Take: Communication is vital! Sending text messages through CRM, and tracking responses is an excellent way to document/engage with your client. Text messages can even be automated to make the functionality that much more convenient! – Zach Bridgeman, PowerPack Pro

PowerMap

Alias: The Visionary
Biggest Strengths: Observant, Insightful

PowerMap may not seem like a top choice, but he is truly a slam dunk for your Customer Care team! PowerMap connects your customer care team to leads, customers and prospects. Leveraging PowerMap, users can map a certain radius, create a marketing list, view heat maps, and send emails or obtain driving directions, based on those results. For example, if you have a customer care representative in a specific area, you can map out clients in a set radius, send an email you’re in the area, and meet with those valued contacts. PowerMap will also map directions to non-account related items, like a restaurant or airport, to be included during your trip, and it can be accessed with your mobile device.

Expert Take: PowerMap provides a visual depiction of your records, in a way no other PowerPack does. Not only are you able to view all of the records within a CRM entity on the map, but you are also able to dive into each individual record. Through the visual representation of your records, you are able to seize opportunities that you otherwise may not have noticed were there.
Maggie Web, PowerPack Pro

PowerChat

Nickname: The Chatterbox
Biggest Strengths: Customizable, Punctual

This straightforward player has a defined set of skills to round out your Customer Care Dream Team. But don’t let her Chatterbox nickname scare you – PowerChat is as talkative as she is brilliant! PowerChat allows live chat with web visitors and creates contacts and leads, and tracks those interactions back in Dynamics 365. Users can even add a timer to the chat window so agents can see how long a customer has waited for a response. Like many PowerPack options, PowerChat is customizable to fit your unique needs. Need multiple agents? PowerChat can handle it! Want customers to rate their experience? PowerChat can handle it! Need an auto-generated script? PowerChat can handle it! PowerChat shoots, she scores!

PowerChat is a player always ready to meet and overcome any challenge you pass her way! (Check out her highlight reel here!)

Expert Take: PowerChat allows you to create cases or even convert visitors to opportunities all from within the chat window. – Jacob Sapp, PowerPack Pro

PowerMailChimp

Alias: The Powerhouse
Biggest Strengths: Charismatic, Analytical, Synergistic

PowerMailChimp has a solid reputation and is often trusted to provide the foundation to a well-rounded customer care team. PowerMailChimp is more than just an effective communicator – this powerhouse can track customer engagement through open and click rates, and swiftly manage your campaigns and templates. Keep customers and prospects engaged by using PMC to send newsletters and promotions. Add a PowerSurveyPlus link and learn which of your customers are engaging, opening links, and more! Powerful communication, analytics, management… PowerMailChimp has it all! Plus, she brings a wealth of knowledge, and has been in the PowerPack business for over six years. Although her loyalty is to this elite squad, PowerMailChimp is known for her successful collaborations with other praised PowerPacks, like PowerSurveyPlus, PowerWebTraffic, PowerWebForm and PowerOneView.

Expert Take: PowerMailChimp is a great solution that allows you to connect your existing Marketing Lists in CRM with your MailChimp account. Send newsletters to your Accounts, Contacts or Leads and track their information from within your CRM. – Jacob Sapp, PowerPack Pro

Check out the Player Cards here and propel your organization into the customer experience hall of fame!

Happy Dynamics 365’ing!

Published at Tue, 17 Apr 2018 19:24:10 +0000

Dynamics 365 Security tips – Can a user work with only team roles in Dynamics 365

Can a user work with only team roles in Dynamics 365

Recently I was conducting a training in Dynamics 365 where I got the same question. Just a quick thought and the answer that comes to mind is “Yes”. After all,

a user’s security role is the sum of the security roles directly assigned to the user + the sum of the roles the user derives through its association with teams (provided the teams are given security roles)

And here I was, where a user belongs to a team and the team has a security role with all the right privileges assigned to make the user work in Dynamics.

When I assigned the role directly to the user and the user is not part of the team, it just worked fine. Now comes the other way round. I remove the user’s security role, assign the same security role to a team and add the user to the team.

As you can see, the security role is having pretty much everything to access this account.

Login screen below after the user logged in.

Looks awesome, doesn’t it? The user can see accounts as expected. Just when you think that you have won the participants’ hearts with your awesome understanding of Dynamics, Dynamics will throw a stick or two at you.

So I clicked on Account and this is what I get below.

That facepalm moment where you are just thinking, what just happened?

Now time for some recovery. When I click on Advanced find and try to access accounts, I could see them just fine.

You can even create/ read/ write and do all the fancy stuff as per the role privilege.

Now I just did this trick. I just created a dummy role with absolutely no privilege to any entity and added it to the user. And this time when I click on Sales –> accounts, it just works fine.

So next time when you are up to this, this can save you some awkward moments. Not sure if this is a bug or expected behavior, but it seems the problem is only with the Home Page grid. Even if I try to read/ write accounts with the user credentials programmatically using SDK.

For the home page grid to work, it requires a role to be assigned directly to the user.

Debajit Dutta (Dynamics MVP)

 

Dynamics 365 Tip Hiding Navigation Pane in forms exposed on Mobile (including Owner relationship)

Hiding Navigation Pane in forms exposed on Mobile (including Owner relationship)

Dynamics has evolved over the years and with time it has become a really vast tool. So many features are in there that we may not have used till now in all our projects. They are there though, sitting quietly, and can do some pretty cool stuff. But you remember them when you need them the most. One such scenario I am going to describe here.

So here I was working for a customer who wants to expose their CRM on mobile. We created separate forms for mobile, lighter than the web versions, and exposed them on mobile. However, with the mobile real estate being really limited, the customer wanted the navigation options to be hidden.

So it started, developers removed all the links in the navigation pane using form editor. And published the form.

Wouldn’t it be perfect? It should just work, right? Sadly, no. You may end up removing all but the nagging owner relationship (for user-owned entities). And on mobile, it would just occupy the first tab.

Well, it won’t go, no matter how hard you try, until you go to Form Properties –> Display tab –> uncheck “Show Navigation”.

Save and publish the form. And voila, it just works!

Hope this helps

Debajit Dutta (Dynamics MVP)