Sonoma Partners Microsoft CRM and Salesforce Blog

Controlling Access to Access Team Templates

One of the great new features of CRM 2013 is Access Teams.  Access Teams provide a great alternative to Sharing, which should always be the exception and not the rule.  Too much sharing leads to a large PrincipalObjectAccess (POA) table, which can lead to poor CRM performance.  This blog goes into detail on recommendations to keep the POA table as small as possible.

For one of our customers we had a perfect scenario for Access Team Templates.  Users should only have access to read their own records.  However, if they’re assigned a to-do that’s grouped together as part of a larger deliverable, they need to be able to see all details of that larger deliverable.  By adding them to the Access Team of the parent record with Read access, and allowing native CRM customizations to cascade that access down to the child records, the user can see all data in this one grouping of work that they wouldn’t be able to see with their normal security roles.

 

image

image

 

Access Teams are driven by the Access Team Templates (shown above, and available in Settings –> Administration –> Access Team Templates).

However, there’s something you should be aware of.  If an Access Team Template is ever deleted, all Access Teams that were created from that template will be deleted from the system.  Therefore you need to tightly control who can create, update, or delete Access Team Templates.

This is where the tricky part came in.  How do you drive permissions to Access Team Templates?  In native security roles there’s no “Access Team Template” or anything similar to that available in the list of entities or miscellaneous privileges.  So what drives this access?

Through painful trial and error, we identified that the “not so obvious” Customizations entity (shown below) drives these permissions.  Therefore it’s recommended that you remove the Delete privilege on Customizations to prevent Access Team Templates from being deleted (and for other obvious reasons as well).  Thankfully, out of the box only the System Administrator and System Customizer roles have this privilege.

 

image
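To confirm that only the expected roles hold this privilege, you can list every security role that carries Delete on Customizations. The FetchXML below is an added example, not part of the original post; it assumes the privilege's internal name is prvDeleteCustomization, which you should confirm against the privilege entity in your own organization before relying on the result.

```xml
<!-- Added example: list security roles that hold Delete on Customizations. -->
<!-- Assumption: the privilege's internal name is prvDeleteCustomization.   -->
<fetch distinct="true">
  <entity name="role">
    <attribute name="name" />
    <attribute name="businessunitid" />
    <order attribute="name" />
    <!-- roleprivileges is the intersect entity between role and privilege -->
    <link-entity name="roleprivileges" from="roleid" to="roleid" intersect="true">
      <link-entity name="privilege" from="privilegeid" to="privilegeid">
        <filter>
          <condition attribute="name" operator="eq" value="prvDeleteCustomization" />
        </filter>
      </link-entity>
    </link-entity>
  </entity>
</fetch>
```

Any role in the result other than System Administrator and System Customizer can delete Access Team Templates and should be reviewed. Roles are copied into each business unit, so the same role name may appear once per business unit.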
