Microsoft Dynamics CRM uses the term access rights to describe object-based security. When you develop custom code for Microsoft Dynamics CRM, you need to carefully consider how the system handles access rights. In particular, it’s important to consider the privileges and access rights of the user that your code will run under. This factor can get a little tricky because most actions require multiple access rights to execute properly. Table 4-3 lists some common actions that require more than one access right that you might use in your custom code, along with the required access rights for each action.
Table 4-3. Common Actions and Required Access Rights
Action | Required Access Rights |
---|---|
Creating and owning an instance of an entity | Read, Create |
Sharing an instance of an entity | Share (required by the user doing the sharing), Read (required by both the user doing the sharing and the user the instance is being shared with) |
Assigning an instance of an entity | Assign, Write, Read |
Appending to an instance of an entity | Read, AppendTo |
Appending an instance of an entity | Read, Append |
A security dependency exists with certain entities that require a relationship to another entity. For example, an Opportunity is always related to an Account or a Contact. In this case, to create a new instance of an Opportunity, a user needs AppendTo access on Account or Contact and Append access on Opportunity. In these instances, with related entities and required privileges, troubleshooting the exact privileges that the user needs can take some time because the required privileges aren’t always obvious. For example, consider the privileges required to create an appointment with the regardingobjectid attribute set to a Contact record:
prvAppendActivity
prvAppendQueueItem
prvAppendToContact
prvCreateActivity
prvCreateQueueItem
prvReadActivity
prvReadContact
prvReadUser
prvShareActivity
Some of these might jump out at you as surprising, such as needing Create Queue Item privileges to create an appointment. If you find yourself stuck trying to figure out the correct security settings, you can reference Appendix A of the SDK, which lists the privileges by Message.