Identify field level permissions for specific user/team

Introduction

Developers frequently write JavaScript on entity forms to read or modify field values. In some scenarios, however, the code does not receive the expected value from a field even though the field holds one. A possible reason is field level security.

If field level security is enabled for a field and the logged-in user does not have the READ right on it, JavaScript gets a null value. This may result in incorrect business logic.

To avoid such scenarios, it is better to check what level of permissions the logged-in user has. In this blog, I give a step-by-step implementation of a Custom Action with a Plugin that checks what level of permissions a user has on a field.

Tricky part in querying field permissions

1. When querying field permissions for a team, we follow the path below. This is straightforward.

SELECT     fp.attributelogicalname, 
           fp.cancreate, 
           fp.canread, 
           fp.canupdate 
FROM       teamprofiles TP 
INNER JOIN fieldsecurityprofile FSP 
ON         tp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
INNER JOIN fieldpermissions FP 
ON         fp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
WHERE      tp.teamid = <team id passed IN parameter>

2. When querying field permissions for a user, we need to check both the user's own association with security profiles and the association of the teams (of which the user is a member) with security profiles. The query path for this is below.

SELECT     fp.attributelogicalname, 
           fp.cancreate, 
           fp.canread, 
           fp.canupdate 
FROM       systemuserprofiles SUP 
INNER JOIN fieldsecurityprofile FSP 
ON         sup.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
INNER JOIN fieldpermissions FP 
ON         fp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
WHERE      sup.systemuserid = <USER id passed IN parameter> 
UNION 
SELECT     fp.attributelogicalname, 
           fp.cancreate, 
           fp.canread, 
           fp.canupdate 
FROM       teamprofiles tp 
INNER JOIN teammembership tm 
ON         tm.teamid = tp.teamid 
INNER JOIN fieldsecurityprofile fsp 
ON         tp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
INNER JOIN fieldpermissions fp 
ON         fp.fieldsecurityprofileid = fsp.fieldsecurityprofileid 
WHERE      tm.systemuserid = <USER id passed IN parameter>

[Note: The second SELECT, after the UNION, gets the field permissions that are assigned to the user through Teams.]
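The user query returns one row per profile, so a field can come back several times with different rights. The following added example (not code from the original post) walks the same join path over constructed in-memory rows and collapses them into effective rights, assuming the platform's option values 0 = Not Allowed and 4 = Allowed and that rights from several profiles are combined permissively; the function names and sample ids are hypothetical.

```javascript
// Dataverse FieldPermissionType option values: 0 = Not Allowed, 4 = Allowed.
const ALLOWED = 4;

// Constructed sample rows; table and column names follow the queries above.
const db = {
  systemuserprofiles: [{ systemuserid: "u1", fieldsecurityprofileid: "p-sales" }],
  teammembership: [{ systemuserid: "u1", teamid: "t1" }, { systemuserid: "u2", teamid: "t1" }],
  teamprofiles: [{ teamid: "t1", fieldsecurityprofileid: "p-finance" }],
  fieldpermissions: [
    { fieldsecurityprofileid: "p-sales", attributelogicalname: "creditlimit",
      cancreate: 0, canread: 4, canupdate: 0 },
    { fieldsecurityprofileid: "p-finance", attributelogicalname: "creditlimit",
      cancreate: 0, canread: 4, canupdate: 4 },
    { fieldsecurityprofileid: "p-finance", attributelogicalname: "new_taxid",
      cancreate: 0, canread: 0, canupdate: 0 },
  ],
};

// Small join helper: rows where row[key] === val, projected to row[col].
const pick = (rows, key, val, col) => rows.filter((r) => r[key] === val).map((r) => r[col]);

// Both branches of the UNION: profiles linked to the user directly,
// plus profiles linked to any team the user is a member of.
function profileIdsForUser(userId) {
  const direct = pick(db.systemuserprofiles, "systemuserid", userId, "fieldsecurityprofileid");
  const teams = pick(db.teammembership, "systemuserid", userId, "teamid");
  const viaTeams = teams.flatMap((t) => pick(db.teamprofiles, "teamid", t, "fieldsecurityprofileid"));
  return new Set([...direct, ...viaTeams]);
}

// Collapse per-profile rows to one entry per field: a right is held
// when at least one of the user's profiles allows it.
function effectivePermissions(userId) {
  const ids = profileIdsForUser(userId);
  const out = {};
  for (const fp of db.fieldpermissions) {
    if (!ids.has(fp.fieldsecurityprofileid)) continue;
    const name = fp.attributelogicalname;
    out[name] = out[name] || { cancreate: false, canread: false, canupdate: false };
    for (const right of Object.keys(out[name])) {
      out[name][right] = out[name][right] || fp[right] === ALLOWED;
    }
  }
  return out;
}

// Only meaningful for a field that has field security enabled: a secured
// field with no row for this user is unreadable, so form code will see null.
function canReadSecuredField(userId, field) {
  const p = effectivePermissions(userId)[field];
  return Boolean(p && p.canread);
}
```

The queries on the page select only attributelogicalname; if two entities secure a field with the same logical name, key the result on the entity as well.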

Step-by-step guide

Create custom action

  • Create custom action with below configuration:
    • Scope: Global (not specific to any entity)
    • Parameters

Explanation:

  • Why scope is set to Global?

This operation is not specific to any entity, and a developer might want to call the action for either a system user or a team. Hence, we have set the scope to Global.

  • Parameters description
Parameter Name | Purpose
output | This parameter will contain the result of the action. This will contain JSON string with all the security enabled fields and their permissions.
entityid | This is an input parameter. It should contain either System User GUID or Team GUID.
primaryentity | This is an input parameter. The valid values are either “systemuser” or “team”. This will determine whether field permissions are being identified for user or team.
fieldsecurityprofilename | This input parameter contains the name of the Field Security Profile from which permissions will be retrieved.
entityname | This is an optional input parameter. This should contain entity type code.
fieldname | This is an optional input parameter. If you want to find permissions for any specific field, you can put its logical name in this parameter.

Locate file named GetFieldSecurityProfileAssociationAction.cs under Plugins project.

  • Register Post Operation – Synchronous plugin on action message.
  • Call the action. Sample input & output format is given below.

References

  • Link by Microsoft explains how to retrieve Field Permissions.

https://docs.microsoft.com/en-us/dynamics365/customer-engagement/developer/sample-retrieve-field-permissions


Programmatically authenticate multi-factor enabled Dynamics 365 CRM environment

Introduction

I have observed that our clients are recently focusing more on security, and typically the first thing they do is enable multi-factor authentication. From a developer’s perspective, there is no issue in accessing CRM through the user interface, because developers can get the OTP on their mobile phones.

But many times we use third-party applications like XrmToolBox to connect to Dynamics CRM, or use the Plugin Registration Tool to connect to the organization. In such scenarios, we get an error even after entering correct credentials.

This blog explains the solution to the above problem.

Problem Statement

If multi-factor authentication is enabled for Dynamics 365, developers cannot connect to CRM programmatically, or through the Plugin Registration Tool, XrmToolBox, etc., using their own password.

Solution

There is a very simple solution, which requires only the 2 steps below:

  1. Follow this article to generate an App Password.

https://support.office.com/en-us/article/create-an-app-password-for-office-365-3e7c860f-bda4-4441-a618-b53953ee1183

  2. Once the app password is generated and noted down in the above step, use that password instead of your default password.

Hope you find this information useful!!!

You cannot delete this component while the following components depend on it.

Introduction

In Dynamics 365, to delete any component, you must first remove or delete everything that depends on it. For example, if you want to delete a custom entity called Configuration, you need to delete or remove all the components that depend on the Configuration entity.

Users often have trouble finding the list of dependent components. It is easy to say: Open Default Solution > Go to Entities > Select the Entity > Click on Show Dependencies. Yes, that is absolutely correct.

The problem arises when we don’t understand the list that CRM shows. This blog explains a tricky component that we cannot find directly.

Problem Statement

  1. Open Default Solution (Or unmanaged solution that contains the entity you want to delete).
  2. Go to Entities tab and select the entity you want to delete.
  3. Click on Show Dependencies button. You will see a popup window something like below:

dependencies list

We cannot easily identify highlighted components from above image because of below reasons:

  1. We cannot find any name for the plugin step or for the SDK Processing Image.
  2. If we try to find the steps in the Default Solution, we won’t see them anywhere under Sdk Message Processing Step.
  3. If we connect using the plugin registration tool, we won’t find the steps there either.

Solution

When I investigated more on this issue, I found that there was a Business Rule which was registered on the entity and had scope as Entity. This was causing the issue.

I deactivated the business rule and deleted the same and the highlighted components got removed from the dependencies list.

 

Embed Microsoft Forms in your website and get leads in Dynamics 365 CRM without writing code

 

Introduction

We frequently come across a requirement where customers ask us to create a custom page, embed it in their website and write logic to get leads into Dynamics 365 CRM.

In this blog, I explain how we can achieve this requirement without coding.

Approaches

Traditional Approach

We create a custom HTML page and a custom service hosted somewhere, and then use JavaScript to call the web service and create the respective records in CRM.

Alternative Better Approach

We can use Microsoft Forms and Microsoft Flow to get the lead data inserted into Dynamics 365 CRM without coding.

How-to Steps

Pre-Requisites:

  1. You should have D365 CRM (Sales) license.
  2. You should have access to Microsoft Forms (refer References section for the same).
  3. You should have access to Microsoft Flow.

Create Microsoft Form to get Lead Information

  1. Login to https://portal.office.com and open Forms from Admin Center.
  2. Click on New Form.
  3. Name the form and keep adding questions.
  4. This is my form.
  5. Click on Share option and select Embed option.
  6. Copy the Iframe tag and include it in your web page.
  7. That’s it. Your form is ready.

Create Microsoft Flow to insert response in Dynamics 365 CRM.

  1. Go to Flow from admin center.
  2. Select CREATE FROM BLANK option. Give some name to Flow.
  3. Search for Microsoft Forms in connectors and select Microsoft Forms – When a new response is submitted.
  4. Select your form.
  5. Click Next step and select Add an Action.
  6. Search for Microsoft Forms and select Microsoft Forms – Get Response Details.
  7. In the configuration, put the formula below as per the screenshot.

first(triggerBody()?['value'])?['resourceData']?['responseId']

Refer this blog to understand above formula.

  8. Click on Next step and select Add an Action.
  9. Search for Dynamics 365 and select Dynamics 365 – Create a new record (V2).
  10. Select Organization.
  11. Select entity as Leads. It will show the fields of the Lead entity.
  12. Click on Last Name textbox and select Last Name option from the right pane as per below screenshot. Repeat same steps for other fields.

Note: Click Show advanced options to see optional fields.

  13. That’s it. Finally click on Create Flow.

At this stage you are ready. You can start entering data in your form and it will automatically get inserted into Dynamics 365 CRM in near real time.

References

  1. Know more about Microsoft Forms

https://forms.office.com/

https://support.office.com/en-us/forms

  2. Frequently asked questions about Microsoft Forms

https://support.office.com/en-us/article/Frequently-asked-questions-about-Microsoft-Forms-495c4242-6102-40a0-add8-df05ed6af61c

 

Can I still get CRM Online trial of older version?

Introduction

As Microsoft keeps releasing new versions of Dynamics 365/CRM, we should be prepared for the new features. But we frequently need to test our customizations on an older version, and when we register a trial, we are surprised by the newly released version. So how can we test our customizations on the version we expected?

This blog explains how we can achieve this.

Follow below steps to get older version of Dynamics CRM Online versions

  1. Visit https://www.microsoft.com/en-us/dynamics365/sales-trial and get started and sign up for new trial.
  2. Once you create new online environment, it will be the latest version of Dynamics 365 CRM.
  3. Go to https://portal.office.com > Admin Center.

admin center

  4. In Admin Center, click on Dynamics 365.

dynamics 365 in admin center

  5. You will see something like below:

instance manager

  6. Click on Edit. Change the Instance Type to Sandbox. Click Next & Save. After this step, you will see something like below.

sandbox options in instance management

  7. Click on RESET. You will get option to select Target Version.

target versions

  8. Select the version you want and click Reset. That’s it.

Invalid stage transition. Transition to stage {0} is not in the process active path.

Introduction

With the latest release of Dynamics 365, Microsoft has restricted skipping BPF stages and throws the above error. When we change the BPF stage programmatically and skip any BPF stage, the user gets the above error.

Understand the error with the help of an example

Let’s say we have below Business Process Flow on Opportunity.

sample BPF

With D365, only below transitions are allowed.

  1. Qualify to Develop
  2. Develop to Propose
  3. Propose to Close

Below transitions are not allowed.

  1. Qualify to Propose
  2. Develop to Close
  3. Qualify to Close

Why did my earlier code (prior to D365 release) work and then suddenly stop working?

Before the D365 release, the above scenarios were considered unsupported, but Microsoft enforced no restrictions. Hence our code used to work in these unsupported scenarios as well. With the D365 release, Microsoft has restricted these unsupported scenarios, and users start receiving the error with the same code.

How have I come to this conclusion?

  1. I got the error log file with error code and same error code (-2146885629) is now available in SDK (you can search in CHM file).

SDK Error Code

  2. I raised a support ticket with Microsoft and as per confirmation from MS Support, it has turned out to be by-design. I received below response from MS Support Team.

Reply from MS Support

Note: Even though Microsoft has mentioned Environment as CRM Online, as this is by-design in D365, it applies to CRM On-premise deployments as well.

Summary/Resolutions

  1. After thinking about these unsupported scenarios, it makes sense to use logical branching to skip stages where needed; otherwise we should follow the path defined in the BPF.
  2. The resolution to this issue is either to programmatically move the record through all the stages or to use conditional branching in the BPF.

How to use Business Rules to determine Form Type in Dynamics CRM

Introduction

One of the frequent requirements we receive is to do basic form customizations based on Form Type, e.g. show a few fields while creating a record and hide those fields once the record is saved.

First option that comes to a developer’s mind

As we cannot check an entity’s form type using Business Rules, we must use JavaScript to achieve this requirement. Hence, a developer will usually write a JavaScript method and register it on the Form Load event.

This is a time-consuming task compared to the solution I explain below. It also needs a technical person, because it involves coding.

An option that usually slips the developer’s mind

As we know, the Created On field is populated only when the record is created. Also, CRM does not allow the user to set the Created On field, so we can use this field to determine whether the user is on the Create form or has opened an existing record.

Below screenshot shows how Business Rule can be configured to unlock the Account on Create form and lock it for existing record.

business rule

Simple solution, but we usually miss it.