Developer Student Guide

Entity Permissions

Table of ContentsLesson: Entity Permissions.......................................................................................................................... 3

Exercise: Assign global permissions to an Entity List..............................................................................3

Enable Entity Permissions................................................................................................................... 3

Create a Lead Manager Web Role......................................................................................................3

Add a Contact to the new Web Role....................................................................................................3

Add an new Entity Permission record..................................................................................................4

Add the newly created permission to the Administrators Web Role.....................................................5

Test the List on the Portal.................................................................................................................... 5

Exercise: Create a reduced permission set.............................................................................................6

Add Read-Only permission to the Default Web Role...........................................................................6

Test the Permissions on the Portal......................................................................................................6

Lesson: Entity Permissions

In this lesson, we’ll secure our Entity Lists and Entity Forms using Entity Permissions. This allows us to potentially build out a complete Custom Web Application with secured forms and views, allowing users of the portal in different roles to have varying degrees of access to the data exposed on the portal.

Exercise: Assign global permissions to an Entity List

The most basic type of Security is just to enable permissions on the Forms and Lists on our portal, and granting permissions only to people in those roles.

In order to do this Exercise, you must have an Entity List and Entity Form for the Edit and Read view of that Entity List already in place. If you have done the Entity Forms and Entity List exercises, you will have already in place an Entity List that renders a list of leads on the portal, and Edit and Create Forms that can be used to edit records in that list, or add new records.

If you have not done the Entity List exercises, you may either do those exercises, or just create an Entity List for leads, ensuring that there is an Entity Form for the Edit action, if you are comfortable with the Entity List functionality.

Enable Entity Permissions

You will notice that when you navigate to this List on the portal, it is unsecured. Even an anonymous user can see all Leads in the system. Time to secure this list. The first step is to enable permissions on both the Entity Form Record and the Entity List Record.

Create a Lead Manager Web Role

In Dynamics CRM, Navigate to Portals > Web Roles, then Click New to create a new Web Role.

Give the Role a name. You can name it whatever you want – but from now on I’ll assume you named it Lead Manager. Set the Website to the website you are using for the training – either Training Portal or Community Portal as appropriate. Also both Authenticated Users Role and Anonymous Users Role are both set to false. Save the Web Role

Add a Contact to the new Web Role

Add an Existing Contact to this Web Role (other than the System Administrator Contact). If you have done the Web Content Authorization Exercises (i.e. the Security Exercises), you will have created a Jon

3

Doe contact. It is recommended that in this case you use this Contact for the remainder of the exercises.

Add an new Entity Permission record

Now we will add Global permissions to the Lead Entity to this Web Role.

1. From the Web Role form, navigate to Entity Permissions either through the Sub Grid or from the top right-hand navigation

2. Click to Add an Entity Permission to the Web Role

3. Click the magnifying glass to view existing records, then click New

4

4. Set the Entity Name to lead5. Set the Scope to Global6. Grant all Privileges: Read, Write, Create, Delete, Append, Append To7. Click Save

Add the newly created permission to the Administrators Web Role

Navigate to Portals > Community Portal or Training Portal > Web Roles and open the Administrators role

Navigate to Entity Permissions either through the Sub Grid or from the top right-hand (related records) navigation dropdown. Click to Add an Existing Entity Permission…

Search for “lead”. This should bring up the Global Lead Permission that you created earlier. Add this permission to the Web Role

Test the List on the Portal

5

Exercise: Create a reduced permission set

In this exercise, we are going to edit the Authenticated User Role, allowing anyone logged in to read all leads in the system, but without giving them any other permissions.

Add Read-Only permission to the Default Web Role

Recall that the default user role is any role(s) that has the Boolean field “Authenticated User Role” set to true. For Community Portal or Training Portal, this role is called “Authenticated Users”

1. Navigate to Portals > Community Portal or Training Portal > Web Roles and open the Authenticated Users role

2. From the Web Role form, navigate to Entity Permissions either through the Sub Grid or from the top right-hand navigation

3. Click to Add an Entity Permission to the Web Role4. Click the magnifying glass to view existing records, then click New

5. Set the Entity Name to lead6. Set the scope to Global7. Grant the Read Privilege only8. Save

Test the Permissions on the Portal

Navigate to the Portal Web Application that you are using for the training; either Community Portal or Training Portal, if it exists. Ensure you are not signed in.

Navigate to your Leads List page. It should be either under the Content page or in your Workspace, if applicable.

While you are not signed in, or if you sign in as someone who is not in any of the Web Roles we have worked with so far, you should see no records.

6

Sign in as customer

You should now have read permission, but not edit or create.

You can compare this to the ability to edit and create that you’ve experienced so far while logged in as jdoe or administrator.

7

Exercise: Add a Contact-Scoped Permission Set

We are going to modify the permission that we granted to the Lead Manager role earlier so that it only grants permission to leads that are related to the Portal User who is logged in. In this case, we are going to specify that leads for which the logged in Contact is the “Parent Contact for Lead” will be accessible to Contacts within the Lead Manager role

Note for this exercise that in the Entity List Exercises we set the create form for leads to set this relationship for any leads created through the portal. Thus, any leads that we create through the portal, while logged in as a user in the Lead Manager role, will be then accessible to that user. Thus, In order to populate your CRM with test data, you can either create a view Leads through the portal while logged in as the Jon Doe contact, or set the relationship manually (through the CRM) for a few of the sample Leads already in the system.

Remove the global permission from Lead Manager

First let’s remove global permission from the Lead

Navigate to Portals > Community Portal or Training Portal > Web Roles and open the Lead Manager role. From the Web Role form, navigate to Entity Permissions either through the Sub Grid or from the top right-hand navigation.

Remove any existing permissions from this role.

Add a new Contact-scoped permission

Still on the Web Role form, we are now going to add a contact-scoped permission.

1. From the Web Role form, navigate to Entity Permissions either through the Sub Grid or from the top right-hand navigation

2. Click to Add an Entity Permission to the Web Role3. Click the magnifying glass to view existing records, then click New

4. Set the Entity Name to lead5. Set the scope to Contact

8

6. Set the Contact Relationship to “lead_parent_account”7. Grant all Privileges: Read, Write, Create, Delete, Append, Append To8. Save

Access the List from the Portal

Navigate to the Portal Web Application that you are using for the training; either Community Portal or Training Portal, if it exists.

Sign in as jdoe (The Jon Doe contact)

Navigate to the Lead List. You should only have Write Access to Leads that are related to the Jon Doe contact. You can test this by creating a new Lead using the Create Button. The new Lead should appear in the list. Existing leads should be read-only. You have read access to these records only by virtue of the Authenticated User Role.

Experiment

Try taking away the global read permission from the Authenticated Users Role. What records do you see while logged in as Jon Doe?

Try Adding a View Details Page (using a separate Web Page with a Web Form or Entity Form) to the List (remove the Details action from the Entity List record, if there is one). How do permissions affect the details page?

9

Exercise: Add an Account-Scoped Permission Set

In the case of this exercise, we want to create a situation where there are records only visible from the portal is they are associated with the currently logged-in users’ parent account.

This exercise is essentially a copy of another exercise that it pertains to equally well – The Exercise entitled “Add a Parent Account Form” in the Entity Form Lesson. It is included here for convenience.

10