In Dynamics CRM 2011 we can restrict user security privileges for entities,
miscellaneous privileges, fields, etc. via Security Roles or Field Level
Security. However, certain actions (e.g. record Activate, Deactivate, Lead
Qualify, Quote Activate) cannot be restricted via security roles or
Field Level Security.
As there is no standard feature available to control these privileges, one
possible way is to develop and register a plugin on the SetStateDynamicEntity
message for an entity in the Pre-Operation stage. The plugin code should check
whether the record is being activated and whether the action is performed by a
specified user, a user with a specified Security Role, or a user holding the
entity privilege; if so it allows execution, otherwise it aborts execution and
throws an exception. The plugin code below is used for restricting record
deactivation.
[C# Code: Restrict Entity Deactivate Privileges Example]
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Metadata;
using Microsoft.Xrm.Sdk.Query;
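namespace wod.Crm.ActivationPrivileges
{
    /// <summary>
    /// Plugin that aborts a record deactivation unless the initiating user has been
    /// assigned the "Sales Manager" security role.
    /// </summary>
    /// <remarks>
    /// Intended to be registered in the Pre-Operation stage so that the exception
    /// thrown here stops the state change. The same state change may also arrive
    /// under the SetState message name, so the check below accepts both names; the
    /// step still has to be registered for each message it should guard
    /// (confirm which messages the target entity raises).
    /// </remarks>
    public class wodPlugin : IPlugin
    {
        // Status reason value this sample treats as "record is being deactivated".
        // NOTE(review): this is the status reason, not the state. A request that
        // carries a different status reason for the inactive state (for example a
        // custom one) would not match this value; comparing the "State" input
        // parameter as well is sturdier. Confirm the values for the target entity.
        private const int DeactivatedStatusValue = 2;

        // Security role whose holders are allowed to deactivate records.
        private const string RequiredRoleName = "Sales Manager";

        /// <summary>
        /// Plugin entry point: rejects the request when it deactivates a record and the
        /// initiating user does not hold the required security role.
        /// </summary>
        /// <param name="serviceProvider">Service provider supplied by the platform.</param>
        /// <exception cref="InvalidPluginExecutionException">
        /// Thrown when the user lacks the role, and also when the check itself fails,
        /// so that an error during the check does not let the state change through.
        /// </exception>
        public void Execute(IServiceProvider serviceProvider)
        {
            if (serviceProvider == null)
            {
                throw new ArgumentNullException("serviceProvider");
            }

            // Obtain the execution context from the service provider.
            IPluginExecutionContext context = (IPluginExecutionContext)
                serviceProvider.GetService(typeof(IPluginExecutionContext));

            try
            {
                if (!IsDeactivationRequest(context))
                {
                    return;
                }

                // Obtain the service factory and from it the service object.
                // NOTE(review): the service runs as context.UserId, so the role lookup
                // depends on that user being allowed to read roles. If the lookup
                // throws, the catch blocks below abort the operation.
                IOrganizationServiceFactory wod_serviceFactory = (IOrganizationServiceFactory)
                    serviceProvider.GetService(typeof(IOrganizationServiceFactory));
                IOrganizationService wod_CrmService =
                    wod_serviceFactory.CreateOrganizationService(context.UserId);

                // The decision is made for the user who initiated the request.
                if (!CheckUserHasSecurityRole(wod_CrmService, context.InitiatingUserId, RequiredRoleName))
                {
                    throw new InvalidPluginExecutionException(
                        "Not enough privelegs to deactivate record.");
                }
            }
            catch (System.Web.Services.Protocols.SoapException ex)
            {
                // Detail is optional on a SOAP fault; fall back to the message so the
                // handler itself cannot fail with a null reference.
                throw new InvalidPluginExecutionException(
                    ex.Detail != null ? ex.Detail.InnerText : ex.Message);
            }
            catch (InvalidPluginExecutionException)
            {
                // Already the exception type the platform expects: pass it on unchanged.
                throw;
            }
            catch (Exception ex)
            {
                // Any unexpected failure aborts the operation instead of allowing it.
                throw new InvalidPluginExecutionException(ex.Message);
            }
        }

        // Returns true when the request is a state change whose status equals DeactivatedStatusValue.
        private static bool IsDeactivationRequest(IPluginExecutionContext context)
        {
            bool isStateMessage = context.MessageName == "SetStateDynamicEntity"
                || context.MessageName == "SetState";
            if (!isStateMessage)
            {
                return false;
            }

            if (!context.InputParameters.Contains("EntityMoniker")
                || !(context.InputParameters["EntityMoniker"] is EntityReference))
            {
                return false;
            }

            // Check if the entity status has been updated.
            if (!context.InputParameters.Contains("Status"))
            {
                return false;
            }

            // Direct cast on purpose: an unexpected value type throws, and Execute
            // turns that into an aborted operation rather than an allowed one.
            return ((OptionSetValue)context.InputParameters["Status"]).Value == DeactivatedStatusValue;
        }

        /// <summary>
        /// Checks whether the user is assigned a security role with the given name.
        /// </summary>
        /// <param name="prmCrmService">Organization service used to run the role query.</param>
        /// <param name="prmUserId">Id of the user whose roles are inspected.</param>
        /// <param name="prmSecurityRoleName">Role name to look for (exact, case-sensitive match).</param>
        /// <returns>True when one of the user's roles has exactly that name; otherwise false.</returns>
        /// <remarks>
        /// NOTE(review): the match is on the role's display name. Renaming the role, or
        /// giving another role the same name, changes the outcome of this check;
        /// matching on a stable role identifier is sturdier if one is available.
        /// </remarks>
        private bool CheckUserHasSecurityRole(IOrganizationService prmCrmService,
            Guid prmUserId, string prmSecurityRoleName)
        {
            // Without a role name to compare against, nobody qualifies.
            if (string.IsNullOrEmpty(prmSecurityRoleName))
            {
                return false;
            }

            // Query the role entity, joined to systemuserroles and restricted to this user.
            QueryExpression wod_Query = new QueryExpression
            {
                EntityName = "role",
                // Only the name is compared below, so no other column is retrieved.
                ColumnSet = new ColumnSet("name"),
                LinkEntities =
                {
                    new LinkEntity
                    {
                        LinkFromEntityName = "role",
                        LinkFromAttributeName = "roleid",
                        LinkToEntityName = "systemuserroles",
                        LinkToAttributeName = "roleid",
                        LinkCriteria = new FilterExpression
                        {
                            FilterOperator = LogicalOperator.And,
                            Conditions =
                            {
                                new ConditionExpression
                                {
                                    AttributeName = "systemuserid",
                                    Operator = ConditionOperator.Equal,
                                    Values = { prmUserId }
                                }
                            }
                        }
                    }
                }
            };

            // Obtain results from the query expression.
            EntityCollection wod_UserRoles = prmCrmService.RetrieveMultiple(wod_Query);

            // Search the user's roles for the requested name; a role without a name never matches.
            return wod_UserRoles.Entities.Any(wod_RoleEntity =>
                string.Equals(
                    wod_RoleEntity.GetAttributeValue<string>("name"),
                    prmSecurityRoleName,
                    StringComparison.Ordinal));
        }
    }
}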
Files Download Link:
Plugin C# Project file: Record Deactivation Security Privileges.zip
https://skydrive.live.com/?cid=06f61fc8aa6032c9&id=6F61FC8AA6032C9%21151