Field level security in Microsoft Dynamics 365/CRM restricts access to the fields containing sensitive business data which are only accessible by authorized users.
It also serves as a means of adding an extra security around the field i.e Create, Update and Read value.
For example, field security will be helpful in restricting the confidential data like Project revenue/credentials etc from unauthorized users.
There will be issues when a calculated field uses secured fields in the calculation.
It is specified by Microsoft Dynamics 365 that if a calculated field uses secured fields in a calculation, then you should also consider securing the calculated field to prevent users from attempting to access data that they don’t have permissions for.
Working on a calculated field with secured fields
We had a requirement in which the value of a field should be read/updated/created by only the members of the authorized team.
Here is the complete requirement:
As shown in the below image, there are four currency fields in an entity. Two of them have field security enabled for authorized users and another one is a calculated field which uses secured fields.
Now, if any of the three fields ( i.e Budget Amount, Additional Amount and Add On Amount) do not contain data, then the calculated field (i.e Total Value) will not show any value in it.
To overcome this, we have created 3 business rules for each currency field to set the respective field value to 0 if it doesn’t contain any data.
But this will cause an issue for unauthorized users, as the business rule will trigger with the current user permissions and if the current user doesn’t have Create and Update permission on these two fields ( i.e secured fields), the below error will be displayed.
According to the error, the user needs only update and create permission for setting the values of the secured fields. Therefore we have created a new field security profile for all users and gave Create/Update permission.
Upon doing that, we now have two field security profiles
2. For all users with only Create/Update permission.
After creating a new field security profile for all users, unauthorized users will also be able to save the change without any error. Total Value field will get calculated and Budget Amount, Additional Amount field (i.e field security enabled field) values would still be masked (as the unauthorized user doesn’t have read permission).
This new permission has allowed all the users to update/create values in Budget Amount and Additional Amount fields (i. Field security enabled fields). The secured fields are unlocked and can be edited. See the below screenshot for the difference.
Now to prevent the user from editing the secured fields, use a simple script method to lock the fields (i.e Budget Amount and Additional Amount fields) for unauthorized users. (i.e check the current user present in the authorized team, if not lock the field).
But there is a slight catch with the field security enabled fields.
When an entity field has field security enabled, for unauthorized users the field value will be masked and field value will be null while accessing the record. (i.e if the entity record is opened, even when the secured field doesn’t have any value, the field would still be masked with ‘*’).
Create a real-time system workflow which runs on behalf of the owner of the workflow (i.e administrator) with steps to set the field value to 0 if it is empty.
Enable the field security on the calculated fields too, if they involve secured fields. If you don’t wish to enable it, then go for real-time workflow which runs on the behalf of authorized user.
Posted By: Nitin Res, Osmosee