Using External Resources

This topic contains information about configuring a custom database or other external resource.

Access and Permissions

If your add-on requires an external component, such as an external database, message queue, file path, registry keys, or Web site, you must configure the correct permissions and authentication in your installation procedure. The user that is making the call to the external component may be different depending on the component of Microsoft CRM that is in control. For example:

  • Callout code is generally running under the context of the local machine's Network Service account. For more information, see Impersonation in Callouts.
  • Workflow code generally runs under the context of the local machine's Network Service account. For more information, see Impersonation in Workflow.
  • Client side script code called from the client or called from the server using an ASPX page running in a Virtual Directory or other IIS site generally runs under the context of the currently logged on user.

Because of this, you may have to grant access to both of these sets of users. The following describes how to do this:

  • At setup time, grant permissions to the appropriate external resources.
  • Document all of the permissions granted and explain how they can be modified.

To make the access problem a little easier, it is important to know that Microsoft CRM provides two groups that can be used to grant access to resources. They are described in the following table:

Group name | Description
SQLAccessGroup | A group that contains the Microsoft CRM ASP.NET account and other service accounts. Members in this group have full access to the Microsoft CRM database and this group is used by the Microsoft CRM platform layer. End users should never be added to this group.
ReportingGroup | A group that contains all users within Microsoft CRM. This group is updated as users are added to Microsoft CRM. Users in this group have read-only access to the filtered views in the Microsoft CRM database.

External Databases

If your add-on uses an external database, your installation procedure must do the following:

  • Determine what the SqlAccessGroup and ReportingGroup are called. You can do this by reading the information from the Microsoft CRM organization filtered view.
  • Grant access to the database to the following groups: SqlAccessGroup and ReportingGroup (depending on your requirements, see the preceding table for more information).
  • If SQL Server is on the same computer as Internet Information Services (IIS), you must also grant access to Network Service. This step is not required for SQL Server running on other machines.

Example

This SQL script demonstrates the installation procedure described previously.

-- Placeholder name: replace with your Microsoft CRM organization database.
USE LOCAL_CRM_DATABASE_MSCRM;

-- Retrieve the SqlAccessGroup name from the FilteredOrganization view.
DECLARE @sqlGroupName NVARCHAR(256);
SET @sqlGroupName = (SELECT SqlAccessGroupName FROM FilteredOrganization);

-- Retrieve the ReportingGroup name from the FilteredOrganization view.
DECLARE @reportingGroupName NVARCHAR(256);
SET @reportingGroupName = (SELECT ReportingGroupName FROM FilteredOrganization);

-- Placeholder name: replace with the ISV's custom database.
-- The variables stay in scope because the script is a single batch (no GO).
USE ISV_CUSTOM_DATABASE;

-- Grant SqlAccessGroup access to the ISV's database for the machine.
EXEC sp_grantlogin @sqlGroupName;
-- This will generate a warning if access is already granted.
EXEC sp_grantdbaccess @sqlGroupName, @sqlGroupName;
EXEC sp_addrolemember 'db_owner', @sqlGroupName;

-- Grant ReportingGroup access to the ISV's database for the users of Microsoft CRM.
-- db_owner gives every Microsoft CRM user full control of this database. If users
-- only need to read data, a narrower role such as db_datareader is sufficient.
EXEC sp_grantlogin @reportingGroupName;
-- This will generate a warning if access is already granted.
EXEC sp_grantdbaccess @reportingGroupName, @reportingGroupName;
EXEC sp_addrolemember 'db_owner', @reportingGroupName;

-- Grant callouts access to the ISV's database only if SQL Server and IIS are on the same machine.
EXEC sp_grantlogin 'NT AUTHORITY\NETWORK SERVICE';
EXEC sp_grantdbaccess 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\NETWORK SERVICE';
EXEC sp_addrolemember 'db_owner', 'NT AUTHORITY\NETWORK SERVICE';
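
A narrower, rerunnable form of the same installation steps, as an added example that is not Microsoft's code: it grants fixed read and write roles instead of db_owner, skips grants that already exist, and lists the resulting memberships so they can be documented. Assumptions: SQL Server 2005 or later (it uses the sys catalog views), placeholder database names, and role choices that you adjust to what your add-on needs.

```sql
-- Added example. Database names are placeholders; the role choices are assumptions.
USE LOCAL_CRM_DATABASE_MSCRM;
DECLARE @sqlGroupName NVARCHAR(256), @reportingGroupName NVARCHAR(256);
SET @sqlGroupName = (SELECT SqlAccessGroupName FROM FilteredOrganization);
SET @reportingGroupName = (SELECT ReportingGroupName FROM FilteredOrganization);

USE ISV_CUSTOM_DATABASE;

-- One row per (principal, fixed database role) that the add-on needs.
DECLARE @grants TABLE (principal NVARCHAR(256), role_name SYSNAME);
INSERT INTO @grants VALUES (@sqlGroupName, N'db_datareader');
INSERT INTO @grants VALUES (@sqlGroupName, N'db_datawriter');
INSERT INTO @grants VALUES (@reportingGroupName, N'db_datareader');
-- Keep the next row only when SQL Server and IIS are on the same computer.
INSERT INTO @grants VALUES (N'NT AUTHORITY\NETWORK SERVICE', N'db_datareader');

DECLARE @p NVARCHAR(256), @r SYSNAME;
DECLARE grant_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT principal, role_name FROM @grants;
OPEN grant_cursor;
FETCH NEXT FROM grant_cursor INTO @p, @r;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Create the Windows login only if the server does not have it yet.
    IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @p)
        EXEC sp_grantlogin @p;
    -- Map it to a database user only if that user does not exist yet.
    IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @p)
        EXEC sp_grantdbaccess @p, @p;
    -- Add the role membership only if it is missing.
    IF NOT EXISTS (SELECT 1 FROM sys.database_role_members m
                   JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
                   JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
                   WHERE r.name = @r AND u.name = @p)
        EXEC sp_addrolemember @r, @p;
    FETCH NEXT FROM grant_cursor INTO @p, @r;
END
CLOSE grant_cursor;
DEALLOCATE grant_cursor;

-- Report the resulting memberships so the setup documentation can list them.
SELECT u.name AS member_name, u.type_desc AS member_type, r.name AS role_name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
ORDER BY u.name, r.name;
```

The existence checks match on name, so a login that is already mapped to a database user under a different name still needs manual handling.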

© 2007 Microsoft Corporation. All rights reserved.

