Field Security Entities
You use field security entities to apply field-level security, which restricts field access to specified users and teams. The scope of field-level security is global, which means that it applies to all records within the organization, regardless of the business unit hierarchical level to which the record or the user belongs. Field security works in all Microsoft Dynamics CRM clients, including the Web client, Microsoft Dynamics CRM for Outlook, and Mobile Express. It applies to all components, such as the Microsoft Dynamics CRM SDK, reports, search, offline, filtered views, auditing, and duplicate detection. For this version of Microsoft Dynamics CRM, field-level security is restricted to custom fields.
For more information about how secured fields change the behavior of methods, see How Field Security Can Be Used to Control Access to Field Values in Microsoft Dynamics CRM.
Field level security profiles prevent unintended users from getting access to Microsoft Dynamics CRM data based on the profile definitions. If the Microsoft SQL Server ACLs are misconfigured, or if there is a SQL injection issue, adversaries can get direct access to data in Microsoft SQL Server thereby bypassing field level security restrictions. For more information, see Overview of Web Application Security Threats.
Set Up and Use Field Security
To use field security you must do the following:
Create a field security profile record
Add users or teams to the profile
Create a custom attribute in either a default, out-of-the-box entity, or in a custom entity
Secure the custom attribute, either when you create the attribute or by updating the attribute metadata
Publish the attribute customizations
Create a field permission record that defines what access (create, update, read) the profile will have for the custom attribute
For sample code about how to perform these steps, see Sample: Enable Field Security for an Entity.
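The six steps above in late-bound C#, as an added example rather than the SDK's own sample. The `account` entity, the `new_CreditNotes` attribute, the profile name, and the caller-supplied `service` and `teamId` are assumptions; the permission grants read only and leaves create and update denied.

```csharp
using System;
using Microsoft.Crm.Sdk.Messages;   // PublishAllXmlRequest
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Messages;   // CreateAttributeRequest
using Microsoft.Xrm.Sdk.Metadata;

public static class FieldSecuritySetup
{
    // Field permission option set values: 0 = Not Allowed, 4 = Allowed.
    const int NotAllowed = 0, Allowed = 4;

    // service: authenticated IOrganizationService; teamId: an existing team.
    // Returns the id of the new field permission record.
    public static Guid Configure(IOrganizationService service, Guid teamId)
    {
        // Step 1: create the field security profile (hypothetical name).
        var profile = new Entity("fieldsecurityprofile");
        profile["name"] = "Credit Reviewers";
        Guid profileId = service.Create(profile);

        // Step 2: add the team to the profile.
        service.Associate("fieldsecurityprofile", profileId,
            new Relationship("teamprofiles_association"),
            new EntityReferenceCollection { new EntityReference("team", teamId) });

        // Steps 3 and 4: create the custom attribute, secured at creation.
        service.Execute(new CreateAttributeRequest
        {
            EntityName = "account",
            Attribute = new StringAttributeMetadata
            {
                SchemaName = "new_CreditNotes",   // hypothetical attribute
                DisplayName = new Label("Credit Notes", 1033),
                RequiredLevel = new AttributeRequiredLevelManagedProperty(
                    AttributeRequiredLevel.None),
                Format = StringFormat.Text,
                MaxLength = 500,
                IsSecured = true
            }
        });

        // Step 5: publish the attribute customizations.
        service.Execute(new PublishAllXmlRequest());

        // Step 6: field permission for the profile: read only.
        var permission = new Entity("fieldpermission");
        permission["fieldsecurityprofileid"] =
            new EntityReference("fieldsecurityprofile", profileId);
        permission["entityname"] = "account";
        permission["attributelogicalname"] = "new_creditnotes";
        permission["canread"] = new OptionSetValue(Allowed);
        permission["cancreate"] = new OptionSetValue(NotAllowed);
        permission["canupdate"] = new OptionSetValue(NotAllowed);
        return service.Create(permission);
    }
}
```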
Use the following field permission attributes to set whether the specified field security profile can create, read, or update an attribute. You can set or compare the value for these attributes by using the Yes or No Boolean global option set:
If low privilege users are given Read access to the field security profile entity, they can see what profiles other users have and find other users with access to secured attributes they are interested in. They can then use social engineering techniques to get assigned a profile with access to those secured attributes.
Sharing of Field Security
You can share secured fields much as you can share records. To do this, you create, update, or delete a PrincipalObjectAttributeAccess (field sharing) record, where you specify the user or team, the entity, and the permissions.
The following table lists the corresponding methods for securing a field compared to securing a record.
|Record sharing||Field access sharing|
Use GrantAccessRequest to grant record access for a user or team.
Use ModifyAccessRequest to update record access for a user or team.
Use RevokeAccessRequest to remove record access for a user or team.
Tasks
Sample: Retrieve Field Permissions
Sample: Enable Field Security for an Entity
Sample: Retrieve Field Sharing Records
Concepts
FieldSecurityProfile Entity Messages and Methods
FieldSecurityProfile Entity Metadata
FieldSecurityProfile Entity OptionSet Attribute Metadata
FieldPermission Entity Messages and Methods
FieldPermission Entity Metadata
FieldPermission Entity OptionSet Attribute Metadata
PrincipalObjectAttributeAccess (Field Sharing) Entity Messages and Methods
PrincipalObjectAttributeAccess (Field Sharing) Entity Metadata
Other Resources
The Security Model of Microsoft Dynamics CRM
Microsoft Dynamics CRM 2011
© 2013 Microsoft Corporation. All rights reserved.