When developing custom applications or integrating MSCRM with SharePoint, security is the prime concern. To handle it properly, one needs to know the internals of MSCRM security and how it interacts with Active Directory. Microsoft Dynamics CRM stores user information in Active Directory to provide application security. For this purpose, the following Active Directory groups are added to the Organizational Unit specified during installation:
- UserGroup
- ReportingGroup
- PrivUserGroup
- SQLAccessGroup
UserGroup
All Microsoft CRM users. This group is updated automatically as users are added and removed from Microsoft CRM.
ReportingGroup
A group that contains all users within Microsoft CRM. This group is updated as users are added to Microsoft CRM. Users in this group have read-only access to the filtered views in the Microsoft CRM database.
PrivUserGroup
Privileged Microsoft CRM user group for special administrative functions.
SQLAccessGroup
A group that contains the Microsoft CRM ASP.NET account and other service accounts. Members of this group have full access to the Microsoft CRM database, and the group is used by the Microsoft CRM platform layer. End users should never be added to this group. So, instead of adding each user individually and granting them access to SharePoint libraries, add these security groups and set their permissions as shown in the screenshot below:
Use these two SQL queries to find the group names recorded for your deployment:
- SELECT SqlAccessGroupName FROM FilteredOrganization
- SELECT ReportingGroupName FROM FilteredOrganization
When developing applications or add-ons, please consider these scenarios:
- Callout and Workflow .NET assemblies typically run under the context of the local machine’s Network Service account.
- Code called from the client using a custom script typically runs under the context of the logged on user.
- Code called from the server using an ASPX page running in a Virtual Directory or other Internet Information Services (IIS) site typically runs under the context of the logged on user.
So, configure proper security roles for your users before setting up add-ons, custom applications, callouts or workflows.
For information on how to grant access to your users, please look into the MSCRM SDK section “External Components”.
For information on how to manage security for reports, please look into the MSCRM Implementation Guide section “Understanding Report Permissions”.
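The following PowerShell audit script is an added example, not code from the original post. It runs the two FilteredOrganization queries above, resolves the recorded groups in Active Directory, and checks the rule stated above that no end user is a member of SQLAccessGroup. It assumes the ActiveDirectory and SqlServer modules are installed, that the caller is a CRM user with read access to the organization database (FilteredOrganization is a filtered view), and that $SqlInstance and $OrgDb are placeholders for your own environment.

```powershell
# Added audit script (not part of the original post). Assumptions: ActiveDirectory and
# SqlServer modules installed; caller is a CRM user who can read the organization DB;
# $SqlInstance / $OrgDb are placeholders for your deployment.
param(
    [string]$SqlInstance = 'CRMSQL01',        # placeholder
    [string]$OrgDb       = 'Database_MSCRM'   # placeholder
)
Import-Module ActiveDirectory
Import-Module SqlServer

# Step 1: read the group names CRM recorded at installation (the two queries from the post).
$org = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $OrgDb -Query `
    'SELECT SqlAccessGroupName, ReportingGroupName FROM FilteredOrganization'

function Resolve-CrmGroup {
    # Assumption: the stored value is either a plain group name or an LDAP path;
    # strip any LDAP:// prefix so Get-ADGroup can take the remaining name or DN.
    param([string]$Stored)
    $identity = $Stored -replace '^LDAP://', ''
    try { Get-ADGroup -Identity $identity }
    catch { Write-Warning "Group recorded in CRM was not found in AD: $Stored"; $null }
}

$sqlAccess = Resolve-CrmGroup $org.SqlAccessGroupName
$reporting = Resolve-CrmGroup $org.ReportingGroupName
if (-not $sqlAccess -or -not $reporting) { return }

# Step 2: expand memberships recursively so users hidden behind nested groups are seen.
# ReportingGroup holds every CRM user, so it stands in for "end users".
$sqlMembers  = Get-ADGroupMember -Identity $sqlAccess -Recursive
$endUserSids = Get-ADGroupMember -Identity $reporting -Recursive | ForEach-Object { $_.SID.Value }

# Step 3: flag any SQLAccessGroup member who is also a CRM end user (rule from the post).
$findings = foreach ($m in $sqlMembers) {
    if ($endUserSids -contains $m.SID.Value) {
        [pscustomobject]@{
            Member = $m.SamAccountName
            Issue  = 'CRM end user has full database access via SQLAccessGroup'
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else           { 'SQLAccessGroup contains no CRM end users.' }
```

Run it from a workstation that can reach both the CRM SQL instance and a domain controller; anything it lists should be removed from SQLAccessGroup and, if the account needed reporting access, placed in ReportingGroup instead.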


This post is very good. I enjoyed it very much!
Are there any options to load users from AD into CRM as an import process?
Nice info about the relation between MS CRM & Active Directory.
Hi Amol,
We are looking for MS CRM professionals for our Pune locations. The details are:
Title: MS CRM professionals
Skills: MS CRM 4.0, .net framework
Experience: 4+ yrs with at least 1.5 years of MS CRM 3.0 / 4.0
Job Description:
• Developing, testing, deploying and supporting Microsoft Dynamics CRM customization
• Custom add-ons built within the .NET framework.
• This position has tremendous growth potential around Microsoft Dynamics CRM development and implementation.
• In addition to system implementation, you will gain hands-on experience working with some of the best and newest MS technologies.
Requirements:
• 3+ years experience developing web applications in a Microsoft environment
• Functional understanding of the MS CRM Web and Outlook clients
• Hands-on experience with creating Workflows and extending workflows
• Microsoft SQL Server experience is a plus
• Self-starter and be able to handle multiple tasks and priorities
• Enjoy working at an entrepreneurial company
• Highly motivated and dependable
If you are really interested, please send your updated resume.
Regards,
Amit Mahajan
Recruitment Team
(9850001230)
PrivUserGroup
Privileged Microsoft CRM user group for special administrative functions.
What are these “administrative functions”?
I found out that our user, which is used as the default user for processing a plugin in MS CRM 4.0, is “system” (found out with a WhoAmI request). Is this the normal procedure, to initiate a web service object in the context of the system user and then add the caller id from the plugin context?
I know that there is the possibility to initiate the service with context.getCrmService(). But then I can't use my customized entities. Well, I can, but only with dynamic entities…
regards,
mk
Hi,
This post was written for CRM 3.0.
Now in CRM 4 plugin runs under System user.
Secondly, I usually use dynamic entities to implement my logic and they have proved to be very reliable.
Do you use callouts too? I could not find any reason why I should use a callout instead of a plugin. Are they only available because they were available in 3.0?
Dynamic Entities are really powerful. But it is more difficult to program with DEs. Especially in big expansions it is very comfortable to program against a WSDL file with the customized entities.
What I need to know is:
a) Is the system user the/one right way to call the CRM Web Service?
b) Does Microsoft support this, or does this user have some other functions?
c) Which rights does this user have?
Sorry if I flood your blog with this, but I could not find a statement about this with Google.
Kind regards,
mk
Hi,
I want to move my CRM data, including Active Directory users, customisations, reports and workflows, from the existing setup to a new setup.
Could you please tell me the procedure to achieve this?
Hi,
I want to perform a rollout of my MSCRM 4.0, including Active Directory users, customisations, reports and workflows.
Could you please tell me the procedure to achieve this?
Hi,
The reason I'm posting this here is because this problem may be related to user grouping, but then again I don't know much about CRM as I'm new to CRM (I don't mean to offend anyone by posting this here).
Basically, I am encountering a problem where I get “Warning: The following user exists and was not added: firstname lastname (domain\username)” when I try to add a user from AD. AD believes it's not there but CRM thinks it's there. Now, I believe that the problem may have been caused by the following scenario, and it may just be a table from which I need to remove that name so that I can re-add the user.
1. Backup the Database_MSCRM.
2. Add a new user successfully.
3. Restore the backup from step 1.
4. The user is no longer in CRM.
5. Try to add the user again, but get the above message/problem and cannot add.
All other users prior to Backup are all okay.
Any ideas anyone…
Thanks and regards,
Mike
Hi
Great post. Thank you for the explanation. I have a small problem. Due to several redeployments of our test and development servers, I now have a lot of these CRM AD security groups in AD and SQL Server. Can I somehow determine which groups (identified with GUID) are the actual ones? I need to delete the old ones in order to have a better overview in AD…
Any help would be highly appreciated.
Maybe a small script …
Janos
Well, you need to check this from SQL Server. Check the groups in SQL Server -> MSCRM_Organization database and then compare them with the AD ones. Then remove the extra groups.