Menu
I'm new to Dynamics CRM and I'm trying to export security roles from the SQL back end of CRM to create a report of each security roles read, write, create etc permissions. Has anyone done this before as the CRM tables are quite vague.
400
To assign a role in Dynamics 365 Sales Professional: Under Standard Settings, select Manage users. Select a user you want to assign a role to, and then on the command bar, select Manage Roles. In the Manage User Roles dialog box, select the security role or roles you want for the user or users, and then select OK.
A security role defines how different users, such as salespeople, access different types of records. To control access to data, you can modify existing security roles, create new security roles, or change which security roles are assigned to each user. Each user can have multiple security roles.
System Administrators have all privileges on all field-level security fields. Users and Teams can be added to multiple field level security profiles. Once you have set your field security, users who do not have Read permission for the field will see the field itself but will only see “*****” instead of the data.
The following will list every Security Role, the entities it relates to - also the privileges and access levels:
SELECT DISTINCT
r.Name
,COALESCE(e.OriginalLocalizedName, e.Name) AS [EntityName]
,CASE p.AccessRight
WHEN 32 THEN 'Create' /* or hex value 0x20*/
WHEN 1 THEN 'Read'
WHEN 2 THEN 'Write'
WHEN 65536 THEN 'Delete' /* or hex value 0x10000*/
WHEN 4 THEN 'Append'
WHEN 16 THEN 'AppendTo'
WHEN 524288 THEN 'Assign' /* or hex value 0x80000*/
WHEN 262144 THEN 'Share' /* or hex value 0x40000*/
ELSE 'None'
END AS [Privilege]
,CASE (rp.PrivilegeDepthMask % 0x0F)
WHEN 1 THEN 'User (Basic)'
WHEN 2 THEN 'Business Unit (Local)'
WHEN 4 THEN 'Parental (Deep)'
WHEN 8 THEN 'Organization (Global)'
ELSE 'Unknown'
END AS [PrivilegeLevel]
,(rp.PrivilegeDepthMask % 0x0F) as [PrivilegeDepthMask]
,CASE WHEN e.IsCustomEntity = 1 THEN 'Yes' ELSE 'No' END AS [IsCustomEntity]
FROM Role AS r
INNER JOIN RolePrivileges AS rp
ON r.RoleId = rp.RoleId
INNER JOIN Privilege AS p
ON rp.PrivilegeId = p.PrivilegeId
INNER JOIN PrivilegeObjectTypeCodes AS potc
ON potc.PrivilegeId = p.PrivilegeId
INNER JOIN MetadataSchema.Entity AS e
ON e.ObjectTypeCode = potc.ObjectTypeCode
ORDER BY r.Name, [EntityName]
Just in case anyone finds themselves in my position. I took Donal's answer and developed it a bit further. The first query will get you the user acces roles specific to entities, formatted similarily as in the UI. However it does not print the mics rights that are displayed at the bottom of the page in the UI, as those aren't linked to entities. Use the second query to get those. I added a column displaying the current environment, this allows a quick comparison between different instances of the CRM.
User Role Rights concerning entities:
With groupRights AS (
SELECT DISTINCT
[MSCRM_CONFIG].[dbo].[Organization].friendlyname AS Environment,
COALESCE(e.OriginalLocalizedName, e.Name) AS [Entity],
r.Name as [Role],
CASE p.AccessRight
WHEN 32 THEN 'Create' /* or hex value 0x20*/
WHEN 1 THEN 'Read'
WHEN 2 THEN 'Write'
WHEN 65536 THEN 'Delete' /* or hex value 0x10000*/
WHEN 4 THEN 'Append'
WHEN 16 THEN 'AppendTo'
WHEN 524288 THEN 'Assign' /* or hex value 0x80000*/
WHEN 262144 THEN 'Share' /* or hex value 0x40000*/
ELSE 'None'
END AS [Privilege]
,(rp.PrivilegeDepthMask % 0x0F) as [PrivilegeDepthMask]
,CASE WHEN e.IsCustomEntity = 1 THEN 'Yes' ELSE 'No' END AS [IsCustomEntity]
FROM Role AS r
INNER JOIN RolePrivileges AS rp
ON r.RoleId = rp.RoleId
INNER JOIN Privilege AS p
ON rp.PrivilegeId = p.PrivilegeId
INNER JOIN PrivilegeObjectTypeCodes AS potc
ON potc.PrivilegeId = p.PrivilegeId
INNER JOIN MetadataSchema.Entity AS e
ON e.ObjectTypeCode = potc.ObjectTypeCode
INNER JOIN dbo.RoleBase
ON dbo.RoleBase.RoleId = rp.RoleId
INNER JOIN [MSCRM_CONFIG].[dbo].[Organization]
ON dbo.RoleBase.OrganizationId = [MSCRM_CONFIG].[dbo].[Organization].Id
)
SELECT * FROM groupRights
PIVOT
(
avg(PrivilegeDepthMask)
FOR Privilege
IN ([Create], [Read], [Write], [Delete], [Append], [AppendTo], [Assign], [Share], [Error])
) p
ORDER BY [Environment], [Entity], [Role]--, [PrivilegeLevel]
And the MISC rights:
SELECT DISTINCT
[MSCRM_CONFIG].[dbo].[Organization].friendlyname AS Environment,
r.Name as [Role],
p.name as [Privilege Name],
CASE p.AccessRight
WHEN 32 THEN 'Create' /* or hex value 0x20*/
WHEN 1 THEN 'Read'
WHEN 2 THEN 'Write'
WHEN 65536 THEN 'Delete' /* or hex value 0x10000*/
WHEN 4 THEN 'Append'
WHEN 16 THEN 'AppendTo'
WHEN 524288 THEN 'Assign' /* or hex value 0x80000*/
WHEN 262144 THEN 'Share' /* or hex value 0x40000*/
ELSE 'None'
END AS [Privilege]
,CASE (rp.PrivilegeDepthMask % 0x0F)
WHEN 1 THEN 'User (Basic)'
WHEN 2 THEN 'Business Unit (Local)'
WHEN 4 THEN 'Parental (Deep)'
WHEN 8 THEN 'Organization (Global)'
ELSE 'Unknown'
END AS [PrivilegeLevel]
,CASE WHEN e.IsCustomEntity = 1 THEN 'Yes' ELSE 'No' END AS [IsCustomEntity]
FROM Role AS r
INNER JOIN RolePrivileges AS rp
ON r.RoleId = rp.RoleId
Left outer JOIN Privilege AS p
ON rp.PrivilegeId = p.PrivilegeId
Left outer JOIN PrivilegeObjectTypeCodes AS potc
ON potc.PrivilegeId = p.PrivilegeId
Left outer JOIN MetadataSchema.Entity AS e
ON e.ObjectTypeCode = potc.ObjectTypeCode
INNER JOIN dbo.RoleBase
ON dbo.RoleBase.RoleId = rp.RoleId
INNER JOIN [MSCRM_CONFIG].[dbo].[Organization]
ON dbo.RoleBase.OrganizationId = [MSCRM_CONFIG].[dbo].[Organization].Id
where e.OriginalLocalizedName is null
and e.Name is null
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
