blog

Heirarchy Secutity
March 15, 2015

All about Hierarchy Security in CRM 2015

In our previous blog, we have discussed Hierarchy Visualization, and in this blog we will discuss Hierarchy Security.

 

Below I have explained some brief and important points about the Hierarchy Security.

  1. It is an extension of the Dynamics CRM Security Model.
  2. It offers more granular access to records.
  3. It reduces maintenance costs, because it is easy to maintain and does not require a large number of Business Units.

 

The hierarchy security model is an extension to the existing Microsoft Dynamics CRM security models that use business units, security roles, sharing, and teams. It offers more granular access to records for an organization and helps to bring the maintenance costs down. For example, in complex scenarios, you can start with creating several business units and then add the hierarchy security. This will achieve more granular access to data, with far less maintenance costs, than a large number of business units may require.

 

Basically Hierarchy Security is divided into two parts.

  • Manager hierarchy
  • Position hierarchy

 

Important points about Manager hierarchy

  1. Based on the direct reporting security model.
  2. This is established based on the Manager Field of the System user.
  3. Managers are able to access the data of their subordinates. And able to perform work on behalf of them.
  4. A manager must have at least the user level Read privilege on an entity, to see the data of their subordinates.
  5. Only restricted to the BU.

 

Important points about Position hierarchy

  1. Not based on direct reporting structure, as Manager Hierarchy.
  2. We can define various Job Positions & arrange Position hierarchy based on that Position. It means users at a higher position can access the data of lower positions.
  3. The direct higher positions must have Read, Write, Update, Append, AppendTo access to the lower positions’ data in the direct ancestor path. The non-direct higher positions, have Read-only access to the lower positions.
  4. Not restricted to the BU.
  5. With the Position hierarchy security, a user at a higher position can access records owned by a lower position user or by the team that a user is a member of.
  6. In addition to the Position hierarchy security model, the users at a higher level must have at least the user level Read privilege on an entity to see the records that the users at the lower positions have access to.

 

The Position hierarchy is *not* based on the direct reporting structure, like the Manager hierarchy. A user doesn’t have to be an actual manager of another user to access user’s data.

 

But based on the position, higher position’s user can access the data of the lower position’s users.

 

If we take an examples of the positions that are given into the below image. Then you can see CEO is on the higher position and VP of Sales and VP of Service is on the lower position. It means, the user at CEO’s Position can access the records of the users that are into the VP of Sales and VP of Service positions.

D-blog-2-1
The Manager Hierarchy is worked based on the Manager Field of the user. As shown in the below screen, Adam is the manager of the Ben, Brendan, and Chris.

D-blog-2-2
Hence, if we setup the Manager Hierarchy, then Adam can access the data of Ben, Brendan, and Chris.

 

Note: With the Position hierarchy security, a user at a higher position has access to the records owned by a lower position user.

 

In addition to the Position/Manager hierarchy security model, the users at a higher level must have at least the user level Read privilege on an entity to see the records that the users at the lower level.

 

How to enabled Hierarchy Security:

 

To set up the security hierarchy, you must have an Administrator security role.

 

The hierarchy security is disabled by default.

 

To enable, go to Microsoft Dynamics CRM > Settings > Security > Hierarchy security and select Enable Hierarchy Modeling. After enabled the hierarchy modeling, choose the specific model by selecting the Manager Hierarchy or Custom Position Hierarchy. All system entities are enabled for hierarchy security out-of-the-box, but, you can exclude selective entities from the hierarchy.

D-blog-2-3
Set the Depth to a desired value to limit how many levels deep a manager/position has a Read-only access to the data of their reports.

D-blog-2-4


NOTE: To make any changes in Hierarchy security, you must have the Change Hierarchy Security Settings privilege.

For example, if we take an example of the following image.

D-blog-2-2

And set the Depth = 1 in Manager Hierarchy Security settings, then Adam can only access the records of Ben, Brendan, and Chris. And in case if we set the Depth = 2, then Adam can access the records of Cynthia as well as Ben, Brendan, and Chris.

 

Set up Manager and Position Hierarchies:

 

The Manager hierarchy is easily created by using the manager relationship on the system user record. You use the Manager (ParentsystemuserID) lookup field to specify the manager of the user.

 

If you have already created the Position hierarchy, you can also tag the user with a particular position in the Position hierarchy. In the following example, the sales person reports to the sales manager in the Manager hierarchy and also has the Sales position in the Position hierarchy.

D-blog-2-5

To add a user to a particular position in the Position hierarchy, use the lookup field called Position on the user record’s form.

 

To create a Position hierarchy, go to Microsoft Dynamics CRM > Settings > Security > Positions. For each position, provide the name of the position, the parent of the position, and the description. Add users to this position by using the lookup field called Users in this position. Below is the example of the Position hierarchy with the active positions.

D-blog-2-6

In the below screen, I have given an example of the enabled users with their corresponding positions.

D-blog-2-7

Use hierarchy security models in conjunction with other existing security models for more complex scenarios. Avoid creating a large number of business units, instead, create fewer business units and add hierarchy security.

 

Performance considerations:

 

Keep the effective hierarchy security to 50 users or less under a manager/position.

You can use the Depth setting to reduce the number of users in hierarchy security.

 

I Hope this has helped you to understand Hierarchy Security!!!

Heirarchy
February 15, 2015

All about Hierarchy Visualizations in CRM 2015

The two most awaited things that Microsoft has introduced in CRM 2015.

 

  1. Hierarchy Visualizations: It gives you the ability to see the insight of any record in a hierarchical manner. The best thing about this, it is not restricted to the account entity only, you can even setup this for custom entities as well.
  2. Hierarchy Security: In earlier versions we could only setup the security in CRM, based on User or Team Security Roles and sharing particular records between users or teams. But it was always felt that there should be a way for Managers to easily work or view their subordinate’s items. And in CRM 2015 we can achieve this by using Hierarchy Security.

 

This blog will explain all about Hierarchy Visualizations, and in a subsequent blog we will explain about Hierarchy Security.

 

Hierarchy Visualizations:

We can get valuable business insights by visualizing hierarchically related data. And it gives you a number of benefits

 

  • View and explore complex hierarchical information.
  • View key performance indicators (KPIs) in the contextual view of a hierarchy.
  • Visually analyze key information across the web and tablets.

 

In the below screen, you can see the Hierarchy of an entire “Contoso Corporation” organization.

blog-1

 

And Microsoft has enabled the Hierarchy for Tablet clients as well. As shown below.

blog-1-1

Some Important points for Hierarchy Visualizations:

 

  • Hierarchy Visualization is controlled by relationships, and specifically self-referential relationships. It means that the primary entity and the related entity must be the same.
  • Only one (1: N) self-referential relationship per entity can be set as hierarchical. In this relationship the primary entity and the related entity must be of the same type, such as account_parent_account.
  • Can’t change hierarchy relationship for OOB entities.
  • Business unit is not enabled for Hierarchy Visualizations.
  • Custom entities are supported.
  • Only the first 4 fields of the Quick view form will be displayed on the KPI tile in hierarchy.
  • Only the Quick view form is supported for the KPI tiles in hierarchy.
  • Only the following OOB entities are enabled for hierarchy visualization. You can’t enable other OOB entities.

blog-1-2
Using Advanced Find or the CRM API, you can query data in CRM.

 

Hierarchical data structures are supported by self-referential one-to-many (1:N) relationships of the related records. In the past, to view hierarchical data, you had to iteratively query for the related records. Now, you can query the related data as a hierarchy, in one step. You’ll be able to query records using the Under and Not Under logic. The Under and Not Under hierarchical operators are exposed in Advanced Find and the workflow editor as well.

blog-1-3
The below image represents this, what result you will get, when you do the Query on the Hierarchal data.

blog-1-4

How to setup Hierarchical Visualization for a custom entity:

For a custom entity like new_widget, you need to create (1:N) self-referential relationship like new_new_widget_new_widget and mark it as hierarchical, as shown here.

blog-1-5

To change the Hierarchy Visualization settings, you need to go to the Solution, and under the new_widget entity, go to the Hierarchy Settings. There you can setup the Default Quick view form. As shown below.

blog-1-6
After entering the Hierarchy Settings for the Widget entity, you will be able to see the hierarchy representation.

blog-1-7

blog-1-8
Hence it seems, that Hierarchy Visualization is a very powerful function, with which to view the insight of a record. But it still seems that one thing is missing; we can’t setup Visualization for cross entity relationships.

 

For example, you can depict the account hierarchy showing accounts at multiple levels, but you can’t show accounts and contacts in the same hierarchy visualization.

 

We hope that Microsoft will enable this functionality for cross entity relationships in near future.

 

I hope this has helped!!!

In Next blog we will discuss details about Hierarchy Security.

CRM To MDM
January 27, 2015

Configure Microsoft Dynamics Marketing Connector for CRM on-premises/IFD

To set up the MDM (Microsoft Dynamics Marketing) Connector with CRM on premise/IFD, you need to execute the following steps.

 

  • Configure CRM to Expose CRM certificate.
  • Install Marketing Connector for Microsoft Dynamics CRM.
  • Configure ACS Name Space on Windows Azure.
  • Add CRM certificate on Azure Service Bus.
  • Configure MDM & Start Initial Synchronization.

 

Configure CRM to Expose CRM certificate:

 

If you are using a Microsoft CRM online environment, then this step is *not* needed, because CRM online exposes the certificate, as shown in the below screenshot.
Microsoft CRM

 

After completing the below steps, CRM on-premises & IFD will expose the certificate.
The following items are pre-requisites for this.

  • A certificate from an issuing authority.
  • Logon access to a user account with the System Administrator role on the server.

 

Install the certificate in the certificate store of the server running the Microsoft Dynamics CRM asynchronous service.

 

Note: If the CRM application and Asynchronous service is installed on the same server, then you do not need follow the above step.

 

Generate a public key file in Base64 format from the certificate. To do this:

  • right-click on the certificate in the Personal/Certificates list
  • then under All Tasks in the context menu, select Export

 

Provide read access to the certificate for the asynchronous service user:

  • Right click on the certificate and click on the All Tasks
  • then click on the Manage Private Keys, as shown in the below screenshot

Microsoft CRM

Then provide the read permission to the user, that is running the Asynchronous service. As shown in the below screenshot.

Microsoft CRM

In our case, we have given the read permission to the “CRM-AsynS” user, because our Asynchronous service is running under this user.

 

Configure MSCRM_Config database:

Add CRM Powershell Snap in.

Add-PSSnapin Microsoft.Crm.PowerShell

 

This command adds the CRM Windows PowerShell snap-in to the current session. The snap-in is registered during installation and setup of the CRM server.

 

Now you need to run the following command to Set the CRM certificate.

 

Set-CrmCertificate –CertificateType AppFabricIssuer –Name <issuerName> -StoreName My –StoreLocation LocalMachine -StoreFindType FindBySubjectDistinguishedName –DataFile <certificateFilename>

 

Issuer name <issuerName> can be any name. However, you will be using this same issuer name when configuring Microsoft Azure Active Directory Access Control Service (ACS). The DataFile parameter value is the file name or path of the public certificate key file.

 

After performing the above steps, the certificate will be visible your CRM IFD environment. As shown in the below screenshot.

Microsoft CRM

 

Before, performing the above steps, it was displaying as follows.

Microsoft CRM

 

Install Marketing Connector for Microsoft Dynamics CRM:

 

Download “Microsoft Dynamics Marketing CRM Connector” and install it.

 

After installation is complete, you will find the DynamicsMarketingConnectorSolution_managed.zip file in the installation path. As shown in the below screenshot.

 

Now in CRM, you will need to import the “DynamicsMarketingConnector_for_CRM2015_managed.zip” solution. As shown in the below screenshot.

Microsoft CRM

 

And provide the “Dynamics Marketing Connector” security role to the user, you are setting up the connector with. As shown in the below screenshot.

Microsoft CRM

 

Configure ACS Name Space on Windows Azure:

 

To configure the ACS Name space on Windows Azure, you need to first Add the Azure Account into your Power Shell. And for that you need to run the following command in Power Shell.

 

Add-AzureAccount

 

After running this command, it will display the login screen for Azure, as shown in the below screenshot.

Microsoft CRM

 

Now you need to run the following command to create the ACS Name space in Azure.

 

New-AzureSBNamespace -Name YOUR_NAMESPACE -NamespaceType Messaging -Location “YOUR_LOCATION” -CreateACSNamespace 1

 

As shown in the below screenshot.

Microsoft CRM

 

Then, it will create the Service Bus in Azure. As shown in the below screenshot.

Microsoft CRM

 

Add the CRM certificate to the Azure Service Bus:

Now select your Service Bus and click on the “Connection Information” button on the Azure screen, then it will open the following screen.

Microsoft CRM

 

Note: you need to copy the Default Key, this is the Management Key. This key will be used when configuring MDM.

 

Click on the “Open ACS Management Portal” option. This action will open the ACS Management Portal.

 

In the portal you will need to add the CRM certificate. This certificate must contain the public and private keys.

 

To add the certificate, go to the Certificates and Keys and click on the “Add Token Signing Certificate or Key” option, as shown in the below screenshot.

Microsoft CRM

 

In the Add Token Signing Certificate or Key page, you need to import your certificate and provide the password of that certificate.

Microsoft CRM

 

After the wizard completes, your certificate will be displayed as follows.

image
Configure MDM & Start Initial Synchronization:

 

To configure MDM connector, login to the Dynamics Marketing, and go to Settings and Integration Option. As shown in the below screenshot.

Microsoft CRM

 

Now enable the CRM Connector Service, as shown in the below screenshot.

Microsoft CRM

 

The action above will enable the services, as shown in the below screenshot.

Microsoft CRM

 

Now configure the CRM End Points. To do this, you will need to give the CRM Service User information. This user will be used for integrating the MDM and CRM.

Microsoft CRM

 

Now configure the Service Bus. To do this, you will need to provide the Azure Namespace, and ensure that you do not change the name of the Queue of CRM or MDM. As shown in the below screen.

Microsoft CRM

 

Now click on “Configure Azure ACS” option. In the “Provide Credentials for configuring the Azure ServiceBus” page, set the following values.

 

Management Key, this is the Default key, which we have copied in the earlier steps, when we were adding the CRM certificate in the Azure Service Bus.

Microsoft CRM

 

Dynamics CRM Service Certificate, you need to download the CRM certificate from the Developer Resources, screen, as shown below. And then you need to import that into the Dynamics CRM Service Certificate.

Microsoft CRM
Now edit the SDK Service Settings, as shown in the below screen.

Microsoft CRM

 

Then click on the “Configure Azure ACS” option. In the “Provide Credentials for configuring the Azure ServiceBus” page, paste the Management Key, which we copied during the adding CRM certificate in Azure Service Bus.

Microsoft CRM

 

Now, it should start displaying that all the Services running, as shown below.

Microsoft CRM

 

Now select appropriate options, and save the changes, as shown in the below screenshot.

Microsoft CRM

 

After setup is complete, you can perform a Health Check and the Initial Synchronization. As shown in the below.

Microsoft CRM

 

If you need to diagnose any issues with the MDM Connector, you can download the log from the Log section of the Marketing Integration page, as shown in the below screen.

Microsoft CRM

 

And from the CRM Side, you can view the System Jobs. As shown in the below screenshot.

Microsoft CRM

 

Hope this help you to configure the MDM integration with CRM!

Visit our website www.ecleva.com or if you have any query than don’t hesitate to Contact us.