Running Custom Code in Dynamics CRM Portal – Part 2 – Security

In a previous post, I talked about my experience running custom code from the portal. This method allowed a web file to be created and then called asynchronously from JavaScript. That post can be found at the link below; if you have not read it, I recommend doing so, as it provides context for the remainder of this post.

Running Custom Code in Dynamics CRM Portal

One of the major aspects missing from the last post is security. When the RetrieveMultiple plugin is triggered, it runs in the context of the system user, and, as written, the plugin has no knowledge of which portal user triggered it. This problem can be solved using the steps below.

Providing the current portal user (contact) id to the plugin

The first step is to pass the id of the current portal user to the plugin. This can be achieved by adding a condition to the FetchXml filter like below, along with adding a field to the Portal Actions entity.

Verifying Security on Organization Service Calls

The next step is to ensure that all calls to the OrganizationService have filtering applied. To do this, I created a class implementing the IOrganizationService interface which delegates calls to the organization service provided by the plugin. Then, when a call is made, I query the user’s entity permissions assigned through the associated web roles and then use these to determine what the user should be able to do and/or see.

Keep in mind that the Authenticated User web role is applied to Contacts automatically and will not always be explicitly assigned to the user.
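One way to build the delegating class described above, including the fallback to the implicitly applied Authenticated Users role. This is an added example, not the author's code. The class name `PortalSecuredService`, the `adx_` schema names and the Global scope option value are assumptions to verify against your portal solution. It honors only Global-scope entity permissions and refuses any call it cannot map to one.

```csharp
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

public sealed class PortalSecuredService : IOrganizationService
{
    private const int GlobalScope = 756150000;    // assumed adx_scope value for "Global"
    private readonly IOrganizationService _inner; // plugin's service, runs as the system user
    private readonly Guid _contactId;             // portal user (contact) id passed to the plugin

    public PortalSecuredService(IOrganizationService inner, Guid contactId)
    {
        if (contactId == Guid.Empty) throw new InvalidPluginExecutionException("No portal user.");
        _inner = inner; _contactId = contactId;
    }

    // True when a web role grants `flag` on `entity`: either a role assigned to the
    // contact (explicitRoles) or the implicitly applied Authenticated Users role.
    private bool Granted(string entity, string flag, bool explicitRoles)
    {
        var q = new QueryExpression("adx_entitypermission") { ColumnSet = new ColumnSet(false), TopCount = 1 };
        q.Criteria.AddCondition("adx_entitylogicalname", ConditionOperator.Equal, entity);
        q.Criteria.AddCondition("adx_scope", ConditionOperator.Equal, GlobalScope);
        q.Criteria.AddCondition(flag, ConditionOperator.Equal, true);
        var role = q.AddLink("adx_entitypermission_webrole", "adx_entitypermissionid", "adx_entitypermissionid")
                    .AddLink("adx_webrole", "adx_webroleid", "adx_webroleid");
        if (explicitRoles)
            role.AddLink("adx_webrole_contact", "adx_webroleid", "adx_webroleid")
                .LinkCriteria.AddCondition("contactid", ConditionOperator.Equal, _contactId);
        else
            role.LinkCriteria.AddCondition("adx_authenticatedusersrole", ConditionOperator.Equal, true);
        return _inner.RetrieveMultiple(q).Entities.Count > 0; // the lookup itself is unfiltered
    }
    private void Demand(string entity, string flag)
    {
        if (!Granted(entity, flag, true) && !Granted(entity, flag, false))
            throw new InvalidPluginExecutionException("Portal user lacks " + flag + " on " + entity + ".");
    }
    public Guid Create(Entity e) { Demand(e.LogicalName, "adx_create"); return _inner.Create(e); }
    public Entity Retrieve(string n, Guid id, ColumnSet c) { Demand(n, "adx_read"); return _inner.Retrieve(n, id, c); }
    public void Update(Entity e) { Demand(e.LogicalName, "adx_write"); _inner.Update(e); }
    public void Delete(string n, Guid id) { Demand(n, "adx_delete"); _inner.Delete(n, id); }
    public EntityCollection RetrieveMultiple(QueryBase query)
    {
        var qe = query as QueryExpression; // other query types and joined queries are refused
        if (qe == null || qe.LinkEntities.Count > 0) throw new NotSupportedException("Unsupported query.");
        Demand(qe.EntityName, "adx_read");
        return _inner.RetrieveMultiple(qe);
    }
    // These are not mapped to an entity permission here, so they are refused, not passed through.
    public OrganizationResponse Execute(OrganizationRequest r) { throw new NotSupportedException(); }
    public void Associate(string n, Guid id, Relationship r, EntityReferenceCollection e) { throw new NotSupportedException(); }
    public void Disassociate(string n, Guid id, Relationship r, EntityReferenceCollection e) { throw new NotSupportedException(); }
}
```

Contact, Account, Parent and Self scopes need record-level checks against the caller's related records, so this wrapper treats them as no grant instead of guessing.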

Author: Michael Sollenberger

I am a Dynamics 365 Consultant with over 4 years of experience. I first became interested in programming at age 10 when I started learning BASIC from the book “Beginning Programming for Dummies.” Currently, I am working as a technical consultant for Cloud Nine Solutions. My responsibilities include estimating, designing, and building solutions with Dynamics 365 for Sales and Customer Service. My most recent project was a CRM implementation within an enterprise environment where I was responsible for managing the technical aspects of the project. Previously, I was a developer for Distributed Network Software where I first started with Dynamics CRM 2011 and worked in Dynamics GP.
