CRM 4.0 Authorization


The privileges you are assigned regulate the functions you can perform on particular Records or objects. Your access levels determine which Records these privileges apply to. In other words, although your privileges may include the capability to delete Account Records, it is your access level that determines exactly which Records you are able to delete.
Microsoft CRM includes four distinct access levels presented in order of increasing authority.
User (basic)
User Access is the most restrictive of all the access levels. With User Access rights, a User can perform actions on the following:
· Records he owns
· Records owned by another User but which have been shared with him
· Records owned or shared by a Team of which he is a member
Business Unit (local)
Business Unit Access is a step above the basic User level. It includes all the User Access rights, but it also provides access to Records that are owned by or shared with other Users who belong to the same Business Unit. The term local really corresponds to one distinct Business Unit of which the User is a member.
For example, if Moe has local Opportunity read rights, he can review the Records for all prospects interested in signing up for the beta tester program at his company. If Moe had only User Access, he could see only those Records that he had created himself or Records that other Users had decided to share with him.
Parent: Child Business Units (deep)
A User with Parent: Child Access rights has Business Unit Access plus the ability to access objects or Records from any Business Unit that's subordinate to the unit he is assigned to. If you think of an organizational chart for the divisions of your company, a deep view enables you to see your Business Unit and all those directly below it.
Organizational (global)
Organizational Access rights are the least restrictive of all the categories. With Organizational Access, you can perform actions on any Record within the system, regardless of the Business Unit you belong to and regardless of sharing issues.
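The four access levels above, modelled as an added example (not code from the original post or from the CRM SDK). The types, unit names and records are constructed, and Business Unit access is simplified to the business unit of the record's owner.

```csharp
using System;
using System.Collections.Generic;

// Constructed model of the four access levels; these are not CRM SDK types.
enum AccessLevel { None, User, BusinessUnit, ParentChild, Organization }

class Record
{
    public string Owner, OwnerUnit;  // owning user or team, and the owner's business unit
    public HashSet<string> SharedWith = new HashSet<string>();  // user or team ids
}
class Principal
{
    public string Id, Unit;
    public HashSet<string> Teams = new HashSet<string>();
}

static class AccessDemo
{
    // parentOf maps a business unit to its parent; the root unit has no entry.
    public static bool CanAct(Principal u, AccessLevel level, Record r, Dictionary<string, string> parentOf)
    {
        if (level == AccessLevel.None) return false;         // privilege not granted: deny
        if (level == AccessLevel.Organization) return true;  // global: any record
        // User (basic): own records, shares, and team-owned or team-shared records.
        if (r.Owner == u.Id || r.SharedWith.Contains(u.Id) ||
            u.Teams.Contains(r.Owner) || r.SharedWith.Overlaps(u.Teams)) return true;
        if (level == AccessLevel.User) return false;
        if (r.OwnerUnit == u.Unit) return true;               // local: same business unit
        if (level == AccessLevel.BusinessUnit) return false;
        // Deep: climb from the record's unit; allow if the user's unit is an ancestor.
        string unit = r.OwnerUnit;
        for (int hops = 0; unit != null && hops < 64; hops++) // hop cap guards against a cyclic map
        {
            if (unit == u.Unit) return true;
            string parent;
            unit = parentOf.TryGetValue(unit, out parent) ? parent : null;
        }
        return false;
    }
    static void Main()
    {
        var parentOf = new Dictionary<string, string> { { "Sales-East", "Sales" }, { "Sales", "HQ" }, { "Support", "HQ" } };
        var moe = new Principal { Id = "moe", Unit = "Sales" };
        var recs = new[] { new Record { Owner = "larry", OwnerUnit = "Sales" },
                           new Record { Owner = "curly", OwnerUnit = "Sales-East" },
                           new Record { Owner = "shemp", OwnerUnit = "Support" } };
        foreach (AccessLevel level in Enum.GetValues(typeof(AccessLevel)))
            foreach (Record r in recs)
                Console.WriteLine("{0,-12} {1,-10} -> {2}", level, r.OwnerUnit, CanAct(moe, level, r, parentOf));
    }
}
```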
Code Sample
The code sample below checks whether the current user has permission to add a new entity, based on the user's privileges.
// The CRM types used here (CrmService, CrmAuthenticationToken, privilege, role, ...) come from
// a web reference to CrmService.asmx; List<T> requires System.Collections.Generic.
// The wrapper method name is illustrative.
bool HasWritePrivilege(string entityName)
{
    bool result = false;

    //Create Instance of CrmAuthenticationToken
    CrmAuthenticationToken token = new CrmAuthenticationToken();
    token.AuthenticationType = 0; // 0 = Active Directory authentication
    token.OrganizationName = "SCAG";

    //Create Instance of CrmService
    CrmService service = new CrmService();
    //Associate CrmAuthenticationToken to CrmService object
    service.CrmAuthenticationTokenValue = token;
    service.Credentials = System.Net.CredentialCache.DefaultCredentials;
    service.Url = "http://rsv-CRM02:5555/mscrmservices/2007/CrmService.asmx";

    // Create the request object.
    WhoAmIRequest userRequest = new WhoAmIRequest();
    // Execute the request.
    WhoAmIResponse user = (WhoAmIResponse)service.Execute(userRequest);

    // Retrieve the privileges defined in the system and copy them into a list for searching.
    RetrievePrivilegeSetRequest retPrivSetReq = new RetrievePrivilegeSetRequest();
    RetrievePrivilegeSetResponse retPrivSetResp = (RetrievePrivilegeSetResponse)service.Execute(retPrivSetReq);
    List<privilege> prevset = new List<privilege>();
    foreach (privilege prev in retPrivSetResp.BusinessEntityCollection.BusinessEntities)
    {
        prevset.Add(prev);
    }

    // Look the privilege up by name, e.g. "prvWriteAccount".
    // prvWrite<Entity> is the update privilege; the create privilege is named prvCreate<Entity>.
    string access = "prvWrite" + entityName;
    privilege objPrivilege = prevset.Find(delegate(privilege p) { return (p.name.ToLower() == access.ToLower()); });
    if (objPrivilege == null)
    {
        return false; // Unknown privilege name: deny rather than fall through.
    }

    // Query the roles assigned to the current user.
    QueryExpression qe = new QueryExpression();
    qe.EntityName = "role";
    qe.ColumnSet = new AllColumns();

    // Set up the join between the "role" entity and the intersect table "systemuserroles".
    LinkEntity le = new LinkEntity();
    le.LinkFromEntityName = "role";
    le.LinkFromAttributeName = "roleid";
    le.LinkToEntityName = "systemuserroles";
    le.LinkToAttributeName = "roleid";

    // Set up the join between the intersect table "systemuserroles" and the "systemuser" entity.
    LinkEntity le2 = new LinkEntity();
    le2.LinkFromEntityName = "systemuserroles";
    le2.LinkFromAttributeName = "systemuserid";
    le2.LinkToEntityName = "systemuser";
    le2.LinkToAttributeName = "systemuserid";

    // The condition is WHERE user ID = myUserId.
    ConditionExpression ce = new ConditionExpression();
    ce.AttributeName = "systemuserid";
    ce.Operator = ConditionOperator.Equal;
    ce.Values = new object[] { user.UserId };
    le2.LinkCriteria = new FilterExpression();
    le2.LinkCriteria.Conditions = new ConditionExpression[] { ce };
    le.LinkEntities = new LinkEntity[] { le2 };
    qe.LinkEntities = new LinkEntity[] { le };

    BusinessEntityCollection bec = service.RetrieveMultiple(qe);
    foreach (BusinessEntity refEntity in bec.BusinessEntities)
    {
        role myRoles = (role)refEntity;

        // Retrieve the privileges attached to this role.
        RetrieveRolePrivilegesRoleRequest rprreq = new RetrieveRolePrivilegesRoleRequest();
        rprreq.RoleId = myRoles.roleid.Value;
        RetrieveRolePrivilegesRoleResponse rpresp = (RetrieveRolePrivilegesRoleResponse)service.Execute(rprreq);
        List<RolePrivilege> lstRolePrivleges = new List<RolePrivilege>(rpresp.RolePrivileges);

        // Find returns null when the role does not contain the privilege.
        RolePrivilege rp = lstRolePrivleges.Find(delegate(RolePrivilege p) { return (p.PrivilegeId == objPrivilege.privilegeid.Value); });
        if (rp != null)
        {
            // rp.Depth holds the access level this role grants; it is not checked here.
            result = true;
            break;
        }
    }

    return result;
}

