Record-based security applies to individual records. It is provided by using access rights. The relationship between an access right and a privilege is that access rights apply only after privileges have taken effect.
Access rights :
An access right is granted to a user for a particular record. Types of access rights that can be granted are:
AccessRights enumeration value
|Read||ReadAccess||Controls whether the user can read a record.|
|Write||WriteAccess||Controls whether the user can update a record.|
|Assign||AssignAccess||Controls whether the user can assign a record to another user.|
|Append||AppendAccess||Controls whether the user can attach another record to the specified record.|
The Append and Append To access rights work in combination. Every time that a user attaches one record to another, the user must have both rights. For example, when you attach a note to a case, you must have the Append access right on the note and the Append To access right on the case for the operation to work.
|Append To||AppendToAccess||Controls whether the user can append the record in question to another record.|
The Append and Append To access rights work in combination. For more information, see the description for Append.
|Share||ShareAccess||Controls whether the user can share a record with another user or team. Sharing gives another user access to a record.|
|Delete||DeleteAccess||Controls whether the user can delete a record.|
Sharing records :
Sharing lets users give other users or teams access to specific customer information. This is useful for sharing information with users in roles that have only the Basic access level. Microsoft Dynamics 365 provides the following sharing capabilities:
a. Share : Any user who has share privileges on a given entity type can share records of that type with any other user or team in Microsoft Dynamics 365. To share a record, use GrantAccessRequest.
b. Modify share : You can modify the rights granted to a shared record after it has been shared. To modify sharing for a record, use the ModifyAccessRequest.
c. Remove share : If user shares a record with another user or team, it is possible stop sharing the record. After user removes sharing for a record, the other user or team loses access rights to the record. To remove sharing for a record, use the RevokeAccessRequest.
Sharing and inheritance :
If a record is created and the parent record has certain sharing properties, the new record inherits those properties. Sharing is maintained on individual records. A record inherits the sharing properties from its parent and also maintains its own sharing properties. Therefore, a record can have two sets of sharing properties, one that it has on its own and one that it inherits from its parent.
Removing the share of a parent record removes the sharing properties of objects (records) that it inherited from the parent.
Assigning records :
Anyone with Assign privileges on a record can assign that record to another user. When a record is assigned, the new user or team becomes the owner of the record and its related records. The original user or team loses ownership of the record, but automatically shares it with the new owner.
Retrieving the access rights for a record :
Use the RetrievePrincipalAccessRequest message to retrieve the access rights the specified security principal (user or team) has to a record.
Use the RetrieveSharedPrincipalsAndAccessRequest message to retrieves all the security principals (users or teams) that have access to a record, together with their access rights to that record.
Dependencies between access rights :
Security dependencies exist because it is necessary to have more than one access right to perform a given action. The access right dependencies for the respective actions specified are:
1. Create : Create and Read access rights are required.
2. Share : Share and Read access rights are required.
3. Assign : Assign, Write and Read access rights are required.
4. Append to a record : Read and AppendTo access rights are required.
5. Append a record : Read and Append access rights are required.