Let's continue our look into the security permission replication issue that plagues any integration between SharePoint and Dynamics CRM. In this blog post we'll take an in-depth look at how Connecting Software's Connect Bridge Permission Replicator solves this issue between Dynamics CRM and SharePoint.
To start, the environment used to demonstrate the functionality of the CBReplicator includes:
- A Development Active Directory server
- A single CRM Dynamics 2013 server
- A single SharePoint 2013 server
- A single SQL Server 2012 server hosting both the CRM and SharePoint instances
- Document management configured from CRM to store documents in a SharePoint site collection
- Two test users who can log into SharePoint and CRM, in different business units and with different roles
- The CBReplicator software already installed and connected to both the CRM and SharePoint instances
CRM and SharePoint permissions do not sync and are not linked in any way out of the box. This opens up a security risk for CRM documents that are stored in SharePoint. Not only is this a security risk, but it decentralizes the security management from CRM as well. Blocking a user’s access to a document in CRM does not mean that it will be blocked in SharePoint. To demonstrate the problem let’s look at the following:
Both Test User 1 and Test User 2 are logged into SharePoint and CRM. There are no accounts available and no documents to see in SharePoint. User 1 is a Sales Manager in Business Unit 001 and User 2 is a salesperson in Business Unit 002.
Create an account as User 1 in CRM. This account should be visible only to User 1, who owns it, and to members of his business unit, as seen below.
To simulate the use of the document management feature in CRM, we will add a document to be managed under the account in CRM. Since this is the first time adding documents for this new account, you will get a warning from the webpage indicating that a folder using the account name and a unique identifier will be automatically created in SharePoint.
After the file upload is complete, the CRM UI should look like this:
To verify that the upload went well, log into SharePoint as the same user and check to see what was created.
Now, logged in as Test User 2, we already know we don't have access in CRM to the account, and therefore no access to that account's document management area. However, if we log into SharePoint as User 2, we can see everything, whether we have access to it in CRM or not. This is the fundamental problem we are going to solve using the CBReplicator software.
The CBReplicator software from Connecting Software is used to sync permissions one way, from CRM to SharePoint. It works by polling the CRM Event entity that is installed when the service is started for the first time. This is what the UI controller for the Windows service looks like out of the box:
The CBReplicator is a 24/7 service that runs in the background to poll for and replicate changes from CRM to SharePoint. It is recommended to install the software on a standalone server in order to keep resources on the CRM, SharePoint and SQL servers free for their own applications. Depending on the number of changes that need to be replicated, the CBReplicator can use a lot of resources.
After starting the CBReplicator, with debug messages on, we can see all of the steps that are being taken to replicate permission changes as seen below.
From the above logs in the CBReplicator UI, you can see that permissions were replicated from CRM to SharePoint for the account that was just created. The log shows which permissions, for which CRM roles, were replicated.
Now, as User 2, we should no longer see the folder or document in SharePoint, indicating a successful replication and solution to the problem.
Let’s change the scenario a little bit. User 1 (the sales manager in BU001) is collaborating with User 2 (a salesperson in BU002) and needs User 2 to have access to the documents in CRM and SharePoint. There are several ways to give the user access to the account in CRM such as:
- Adding the user to the same business unit
- Sharing the account
In this case User 1 will share the account with read-only access only. User 2 is only a temporary resource for working with this account and is still employed in BU002.
After clicking "Share", the permissions should be replicated by the CBReplicator.
After the CBReplicator is finished processing the share event, we can log in to CRM and SharePoint to confirm the replication changes.
Yes, the replication is complete, and all is good. One big thing to note is that the permission level is also replicated. User 1 gave User 2 explicit read-only permissions on the account, and in SharePoint you should expect the same. From the screenshot, you can see that the + button to add documents is gone, and User 2 cannot delete any documents because the delete controls are not available to the user (even the Delete key does not work).
When User 1 and User 2 are finished collaborating on the account project they are working on, User 1 can simply go back to the shared account and remove the share permissions, and the CBReplicator will replicate the changes again.
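To make the replication mechanism described above concrete (poll CRM events, derive who may do what on the account, push exactly that set to the SharePoint folder, and revoke on unshare), here is an added example model. It is not CBReplicator's code and not the CRM or SharePoint API: the rights values, the role-to-permission-level mapping (Write/Delete becomes Contribute, Read becomes Read), the "same business unit gets Read" rule and the users and account names are all assumptions constructed for the illustration. It also includes a small `drift` audit that reports the out-of-the-box problem from earlier in the post, where User 2 can see the folder in SharePoint although CRM hides the account.

```python
"""Model of one-way CRM -> SharePoint permission replication (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# CRM access rights as bit flags; names follow the CRM AccessRights idea, values are constructed here
READ, WRITE, DELETE = 1, 2, 4
FULL = READ | WRITE | DELETE

def to_sharepoint_level(rights: int) -> Optional[str]:
    """Assumed mapping of a CRM rights mask to a SharePoint permission level."""
    if rights & (WRITE | DELETE):
        return "Contribute"
    if rights & READ:
        return "Read"
    return None

@dataclass
class Account:
    owner: str
    business_unit: str
    shares: Dict[str, int] = field(default_factory=dict)   # user -> rights granted via Share

@dataclass
class Crm:
    users: Dict[str, str]                                   # user -> business unit
    accounts: Dict[str, Account] = field(default_factory=dict)
    events: List[Tuple[str, str]] = field(default_factory=list)  # stands in for the polled CRM Event entity

    def create_account(self, name: str, owner: str) -> None:
        self.accounts[name] = Account(owner, self.users[owner])
        self.events.append(("create", name))

    def share(self, name: str, user: str, rights: int) -> None:
        self.accounts[name].shares[user] = rights
        self.events.append(("share", name))

    def unshare(self, name: str, user: str) -> None:
        self.accounts[name].shares.pop(user, None)
        self.events.append(("unshare", name))

    def effective_rights(self, name: str) -> Dict[str, int]:
        """Owner gets full rights, same-BU users get Read (assumed role setup), shares add on top."""
        acct = self.accounts[name]
        rights = {acct.owner: FULL}
        for user, bu in self.users.items():
            if user != acct.owner and bu == acct.business_unit:
                rights[user] = rights.get(user, 0) | READ
        for user, mask in acct.shares.items():
            rights[user] = rights.get(user, 0) | mask
        return rights

@dataclass
class SharePoint:
    site_default: Dict[str, str]   # what a new folder inherits before any replication (the original problem)
    folders: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def ensure_folder(self, name: str) -> None:
        # CRM document management creates the folder; it inherits the library's permissions
        self.folders.setdefault(name, dict(self.site_default))

def replicate(crm: Crm, sp: SharePoint) -> List[Tuple[str, str, str, str]]:
    """Drain pending CRM events and push the derived permissions to SharePoint, one way.
    Returns the (action, folder, user, level) steps taken, like the service's debug log."""
    actions = []
    while crm.events:
        _kind, name = crm.events.pop(0)
        sp.ensure_folder(name)
        desired = {u: lvl for u, r in crm.effective_rights(name).items() if (lvl := to_sharepoint_level(r))}
        current = sp.folders[name]
        for user in sorted(set(current) - set(desired)):
            actions.append(("revoke", name, user, current[user]))
        for user, lvl in desired.items():
            if current.get(user) != lvl:
                actions.append(("grant", name, user, lvl))
        sp.folders[name] = desired   # the folder now carries exactly the CRM-derived set, nothing inherited
    return actions

RANK = {None: 0, "Read": 1, "Contribute": 2}

def drift(crm: Crm, sp: SharePoint) -> Dict[str, Dict[str, str]]:
    """Audit: users whose SharePoint level on a folder exceeds what CRM grants on the account."""
    report = {}
    for name, perms in sp.folders.items():
        allowed = {u: to_sharepoint_level(r) for u, r in crm.effective_rights(name).items()}
        extra = {u: lvl for u, lvl in perms.items() if RANK[lvl] > RANK[allowed.get(u)]}
        if extra:
            report[name] = extra
    return report

def demo():
    """Walk through the post's scenario with constructed users: create, share read-only, unshare."""
    crm = Crm(users={"user1": "BU001", "user2": "BU002"})
    sp = SharePoint(site_default={"user1": "Contribute", "user2": "Contribute"})
    crm.create_account("Contoso", "user1")
    sp.ensure_folder("Contoso")
    before = drift(crm, sp)          # user2 sees the folder although CRM hides the account
    first = replicate(crm, sp)       # replication removes user2
    crm.share("Contoso", "user2", READ)
    second = replicate(crm, sp)      # user2 gets Read only: no add, no delete
    crm.unshare("Contoso", "user2")
    third = replicate(crm, sp)       # access withdrawn again
    return before, first, second, third, sp.folders["Contoso"]

if __name__ == "__main__":
    for step in demo():
        print(step)
```

The `drift` function is the piece worth keeping in mind operationally: running a comparison like this on a schedule, independent of the replicator, is how you would notice a folder that was created while the service was down or that was modified directly in SharePoint.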