Levelup-for-Dynamics-CRM
Admin settings
Hello, the current app is available for all the users, including admins, developers and also end users. God mode can be an issue if an end user can edit read-only fields. I have tried the extension using my system admin account and also some test user accounts; both had the same form rights, which definitely is not a good thing. Is there a way this extension can be modified so that only system admins will be able to use this app? If users come to know of this extension, there would be a lot of data tampering.
I am in two minds about this. Sort of "security by obscurity". It takes 2 minutes to google "God Mode" and have that as a bookmarklet. There is an issue in Connect about this, so Microsoft will eventually fix it.
You should be aware that making fields readonly on a form is not a security measure; it is only for improving usability. The security model of the platform must be respected and implemented to provide field level security etc., truly restricting specific user groups from certain CRUD operations on certain fields. If field disabling is the only method used to restrict access, there are a lot of tools out there that could give users more access than intended. From my perspective, there is nothing for Microsoft to fix.
Just my 2 cents...
I don't think FLS can handle a scenario when a field becomes selectively editable, based on some onchange events. You still have to display that field as "readonly" on load and make it editable based on some conditions. In this scenario you'll have to confirm the validity of this update, using a plugin, and check the "Target" along with the "PreImage".
The side effect of that is it prevents all updates. There are scenarios where I would use LINQPad to do something that a normal user can do from the form. I also hate the "right on your face" unfriendly way that plugin exception messages are displayed.
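The server-side check described in the comments above (validating the update in a plugin by comparing "Target" with the "PreImage"), as an added example that is not part of the original thread or of the extension's code. The attribute names, the option value and the "PreImage" alias are assumptions chosen for illustration.

```csharp
using System;
using Microsoft.Xrm.Sdk;

// Added illustration. Assumed registration: Update message, pre-operation
// stage, with a pre-image under the alias "PreImage" that contains both
// attributes below.
public class GuardConditionalField : IPlugin
{
    // Hypothetical attribute names and option value.
    private const string GuardedField = "new_approvalcode";
    private const string ConditionField = "new_status";
    private const int EditableStatus = 100000001;

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)
            serviceProvider.GetService(typeof(IPluginExecutionContext));

        if (!context.InputParameters.Contains("Target")) return;
        var target = context.InputParameters["Target"] as Entity;
        if (target == null) return;

        // Target carries only the attributes submitted with this update.
        if (!target.Contains(GuardedField)) return;

        if (!context.PreEntityImages.Contains("PreImage"))
            throw new InvalidPluginExecutionException(
                "Pre-image 'PreImage' is not registered on this step.");
        Entity pre = context.PreEntityImages["PreImage"];

        // A form may resubmit an unchanged value; that is not an edit.
        string oldValue = pre.GetAttributeValue<string>(GuardedField);
        string newValue = target.GetAttributeValue<string>(GuardedField);
        if (string.Equals(oldValue, newValue)) return;

        // Use the incoming condition value if it is part of this update,
        // otherwise the stored one from the pre-image.
        Entity source = target.Contains(ConditionField) ? target : pre;
        var status = source.GetAttributeValue<OptionSetValue>(ConditionField);

        // Reject the edit unless the record is in the state where the
        // form script would have unlocked the field.
        if (status == null || status.Value != EditableStatus)
            throw new InvalidPluginExecutionException(
                "This field cannot be changed in the record's current status.");
    }
}
```

Because the check runs in the platform's update pipeline, it applies to every caller, whether the change comes from the form, a bookmarklet or an SDK client.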
Hi @J76786786 (nice handle!)
Not sure why you resurrected a 5-year-old thread, but if in your environment 1000+ users feel the need to use Level Up on a daily basis to bypass what you call "security" then perhaps you should have a closer look at your design and implement proper patterns rather than use "ostrich" mode with "security by obscurity".