Plugin to restrict users to deactivate only their own records

As we know, MS Dynamics CRM Roles does not have a direct privilege to allow or restrict users to either Activate or Deactivate their own records. To do manage this, one of the easiest ways is to build a plugin to control this action. Find below a plugin to restrict users to deactivate only their own records. For security and control purposes, if the user has System Admin role, this validation will be bypassed.

Plugin step details:

  1. Message: Update
  2. Filtering Attributes: statecode
  3. Run in user’s context: Calling User
  4. Event Pipeline Stage: Pre-Operation
  5. Event Mode: Sync
  6. PreImage – Fields: ownerid

Code

public class PreEntityUpdate : Plugin
    {
        public PreEntityUpdate(): base(typeof(PreEntityUpdate))
        {
            base.RegisteredEvents.Add(new Tuple<int, string,="" action>(20, "Update", "Entity", new Action(ExecuteEntityUpdate)));
        }

        ///
        /// On Entity List Update. Plugin only called when Status changes.
        ///
        protected void ExecuteEntityUpdate(LocalPluginContext localContext)
        {
            // Context Variables
            if (localContext == null){ throw new ArgumentNullException("localContext"); }
            IOrganizationService service = localContext.OrganizationService;
            IPluginExecutionContext context = localContext.PluginExecutionContext;

            //Make sure we are not in an infinite loop
            if (context.Depth > 1)
                return;

            // If User is System Admin, return.
            if (UserIsSystemAdmin(context.UserId, service))
                return;

            // Get Target and PreImage
            if (!context.InputParameters.Contains("Target")) { throw new InvalidCastException("Target not found at PreOutreachUpdate"); }
            if (!context.PreEntityImages.Contains("PreImage")) { throw new InvalidCastException("Pre Image not found at PreOutreachUpdate"); }
            Entity Target = (Entity)context.InputParameters["Target"];
            Entity PreImage = (Entity)context.PreEntityImages["PreImage"];

            /*
             * If Record Status equals Inactive and Owner is not current User, restrict user to disable the Record
             */
            int StateCode = ((OptionSetValue)Target.Attributes["statecode"]).Value;
            int InactiveState = 1;

            Guid CurrentUser = context.UserId;
            Guid RecordOwner = ((EntityReference)(PreImage.Attributes["ownerid"])).Id;

            if (StateCode == InactiveState &&
                CurrentUser != RecordOwner)
            {
                throw new InvalidPluginExecutionException("\n<b>You can't deactivate records that you do not own. If you need to deactivate this record, please contact your CRM Admin.</b> \n\n");
            }
        }

        ///
        /// Check if user has System Admin role
        ///  True if user is System Admin, false in other case
        public bool UserIsSystemAdmin(Guid User_ID, IOrganizationService _service)
        {
            // All MS Dynamics CRM systems share the same System Admin role Guid.
            // Hence, hardcoding it as this will not be a security issue
            Guid Admin_GUID = new Guid("627090FF-40A3-4053-8790-584EDC5BE201");

            // Defining Entity
            var query = new QueryExpression("role");

            // Adding validation to search based on Role GUID
            query.Criteria.AddCondition("roletemplateid", ConditionOperator.Equal, Admin_GUID);

            // Link to SystemUserRoles
            var link = query.AddLink("systemuserroles", "roleid", "roleid");

            // Adding validation to check for the specified user
            link.LinkCriteria.AddCondition("systemuserid", ConditionOperator.Equal, User_ID);

            // Return result
            return _service.RetrieveMultiple(query).Entities.Count &gt; 0;
        }
    }

Hope it helps.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s