CRM 2011 and SharePoint Integrations Permissions

Question

I'm developing a document management based on the crm sharepoint integrations at the moment. It is realy a nice way to take advantage of the sharepoint document capabilities inside crm 2011. BUT!: I see a huge drawback with this attempt, because the sharepoint security model differs from the crm security model. This way, even if a user has no acces to a account entity, for example, it is possible for him to go to the sharepoint site and look at the documents of this entity, because he got permissions on the list for his own account entities.

Why the heck there is no thread about this big security problem? Is there maybe a simple solution to get around this problem?

I hope someone is able to help me.

Best regards, Gerrit

Answer 1

Eugh. Sharepoint.

In my opinion there is no easy way around this and there are other problems with the way it integrates.

I was on a project where we discussed options around this very issue but was moved on before we came to a conclusion.

My suggestion was to use the Sharepoint Security APIs to assign permissions on SP based on roles/events in CRM. All users start with no permissions in SP.

e.g.

User is assigned as owner in CRM - use plugin to call SP API to give permissions to that specific folder. Previous owner has permissions removed.

Opportunity is created. Use SP security API to give permissions to owner of Opportunity to the folder associated with the opportunity.

And etc etc and so on.

It isn't too pretty and depending on requirements could become particular pain to maintain and test, but I didn't see many other options.

But there are plenty of problems with SP integration I think I was lucky that I was moved on to another project!

Answer 2

There exists a commercial out-of-the-box solution solving this problem from Connection Software company (http://connecting-software.com/index.php/en/solutions/products/cb-dynamics-crm-privileges-to-sharepoint-permissions-replicator).

Basically they deploy tiny plugin into CRM that collects all the event that can possibly require change of permissions. There is a extra service that is processing these events and writes folder-level permissions into SharePoint accordingly.