Monday, April 04, 2016

CRM and SharePoint Security Replication

It is now easier than ever to integrate Dynamics CRM and SharePoint. In this post I explain a security concern with this scenario and how you can use a tool from Connecting Software to overcome it by synchronizing security settings between Dynamics CRM and SharePoint.

In this example I am using server-based integration between Dynamics CRM 2016 and SharePoint Online. I first created a SharePoint site called CRM and gave Everyone access to this site, which means every document library and folder created under it inherits that grant. I then configured this as the default SharePoint site in Dynamics CRM. Now when you select the Associated Documents option for a CRM record you see a view of the SharePoint folder that stores all the documents associated with that record, and you can do all the typical SharePoint tasks such as adding documents and checking documents in and out. The SharePoint folder is created the first time you navigate to the Documents option for a CRM record, when you are prompted to create it.
To demonstrate the security flaw in the out-of-the-box SharePoint integration I made a copy of the Customer Service Representative security role in CRM and restricted access on the Account entity to the User level, so that the role only reaches records the user owns.
 


I then created a user called Demo1 with this role. When I logged on as Demo1, as expected, I could only view and update account records that Demo1 owns.


The security issue arises if I select "Open Location", which opens the SharePoint site directly in the browser. From there I can browse and access the folders and documents for accounts I cannot access in CRM: SharePoint evaluates only its own site permissions (here, the Everyone grant the record folders inherit) and knows nothing about CRM record ownership or security roles. So while Dynamics CRM and SharePoint are integrated, the security models are not, and this can be a concern for many organizations.


I recently came across a product called "Permissions Replicator" from Connecting Software which solves this problem. Once you install the Permissions Replicator you use the Replication Controller wizard to set up the synchronization between your CRM and SharePoint environments by entering their server details and credentials.


Once synchronization starts you can see from the log which SharePoint rights are being applied. In the example below the Demo1 user is given rights to the Adventure Works folder on the SharePoint site but not to the A-Datum folder, and when I now log on as Demo1 I can no longer browse in SharePoint to the folders for accounts I do not have access to in CRM.
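To make the rule the replicator has to enforce concrete, here is an added example, written for this post and not code from Connecting Software or from the product. It models the two halves of the problem described above: deriving who may read each record folder from CRM's role depth and record ownership, and comparing that with what SharePoint actually grants when the site is open to Everyone. Everything in it is constructed: the users, the "CSR (User-level read)" role, the account record IDs, and the "account/<name>_<id>" folder naming are assumptions, and CRM's Read privilege depth is collapsed to four levels.

```python
"""Constructed model of replicating CRM record access onto SharePoint folder ACLs.

Not the Permissions Replicator's code: a simplified model of the rule it enforces,
with CRM's Read depth reduced to four levels and SharePoint reduced to "who can read".
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Set, Tuple


class Access(IntEnum):
    """Depth of the Read privilege a CRM security role grants on the Account entity."""
    NONE = 0
    USER = 1           # only records the user owns
    BUSINESS_UNIT = 2  # records owned in the user's business unit
    ORGANIZATION = 3   # every record


@dataclass(frozen=True)
class User:
    name: str
    business_unit: str
    role: str


@dataclass(frozen=True)
class Account:
    name: str
    record_id: str      # assumed: record GUID without hyphens
    owner: str          # User.name of the owning user
    business_unit: str  # business unit that owns the record


EVERYONE = "Everyone"  # SharePoint's built-in all-users principal


def crm_can_read(user: User, account: Account, roles: Dict[str, Access]) -> bool:
    """Apply the role's Read depth the way CRM does for a user-owned record."""
    depth = roles.get(user.role, Access.NONE)
    if depth == Access.ORGANIZATION:
        return True
    if depth == Access.BUSINESS_UNIT:
        return account.business_unit == user.business_unit
    if depth == Access.USER:
        return account.owner == user.name
    return False


def folder_for(account: Account) -> str:
    """Record folder under the entity folder; the '<name>_<id>' form is an assumption."""
    return f"account/{account.name}_{account.record_id}"


def desired_acl(users: List[User], accounts: List[Account],
                roles: Dict[str, Access]) -> Dict[str, Set[str]]:
    """Folder -> users who may read it, derived purely from CRM's security model."""
    return {folder_for(a): {u.name for u in users if crm_can_read(u, a, roles)}
            for a in accounts}


def sp_readers(folder: str, site_grants: Set[str],
               folder_acl: Dict[str, Set[str]], all_users: Set[str]) -> Set[str]:
    """Who SharePoint lets read a folder: its own ACL if inheritance is broken, else the site's."""
    grants = folder_acl.get(folder, site_grants)
    return set(all_users) if EVERYONE in grants else set(grants)


def overexposed(desired: Dict[str, Set[str]], site_grants: Set[str],
                folder_acl: Dict[str, Set[str]], all_users: Set[str]) -> List[Tuple[str, str]]:
    """(folder, user) pairs readable in SharePoint but not in CRM: the 'Open Location' bypass."""
    found = []
    for folder, crm_readers in desired.items():
        for user in sorted(sp_readers(folder, site_grants, folder_acl, all_users) - crm_readers):
            found.append((folder, user))
    return found


def replicate(desired: Dict[str, Set[str]],
              folder_acl: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Break inheritance on every record folder and set its readers to exactly CRM's readers."""
    updated = dict(folder_acl)
    for folder, readers in desired.items():
        updated[folder] = set(readers)
    return updated


def run_demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed scenario mirroring the post: site shared with Everyone, user-level CSR role."""
    roles = {"CSR (User-level read)": Access.USER, "System Administrator": Access.ORGANIZATION}
    users = [User("Demo1", "Sales", "CSR (User-level read)"),
             User("Demo2", "Sales", "CSR (User-level read)"),
             User("Admin", "Root", "System Administrator")]
    accounts = [Account("Adventure Works", "1f3a9c2e0b4d4a6e8f1c2d3e4f5a6b7c", "Demo1", "Sales"),
                Account("A-Datum", "9e8d7c6b5a4f4e3d2c1b0a9f8e7d6c5b", "Demo2", "Sales")]
    all_users = {u.name for u in users}
    site_grants = {EVERYONE}               # the site was shared with Everyone
    folder_acl: Dict[str, Set[str]] = {}   # no record folder has broken inheritance yet

    desired = desired_acl(users, accounts, roles)
    before = overexposed(desired, site_grants, folder_acl, all_users)
    after = overexposed(desired, site_grants, replicate(desired, folder_acl), all_users)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for folder, user in before:
        print(f"SharePoint exposes {folder} to {user}; CRM does not")
    print(f"after replication: {len(after)} overexposed folder/user pairs")
```

Before replication the check reports Demo1 on the A-Datum folder and Demo2 on the Adventure Works folder, which is exactly what "Open Location" exposes; after breaking inheritance and writing CRM's reader set onto each folder it reports nothing. The model deliberately ignores CRM sharing, teams and hierarchical business units, and only maps Read; a real replicator also has to map Write and Delete onto SharePoint permission levels and re-run whenever ownership, roles or site membership change, which is why the product runs as continuously running services.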


You need to consider where to install the CB Replicator, as it has two services that need to run continuously; running it on an Azure virtual machine is one option.


My initial impression of the CB Replicator is that it is well worth a look if you are concerned about the security integration between CRM and SharePoint.



