Automate the population of an Access Team

This post presents an example of how to use access teams in Dynamics 365 on-premise.

Overview

In this example, Contoso Pharmaceutical Limited have a clinical trial approval process implemented in Dynamics 365. At design time, it isn’t known who the approvers will be for each clinical trial. Therefore, there needs to be a way to allow approvers to be given access to clinical trials at runtime. To achieve this, from a technical point of view, approvers will need to be given access to specific cpl_clinicaltrial entity records and their associated cpl_applicationdecision child entity records. To meet this requirement, it has been decided to use an access team and to populate it using a C# plugin.

The Solution

Pressing the ‘Submit Decision’ button (Figure 1) triggers a C# plugin that adds John Smith to the access team. This results in John Smith having access to the particular clinical trial and the associated application decisions.

Figure 1

Technical Implementation

This section describes the technical implementation of setting up and populating an access team via a C# plugin.

The Entities

cpl_clinicaltrial

The clinical trial entity cpl_clinicaltrial already exists, so all that needs to be done is to select the ‘Access Teams’ metadata option.

Figure 2

cpl_applicationdecision

Note: When users are added to a clinical trial’s access team (which is associated with the ‘Clinical Trial – Access Team Template’; see Figure 10), they will also be able to read and update associated application decision records, even if they don’t have the relevant security role privileges for the application decision entity. This is due to cascading permissions (Figure 3) between the cpl_clinicaltrial and cpl_applicationdecision entities: since cpl_clinicaltrial has been shared, the related cpl_applicationdecision will also be shared. This is an example of record-based security rather than role-based security (see Figure 9).

Figure 3

The Access Team Template

An Access Team Template is created, specifying the required level of access for the users included in the access team.

Figure 4

Note: Referring to the example in the overview section, for John Smith to be added to the access team, he would need to be allocated a security role that, at a minimum, has user level write, read and assign access for the clinical trial entity. (The same goes for the application decision entity.)

The C# plugin

The following C# plugin is executed when a clinical trial record is updated. The plugin is responsible for adding system users to an access team associated with a particular clinical trial.

In Summary

  • line 34 – Retrieves the identifier for the access team template ‘Clinical Trial – Access Team Template’
  • line 35 – Retrieves all the users who are currently in the access team for a particular clinical trial
  • line 37 – Retrieves all the users who are currently part of the clinical trial. This will include the newly added John Smith
  • line 44 – Adds any newly added users to the access team. In this case, it’s John Smith

Figure 5

In Detail

Expanding on line 34 of Figure 5, this function is retrieving the template ‘Clinical Trial – Access Team Template’.

Figure 6

The template is stored in the teamtemplate entity.

Figure 7

Expanding on line 35 of Figure 5, the function GetClinicalTrialTemplateTeamSystemUsers retrieves all the users currently in the access team for a particular clinical trial.

Figure 8

Entity: principalobjectaccess

This entity stores information about shared records. The third row of Figure 9 shows a cpl_clinicaltrial record that is shared with an access team. The fourth row shows a record that is also shared with the access team due to its inherited access rights.

Figure 9

Entity: team

Figure 10

Entity: teammembership

Figure 11

Expanding on line 37 of Figure 5, the function GetClinicalTrialActiveSystemUsers retrieves all the users (e.g. CreatedBy) who are part of the clinical trial, including the newly added John Smith (mentioned in the overview section), who has been made an approver.

Figure 12

Expanding on line 44 of Figure 5, the function AddUserToTeamTemplate adds John Smith to the access team.

Figure 13
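
The steps summarised above (look up the template, read the current access team members, add whoever is missing), written out as an added example; this is not the plugin code from the post's figures. The class and method names are hypothetical, membership is read through team and teammembership only, and the caller is assumed to supply the clinical trial's user ids.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;
// Added sketch: class and method names are hypothetical, not the post's plugin code.
public static class ClinicalTrialAccessTeamSketch
{
    // Look up the access team template by name (stored in the teamtemplate entity).
    public static Guid GetTeamTemplateId(IOrganizationService service, string templateName)
    {
        var query = new QueryExpression("teamtemplate") { ColumnSet = new ColumnSet("teamtemplateid") };
        query.Criteria.AddCondition("teamtemplatename", ConditionOperator.Equal, templateName);
        var template = service.RetrieveMultiple(query).Entities.FirstOrDefault();
        if (template == null)
            throw new InvalidPluginExecutionException("Access team template not found: " + templateName);
        return template.Id;
    }

    // Users already in the record's access team: team (record + template) joined to teammembership.
    public static HashSet<Guid> GetCurrentMembers(IOrganizationService service, EntityReference trial, Guid templateId)
    {
        var query = new QueryExpression("teammembership") { ColumnSet = new ColumnSet("systemuserid") };
        var team = query.AddLink("team", "teamid", "teamid");
        team.LinkCriteria.AddCondition("regardingobjectid", ConditionOperator.Equal, trial.Id);
        team.LinkCriteria.AddCondition("teamtemplateid", ConditionOperator.Equal, templateId);
        return new HashSet<Guid>(service.RetrieveMultiple(query).Entities
            .Select(e => e.GetAttributeValue<Guid>("systemuserid")));
    }

    // Add only the users who are on the trial but not yet in its access team; returns how many were added.
    public static int AddMissingUsers(IOrganizationService service, EntityReference trial,
        IEnumerable<Guid> trialUserIds, string templateName)
    {
        Guid templateId = GetTeamTemplateId(service, templateName);
        HashSet<Guid> current = GetCurrentMembers(service, trial, templateId);
        int added = 0;
        foreach (Guid userId in trialUserIds.Distinct().Where(id => id != Guid.Empty && !current.Contains(id)))
        {
            service.Execute(new AddUserToRecordTeamRequest
            {
                Record = trial, SystemUserId = userId, TeamTemplateId = templateId
            });
            added++;
        }
        return added;
    }
}
```

Skipping users who are already members keeps the update idempotent, so re-saving a clinical trial does not issue redundant share requests.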

The step is registered using the Plugin Registration Tool.

Figure 14

Further reading

Determine if a user has a particular security role

References

https://learn.microsoft.com/en-us/dynamics365/customerengagement/on-premises/admin/manage-teams?view=op-9-1

https://softchief.com/2017/04/08/security-model-part-1/