POWEROBJECTS


Here’s a quick tip to make sure sensitive data in Dynamics CRM isn’t being viewed by users who aren’t supposed to see it. When it comes down to it, hiding the field using Business Rules or JavaScript does not prevent users from accessing the data. The solution you should use to prevent unauthorized access is Field Level Security.


Consider this scenario: the Account entity has a Sensitive Data field which holds ‘Top Secret’ information.

Hiding a Field Does not Hide the Data in Dynamics CRM

If you use a Business Rule or JavaScript to hide the field on the form, it should indeed remove the field from the form.


But look what happens when the user decides to use the built-in developer tools (F12) in their browser. They are able to see the ‘Top Secret’ information.


If you need to have data on a form that is accessible to some users and not to others, using Field Level Security is a better solution.


Now when the user tries to see the ‘Sensitive Data’, they don’t see anything other than the masked value.

Here’s the explanation. When using a Business Rule or JavaScript, the logic to hide or show the field is applied in the user’s browser. At this point the data has already been sent to the client from the server. The underlying field data must be kept around in its hidden state just in case a Business Rule or JavaScript decides that the field needs to be shown again, and to prevent having to re-request data from the server (think performance).

When Field Level Security is in place, the logic determining whether the data is shown is applied on the server prior to the data being sent to the client. This way, instead of the actual data, asterisk placeholders are sent in its place. An added benefit of Field Level Security is that it’s applied in places like views or advanced find, where you aren’t able to apply Business Rules or JavaScript.
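
The difference between the two approaches, as a simplified model added here (it is not Dynamics CRM code and not part of the original post). The field name `new_sensitivedata`, the `clerk` and `manager` users and all function names are assumptions made for the example.

```javascript
// Simplified model of the two approaches; constructed for illustration,
// not Dynamics CRM's implementation.
const MASK = "********";

// Constructed sample data: an account record and its secured column.
const account = { name: "Contoso", new_sensitivedata: "Top Secret" };
const securedFields = new Set(["new_sensitivedata"]);

// Server without field-level enforcement: every column goes on the wire.
function serializeUnfiltered(record) {
  return JSON.stringify(record);
}

// Server with field-level enforcement: a secured column is replaced by a
// mask before serialization unless the user has read permission on it.
function serializeWithFieldSecurity(record, user) {
  const out = {};
  for (const [field, value] of Object.entries(record)) {
    const allowed = !securedFields.has(field) || user.canRead.includes(field);
    out[field] = allowed ? value : MASK;
  }
  return JSON.stringify(out);
}

// Client: hiding a field only removes it from what is rendered; the parsed
// payload still holds whatever the server sent.
function loadForm(payload, hiddenFields) {
  const data = JSON.parse(payload);
  const rendered = Object.keys(data).filter((f) => !hiddenFields.includes(f));
  return { data, rendered };
}

// Review check: did the protected value reach the client at all?
function valueReachedClient(payload, value) {
  return Object.values(JSON.parse(payload)).includes(value);
}

const clerk = { canRead: [] };                        // no field permission
const manager = { canRead: ["new_sensitivedata"] };   // read permission

const hiddenOnly = serializeUnfiltered(account);
const form = loadForm(hiddenOnly, ["new_sensitivedata"]);
console.log("rendered:", form.rendered);              // field is not drawn
console.log("still in client data:", form.data.new_sensitivedata);
console.log("clerk payload:", serializeWithFieldSecurity(account, clerk));
console.log("manager payload:", serializeWithFieldSecurity(account, manager));
```

When reviewing a form, the question to ask is the one `valueReachedClient` answers: whether the protected value is in the response at all, not whether the control is visible.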

If you want more information on security in Dynamics CRM, check out these links:

Happy CRM’ing!


JoeCRM
