Hiding a Field Does not Hide the Data in Dynamics CRM

Post Author: Joe D365

Here's a quick tip to make sure sensitive data in Dynamics CRM isn't being viewed by users who aren't supposed to see it. When it comes down to it, hiding the field using Business Rules or JavaScript does not prevent users from accessing the data. The solution you should use to prevent unauthorized access is Field Level Security.

Consider this scenario: the Account entity has a Sensitive Data field which holds 'Top Secret' information.

If you use a Business Rule or JavaScript to hide the field on the form, the field is indeed removed from the form.

But look what happens when the user decides to use the built-in developer tools (F12) in their browser. They are able to see the 'Top Secret' information.

If you need to have data on a form that is accessible to some users and not to others, Field Level Security is a better solution.

Now when the user tries to see the 'Sensitive Data' field, they don't see anything other than the masked value.

Here's the explanation. When using a Business Rule or JavaScript, the logic to hide or show the field is applied in the user's browser. At that point the data has already been sent from the server to the client. The underlying field data must be kept around in its hidden state in case a Business Rule or JavaScript decides that the field needs to be shown again, and to avoid having to re-request data from the server (think performance).

When Field Level Security is in place, the logic determining whether the data is shown is applied on the server before the data is sent to the client. This way, instead of the actual data, asterisk placeholders are sent in its place. An added benefit of Field Level Security is that it's applied in places like views or Advanced Find, where you aren't able to apply Business Rules or JavaScript.
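
The difference between the two approaches, as an added example that is not from the original post: a simplified JavaScript model of the data flow, not the Dynamics client API. The field name `new_sensitivedata`, the user objects, the function names and the mask string are all assumptions made for illustration.

```javascript
// Simplified model of the form data flow; NOT the Dynamics client API.
// All names and values here are hypothetical and constructed for illustration.
const record = { name: "Contoso", new_sensitivedata: "Top Secret" };
const securedFields = new Set(["new_sensitivedata"]); // Field Level Security enabled
const MASK = "********"; // constructed stand-in for the masked value

// Server side: build the payload sent to the browser for one user.
// Without FLS every value is sent. With FLS, a secured field is masked
// unless the user's field security profile grants read on it.
function buildFormPayload(rec, user, enforceFls) {
  const payload = {};
  for (const [field, value] of Object.entries(rec)) {
    const canRead = !securedFields.has(field) || user.readableSecuredFields.includes(field);
    payload[field] = { value: enforceFls && !canRead ? MASK : value, visible: true };
  }
  return payload;
}

// Client side: what a Business Rule or form script does when it hides a field.
// Only the rendering flag changes; the value stays in browser memory.
function hideControl(payload, field) {
  payload[field].visible = false;
}

// What the form draws on screen.
function renderedFields(payload) {
  return Object.keys(payload).filter((f) => payload[f].visible);
}

// What is actually held in the browser for a field, rendered or not.
function valueInBrowser(payload, field) {
  return payload[field].value;
}

const salesUser = { readableSecuredFields: [] };
const manager = { readableSecuredFields: ["new_sensitivedata"] };

// Case 1: field hidden by client-side logic only.
const hiddenOnly = buildFormPayload(record, salesUser, false);
hideControl(hiddenOnly, "new_sensitivedata");
console.log(renderedFields(hiddenOnly), valueInBrowser(hiddenOnly, "new_sensitivedata"));

// Case 2: Field Level Security decided on the server before sending.
const flsSales = buildFormPayload(record, salesUser, true);
const flsManager = buildFormPayload(record, manager, true);
console.log(valueInBrowser(flsSales, "new_sensitivedata"), valueInBrowser(flsManager, "new_sensitivedata"));
```

In case 1 the field is absent from the rendered form but its value is still in the payload; in case 2 the unauthorized user's payload never contains the value at all.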

If you want more information on security in Dynamics CRM, check out these links:

Happy CRM'ing!

Joe CRM