Here's a quick tip to make sure sensitive data in Dynamics CRM isn't being viewed by users who aren't supposed to see it. When it comes down to it, hiding the field using Business Rules or JavaScript does not prevent users from accessing the data. The solution you should use to prevent unauthorized access is Field Level Security.
Consider this scenario: the Account entity has a Sensitive Data field which holds 'Top Secret' information.
If you use a Business Rule or JavaScript to hide the field on the form, it does indeed remove the field from the form.
But look what happens when the user decides to use the built-in developer tools (F12) in their browser. They are able to see the 'Top Secret' information.
If you need to have data on a form that is accessible to some users and not to others, using Field Level Security is a better solution.
Now when the user tries to see the 'Sensitive Data', they don't see anything other than the masked value.
Here's the explanation. When using a Business Rule or JavaScript, the logic to hide or show the field is applied in the user's browser. At this point the data has already been sent to the client from the server. The underlying field data must be kept around in its hidden state in case a Business Rule or JavaScript decides that the field needs to be shown again, and to avoid having to re-request data from the server (think performance).
When Field Level Security is in place the logic determining if the data is shown or not is applied on the server prior to the data being sent to the client. This way instead of sending the actual data, the asterisk placeholders are sent in its place. An added benefit of Field Level Security is that it's applied in places like views or advanced find where you aren't able to apply Business Rules or JavaScript.
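The difference between the two approaches can be modeled in a few lines. This is an added example, not code from the original post and not Dynamics CRM code: the record, the `readGrants` profiles, the mask string and every function name are constructed for illustration.

```javascript
// Simplified model of the two approaches. All names and data are constructed.
const MASK = "********";
const account = { name: "Contoso", sensitivedata: "Top Secret" };
const securedFields = new Set(["sensitivedata"]);
// Hypothetical field security profiles: who may read which secured field.
const readGrants = { alice: new Set(["sensitivedata"]), bob: new Set() };

// Server WITHOUT field level security: every value is sent to the client.
function serializeUnsecured(record) {
  return { ...record };
}

// Server WITH field level security: the decision is made before the response
// is built, so an unauthorized user only ever receives the mask.
function serializeSecured(record, user) {
  const grants = readGrants[user] || new Set();
  const out = {};
  for (const [field, value] of Object.entries(record)) {
    const allowed = !securedFields.has(field) || grants.has(field);
    out[field] = allowed ? value : MASK;
  }
  return out;
}

// Client: build form state from the payload, then hide a field the way a
// Business Rule or script would. Only the visibility flag changes.
function loadForm(payload) {
  const form = {};
  for (const [field, value] of Object.entries(payload)) {
    form[field] = { value, visible: true };
  }
  return form;
}
function hideField(form, field) {
  form[field].visible = false;
  return form;
}

// What the form renders versus what is present in the browser's memory.
function rendered(form) {
  return Object.fromEntries(Object.entries(form)
    .filter(([, f]) => f.visible).map(([k, f]) => [k, f.value]));
}
function inClientMemory(form) {
  return Object.fromEntries(Object.entries(form).map(([k, f]) => [k, f.value]));
}

// Review check for an unauthorized user's session: secured fields whose real
// value reached the client instead of the mask.
function exposedFields(form) {
  return Object.entries(form)
    .filter(([k, f]) => securedFields.has(k) && f.value !== MASK).map(([k]) => k);
}
```

With the unsecured payload, `hideField` removes the field from `rendered` but `exposedFields` still reports it; with `serializeSecured` for a user without a grant, the list is empty because the real value never left the server.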
If you want more information on security in Dynamics CRM, check out these links:
Happy CRM'ing!