Enhanced Data Security – Restriction on Custom entity screen buttons

By | June 6, 2010

Data security and data maintenance are very important in today's world. Many organizations follow a territorial structure, while others stick to basics and make the data of a user in one territory available for viewing by users in another territory. Such a user might not have permission to modify the data, but can still view it. This approach works well as the hierarchy of users grows and managing security rights for all of them becomes a cumbersome task.

In order to keep the data secured based on the user hierarchy and the access rights set, Sage CRM has powerful tools such as Territories and Security Profiles. These two features manage user access rights on primary entities like Company, Person, Case, Opportunity, Communication and Lead. CRM identifies which user has rights to Insert/Update/Delete/Edit a particular entity using the Security Profiles assigned to that user and accordingly makes the New/Change/Save buttons available in CRM. The territory profile data used for this purpose is stored in the TerritoryPermission table in order to maintain a high level of data protection.

Now consider a scenario where this standard behavior also needs to work for custom entities or for custom functionality that we design. We can make the Change and Delete buttons appear or disappear based on the user rights set in the TerritoryPermissions table. This way we can ensure the same standard security mechanism in our custom actions as well.

In a custom ASP page you can hide/show the buttons based on the above security setting as well as your own custom conditions by using:


// Add the button only when the EDIT check on CASES and the custom condition both pass
if (eWare.Button("", "", "Item", "CASES", "EDIT") && Custom_Condition)
{
    // Add button
    container.AddButton(CRM.Button("AddProject", "cancel.gif", CRM.Url("Project/ProjectNew.asp") + "&T=find&E=TestCase"));
}
else
{
    // Do nothing
}

This works well when we have designed our own page and have all the code in hand, but what if we are working on standard built-in screens? Let's consider a scenario where we need to restrict a user from editing a Person (a primary entity) or need to hide/show a custom button on the standard Person screen.

Here are some easy and straightforward steps that you can follow.

1. Catch the custom condition at the create script level.
2. Store the remove flag in a hidden variable.
3. Fetch the hidden value on the client side (page on load).
4. Based on the hidden variable's value, hide/show the button.

Some sample scenarios where this can work:

1. Person entity is used extensively and it is integrated with Self Service. Now you want to make sure that once the Self Service is enabled for person, no one can change the person details apart from System Administrator. In short you need to hide/show Change on the Person summary screen.

2. Suppose Sage CRM is integrated with Sage ACCPAC ERP where the Company entity is used mainly. So you would like to make available the Change button only to the users having admin rights or any particular user.

3. If you have added a custom button say “Print Order” on the standard Opportunity screen and you would like to make it available only when the opportunity is in “In Progress” state.

All of this can be achieved by following the steps above.
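The four steps applied to scenario 1, as an added example that is not code from the original post or from Sage CRM. The function names, the element ids `removeChangeFlag` and `changeButton`, and the `selfServiceEnabled` / `isSystemAdmin` properties are assumptions made for illustration; the stand-in document object is constructed so the logic runs outside a browser.

```javascript
// Added example: every name and id here is hypothetical, not a Sage CRM API.

// Steps 1-2 (server side, e.g. in a create script): decide the remove flag.
// Scenario 1: once Self Service is enabled for a person, only a
// System Administrator keeps the Change button.
function computeRemoveFlag(user, person) {
  if (!user || !person) return "Y"; // missing context: remove the button
  if (person.selfServiceEnabled && !user.isSystemAdmin) return "Y";
  return "N";
}

// Steps 3-4 (client side, page on load): read the hidden value, hide/show.
// `doc` is the browser `document` or any object offering getElementById.
function applyRemoveFlag(doc, flagId, buttonId) {
  var flag = doc.getElementById(flagId);
  var button = doc.getElementById(buttonId);
  if (!button) return "absent";
  // Only an explicit "N" keeps the button; a missing or odd value hides it.
  var keep = flag !== null && flag.value === "N";
  button.style.display = keep ? "" : "none";
  return keep ? "shown" : "hidden";
}

// Constructed stand-in for the DOM.
function fakeDocument(elements) {
  return {
    getElementById: function (id) {
      return Object.prototype.hasOwnProperty.call(elements, id) ? elements[id] : null;
    }
  };
}

// Constructed sample users and person records.
function demo() {
  var cases = [
    { user: { isSystemAdmin: false }, person: { selfServiceEnabled: true } },
    { user: { isSystemAdmin: true }, person: { selfServiceEnabled: true } },
    { user: { isSystemAdmin: false }, person: { selfServiceEnabled: false } }
  ];
  return cases.map(function (c) {
    var doc = fakeDocument({
      removeChangeFlag: { value: computeRemoveFlag(c.user, c.person) },
      changeButton: { style: { display: "" } }
    });
    return applyRemoveFlag(doc, "removeChangeFlag", "changeButton");
  });
}
// Browser use: window.onload = function () {
//   applyRemoveFlag(document, "removeChangeFlag", "changeButton"); };
```

Hiding the button only changes what the page shows; the edit rights themselves still come from the user's Security Profile and territory settings.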

You can also refer to the link below to find out how to remove/retain standard buttons on a screen.

http://sagecrmaddons.blogspot.com/2008/11/hide-new-note-button-under-notes-tab-of.html

If you find this content useful, please drop us an email at crm@greytrix.com.