EVEN BETTER UPDATE!!!: Nick incorporated this into an addin for Tanguy’s awesome XrmToolbox. I’d still recommend you read the post to understand how this all works. Also, if you are OnPrem, then the last paragraph of this post will save you even more time.
UPDATE: I’ve modified the post to demonstrate how to fully automate the whole process with sample console app code.
I’ve received a lot of feedback from customers and partners that if you are doing eXtend CRM (aka XRM), then it’s a real pain to have to disable the out of the box functionality. Instead, the feedback I get is that what people really want is a clean organization that has:
1. A Minimum Privileges Role Template which allows them to turn on the functionality they want to enable for a user.
2. Automatically hide Settings and Resource Center from the Site Map.
3. Delete unnecessary out of the box Security Roles.
4. Hide the out of the box Reports.
5. Delete the out of the box Dashboards.
I know a few CRM partners who already have something like this to kickstart their XRM development. I’ve been working on a little side project I simply call XRM Starter. It’s a combination of an unmanaged solution which accomplishes #1 & #2 and sample code that accomplishes #3, #4, and #5. The sample code also automates the import/publish process. Here’s how to get started…
Download the XrmStarter.zip solution package. It’s an unmanaged solution. Create a new organization using Deployment Manager. You can either import the solution into the new organization using the standard solution import process and perform #3, #4, and #5 manually, or you can drop the following code into a console app:
Once you’ve done that, create a new security role by copying the Minimum Privileges Role Template:
Add a User, then assign the user the new role you just created.
Now, log in to CRM as that user. If you are using Windows Authentication, then just run Internet Explorer with the “Run as different user” option and log in as that other person:
…then navigate to the CRM Organization. If you are using Claims or CRM Online, then just start a new Internet Explorer InPrivate session and you will be prompted for credentials when you navigate to the CRM Org. Once you log in as that user, you will see the following:
Notice how the only thing showing in the top level navigation is Workplace, the ribbon is bare, and the only two links under My Work are Dashboards and Reports. If you deleted the out of the box dashboards and hid the out of the box reports, then clicking both links will result in the main content area being empty. I am going to quickly build an entity and a report by going back to my browser session logged in as a System Administrator. You should too, but I am going to skip instructions and assume you can do that yourself. Now that I have created the entity and report, I can update the role to grant read access to the entity I created:
…and if I refresh the browser that’s logged in as the user with the new security role, I see the entity in the Site Map since I gave the role Read access to the ReadOnlyTest entity:
However, notice I don’t have an option to create or edit the entity in the Ribbon. I can run the report on the data:
If I open one of the entity forms, notice how few actions are available to me in the form Ribbon:
I can’t create, update, or delete the record because I only have read privileges. Have a look at the contents of the Xrm Starter Solution:
Most of the work is done by the Minimum Privileges Role Template. Mostly, this is just an example of the power of CRM 2011 role-based security in action. Through plenty of trial and error and other blog posts, I was able to get what I think is the right minimal privileges configured for core XRM scenarios. The good news is that if you start getting errors when testing the role, you can just turn the privileges you need on. That’s basically what I did to get to the level of privileges I have configured for the role. When you review the errors you are getting (either through the CRM error dialog or using http://crmdiagtool2011.codeplex.com/), the error messages will tell you which privXXX formatted privileges are missing. I found the Security Role UI to Privilege Mapping documentation to be very useful to translate the privXXX format into what’s in the CRM UI.
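Because every working role starts as a copy of the template and then has privileges turned on one at a time, it is worth checking what a copied role grants beyond the template before it is assigned to users. The following is an added example, not code from XrmStarter.zip or the original post: the XML shape, the role name "ReadOnlyTest Reader" and the privilege names are constructed assumptions modelled on an exported role definition.

```python
import xml.etree.ElementTree as ET

# Access depths ordered from narrowest to widest
# (user, business unit, parent/child business units, organization).
DEPTH = {"Basic": 1, "Local": 2, "Deep": 3, "Global": 4}

# Constructed sample input. Element names, attribute names and privilege
# names are assumptions for illustration, not taken from XrmStarter.zip.
SAMPLE = """
<Roles>
  <Role name="Minimum Privileges Role Template">
    <RolePrivilege name="prvReadUserSettings" level="Basic" />
    <RolePrivilege name="prvReadExampleView" level="Global" />
  </Role>
  <Role name="ReadOnlyTest Reader">
    <RolePrivilege name="prvReadUserSettings" level="Local" />
    <RolePrivilege name="prvReadExampleView" level="Global" />
    <RolePrivilege name="prvReadnew_readonlytest" level="Global" />
  </Role>
</Roles>
"""

def load_roles(xml_text):
    """Return {role name: {privilege name: access level}}."""
    roles = {}
    for role in ET.fromstring(xml_text).iter("Role"):
        roles[role.get("name")] = {
            p.get("name"): p.get("level") for p in role.iter("RolePrivilege")
        }
    return roles

def diff_against_template(roles, template, candidate):
    """Report what `candidate` grants beyond (or lacks versus) `template`."""
    base, cand = roles[template], roles[candidate]
    return {
        # Privileges the template never had: each one should be intentional.
        "added": sorted(n for n in cand if n not in base),
        # Same privilege, wider depth than the template granted.
        "widened": sorted(n for n in cand
                          if n in base and DEPTH[cand[n]] > DEPTH[base[n]]),
        # Template privileges missing from the copy (likely to cause errors).
        "removed": sorted(n for n in base if n not in cand),
    }

if __name__ == "__main__":
    report = diff_against_template(load_roles(SAMPLE),
                                   "Minimum Privileges Role Template",
                                   "ReadOnlyTest Reader")
    for kind, names in report.items():
        print(kind, names)
```
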
In order to hide the Settings and Resource Center navigation links, I used the approach I mention in this blog post. That’s why you see the privShowSettings and privShowResourceCenter entities and Site Map in the unmanaged solution.
If you are using CRM Online for your dev and test environments, you have to run through these steps for every new CRM Organization you create. The good news is that if you have access to the CRM and SQL servers, all you have to do is maintain a clean organization with these steps applied, copy the organization database using SQL Server Management Studio, and then use the Import Organization wizard within Deployment Manager to set up a new org by pointing to that database. Once you have a database as your XRM Starter attached to your SQL Server, spinning up a new org that’s XRM ready is lightning fast!