Developers frequently write JavaScript on entity forms to read or modify field values. In some scenarios, however, the script does not receive the expected value from a field even though the field has a value. One possible reason is field level security.
If field level security is enabled for a field and the logged-in user does not have the READ right on that field, JavaScript gets a null value. This may result in incorrect business logic.
Hence, to avoid such scenarios, it is better to check what level of permissions the logged-in user has. In this blog, I have given a step-by-step implementation of a Custom Action with a Plugin that checks what level of permissions a user has on a field.
1. When querying field permissions for a team, we follow the path below. This is straightforward.
SELECT fp.attributelogicalname, fp.cancreate, fp.canread, fp.canupdate
FROM teamprofiles tp
INNER JOIN fieldsecurityprofile fsp ON tp.fieldsecurityprofileid = fsp.fieldsecurityprofileid
INNER JOIN fieldpermissions fp ON fp.fieldsecurityprofileid = fsp.fieldsecurityprofileid
WHERE tp.teamid = <team id passed in parameter>
2. When querying field permissions for a user, we first need to check the user's association with security profiles, and also the association with security profiles of the teams in which the user is a member. The query path is below.
SELECT fp.attributelogicalname, fp.cancreate, fp.canread, fp.canupdate
FROM systemuserprofiles sup
INNER JOIN fieldsecurityprofile fsp ON sup.fieldsecurityprofileid = fsp.fieldsecurityprofileid
INNER JOIN fieldpermissions fp ON fp.fieldsecurityprofileid = fsp.fieldsecurityprofileid
WHERE sup.systemuserid = <user id passed in parameter>
UNION
SELECT fp.attributelogicalname, fp.cancreate, fp.canread, fp.canupdate
FROM teamprofiles tp
INNER JOIN teammembership tm ON tm.teamid = tp.teamid
INNER JOIN fieldsecurityprofile fsp ON tp.fieldsecurityprofileid = fsp.fieldsecurityprofileid
INNER JOIN fieldpermissions fp ON fp.fieldsecurityprofileid = fsp.fieldsecurityprofileid
WHERE tm.systemuserid = <user id passed in parameter>
[Note: The second SELECT, after the UNION, gets the field permissions that are assigned to the user through teams.]
Explanation:
This operation is not specific to any entity, and a developer might want to call the action for either a system user or a team. Hence, we have set the scope as Global.
| Parameter Name | Purpose |
| --- | --- |
| output | This parameter will contain the result of the action: a JSON string with all the security enabled fields and their permissions. |
| entityid | This is an input parameter. It should contain either the System User GUID or the Team GUID. |
| primaryentity | This is an input parameter. The valid values are either “systemuser” or “team”. This determines whether field permissions are being identified for a user or a team. |
| fieldsecurityprofilename | This input parameter contains the name of the Field Security Profile from which permissions will be retrieved. |
| entityname | This is an optional input parameter. It should contain the entity type code. |
| fieldname | This is an optional input parameter. If you want to find permissions for a specific field, put its logical name in this parameter. |
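As an added example (not part of the original post or its plugin code), this is how form script could consume the `output` JSON so that "not readable" is never mistaken for "empty". The JSON shape (an array of rows carrying the query's column names with the raw option-set values 0 = Not Allowed, 4 = Allowed), the rule that a permission granted by any profile applies, and the field names are assumptions.

```javascript
// Added example. The JSON shape of `output` is an assumption, not the blog's format.
const ALLOWED = 4; // fieldpermission option-set value: 0 = Not Allowed, 4 = Allowed

// Constructed sample of the action's `output` string. The UNION over user and
// team profiles can return one row per profile for the same field.
const SAMPLE_OUTPUT = JSON.stringify([
  { attributelogicalname: "new_creditlimit", cancreate: 0, canread: 0, canupdate: 0 },
  { attributelogicalname: "new_creditlimit", cancreate: 0, canread: 4, canupdate: 0 },
  { attributelogicalname: "new_ssn", cancreate: 0, canread: 0, canupdate: 0 }
]);

// Merge rows per field. Assumption: permissions from several profiles are
// cumulative, so a right granted by any one profile applies.
function effectivePermissions(outputJson) {
  const merged = new Map();
  for (const row of JSON.parse(outputJson)) {
    const key = String(row.attributelogicalname).toLowerCase();
    const cur = merged.get(key) ||
      { cancreate: false, canread: false, canupdate: false };
    for (const p of ["cancreate", "canread", "canupdate"]) {
      cur[p] = cur[p] || Number(row[p]) === ALLOWED;
    }
    merged.set(key, cur);
  }
  return merged;
}

// Read a field that is known to have field level security enabled.
// Fails closed: a field with no row in `perms` is treated as not readable.
function readSecuredField(formContext, fieldName, perms) {
  const p = perms.get(fieldName.toLowerCase());
  if (!p || !p.canread) {
    return { readable: false, value: null };
  }
  const attr = formContext.getAttribute(fieldName); // null if not on the form
  return { readable: true, value: attr ? attr.getValue() : null };
}
```

Business logic should branch on `readable` first and only then interpret `value`, so a null caused by a missing READ right does not trigger the "field is empty" path.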
Locate the file named GetFieldSecurityProfileAssociationAction.cs under the Plugins project.
https://docs.microsoft.com/en-us/dynamics365/customer-engagement/developer/sample-retrieve-field-permissions