D365 PSA: Restrict Project access only to their Project Managers

Out of the box, PSA’s Project Manager security role provides complete access even to other Project Managers’ Projects. But what if you want to bring down the access of the Project Managers to their own Projects only?

Remember, access in D365 PSA is granted based on the Owner (ownerid) field and not the Project Manager (msdyn_projectmanager) field.


Scenario

Now, I don’t want a Project Manager to have access to others’ Projects, and it looks like this can’t be controlled from the Security Level perspective, given that the Project Manager is a separate field from the Owner of the Project.

So, I’ll limit the access to only the User level (the one who created the record would have the access, obviously).


But this removes the access even from the Project Managers, since they don’t own the Projects. To overcome this, I’ve written a simple plugin that provides access to the Project Manager whenever that field is updated, by sharing the Project and giving PMs the access.

For this, I’ve written plugin code that will grant all permissions to the Project Manager of that Project, and I would like to share it with you all to use.

GitHub Project

Here’s the GitHub repository I’ve created which has the plugin code and the Unmanaged Solution that contains only the plugin assembly and the registered step –

Link: D365PSA-PMAccessRights

The D365 Unmanaged Solution resides in the same repository.

This will work in the following scenarios –

  1. When a Project Manager is changed from Person A to Person B, the access rights of Person A will be removed and granted to Person B.
  2. You can even create a trigger field and use an on-demand workflow to set the trigger. This trigger should be included in the filtering attributes of the plugin step to update the existing records.

This will provide access to the Project Manager of the Project automatically, in addition to the Owner, so that they see/access only Projects that concern them.

Make sure no other security role is overriding your restricted access.
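The share/revoke swap from scenario 1, as an added example that is not the code from the GitHub repository. It assumes `msdyn_projectmanager` is a lookup to a user, that the step is registered on Update of `msdyn_project` with `msdyn_projectmanager` as a filtering attribute, and that a pre-image with the hypothetical alias `PreImage` is attached; the class name is also made up.

```csharp
using System;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;

// Added example. Assumed registration: Update of msdyn_project, post-operation,
// filtering attribute msdyn_projectmanager, pre-image alias "PreImage".
public class ShareProjectWithManager : IPlugin
{
    // The post grants all permissions; trim this mask if PMs need less.
    private const AccessRights PmRights =
        AccessRights.ReadAccess | AccessRights.WriteAccess | AccessRights.AppendAccess |
        AccessRights.AppendToAccess | AccessRights.DeleteAccess |
        AccessRights.ShareAccess | AccessRights.AssignAccess;

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        // null = run as SYSTEM, so sharing works even if the caller has no Share privilege.
        var service = factory.CreateOrganizationService(null);

        if (!context.InputParameters.Contains("Target")) return;
        var target = context.InputParameters["Target"] as Entity;
        if (target == null || !target.Contains("msdyn_projectmanager")) return;

        var project = new EntityReference(target.LogicalName, target.Id);
        var newPm = target.GetAttributeValue<EntityReference>("msdyn_projectmanager");
        Entity pre;
        var oldPm = context.PreEntityImages.TryGetValue("PreImage", out pre)
            ? pre.GetAttributeValue<EntityReference>("msdyn_projectmanager") : null;

        if (oldPm != null && newPm != null && oldPm.Id == newPm.Id) return; // PM unchanged

        // Removes only the share; access held through ownership or a role is unaffected.
        // Without the pre-image the previous PM is unknown and their share stays in place.
        if (oldPm != null)
            service.Execute(new RevokeAccessRequest { Target = project, Revokee = oldPm });

        if (newPm != null) // PM field may have been cleared
            service.Execute(new GrantAccessRequest
            {
                Target = project,
                PrincipalAccess = new PrincipalAccess { Principal = newPm, AccessMask = PmRights }
            });
    }
}
```

This covers only the case where the Project Manager field itself changes; the trigger-field variant from scenario 2 would need to read the current Project Manager from the record instead of the Target.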

Hope this helps! 🙂


D365 Quick Tip: Can’t add members to the default Business Unit Team

I would like to share a consideration I take while designing Teams, which you might need in order to make certain records shareable. I faced an issue once when users started to use Default Teams created on Business Units.

After several months, it turned out that some users from other Business Units also needed to be on that Team, and several records were already assigned to the BU-provided Default Teams.

Scenario

  1. Priyesh belongs to Southeast Asia BU and Somesh belongs to North America BU.
  2. Some records were assigned to the North America team, which is the Default Team created by the BU.
  3. Priyesh wanted to be in the North America Team.
    So I tried adding North America to Teams under the user Priyesh, but I got an error.

That is because you cannot add Default Teams to users in some other BUs.

Workaround

As a workaround, I just created a new Team, named it “<BU Name> – Shareable”, and assigned records to this team so that I know where I want the records to be visible as per my Security Roles setup.


And hence, I added the North America – Shared team for Priyesh.

I would also like to hear your suggestions and any workarounds you may have. Thanks! 😊