Policy Based Security for Microsoft Dynamics CRM

As corporate security, data sharing, and compliance requirements increase, managing access to customer data in Microsoft Dynamics CRM has become more important than ever.  These changing requirements can result in increased administration overhead and complexity.

NextLabs Enforcer for Microsoft Dynamics helps simplify this management by extending the existing Dynamics security model through attribute based policies.  With attribute based policies, we can easily implement attribute based access control for Dynamics.  Attribute based access control allows us to secure records in Dynamics based on a combination of user attributes and record values.

In the following example, we have specific Dynamics account records that are considered sensitive.   These accounts are considered VIPs based on a value in the record.  We only want certain Dynamics users to be able to access these accounts based on a user attribute in the Dynamics user record.  Whenever an account record is changed to a VIP, we want these accounts to be secured automatically.  We also don’t want Dynamics users to be able to override this security.

NextLabs policies are natural language policies.  This makes the policies simple to write and understand.

First we specify the policy effect.  In this case we are allowing access to the accounts based on criteria in the policies.

Then we specify the subject components.  Subject components represent the Dynamics users who will be allowed access to the accounts.  In the example, we added a VIP Account Manager property or attribute to the user account.  This can also be extended to automatically pull user attributes from systems outside of Dynamics.

Finally, we specify the resource components.  The resource components represent the data in Dynamics that the policy will control access to.  In this scenario, we added a property to the account record called VIP Account.

Policy Based Security for Microsoft Dynamics CRM

Once the policy is written and deployed, it will be enforced whenever an account is accessed or appears in a view.  Multiple policies can be enforced at once which can help address very complex security requirements without the need to manually control access to records or for custom development, ensuring that our Dynamics customer data remains secured.