I want to remove READ rights from a security role on the systemuser entity and execute a plugin on each new systemuser creation – it will grant READ to the particular user so that only his/her systemuser record is visible to them. The plugin has to run very last in the chain asynchronously.
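In my plugin I use the following code to assign read rights to the user:

    // Requires: using Microsoft.Xrm.Sdk; using Microsoft.Crm.Sdk.Messages;
    // The newly created systemuser record, taken from the plugin's post image.
    EntityReference systemUser = PostImage.ToEntityReference();

    // Share the record with the user it represents (target and principal are the same).
    GrantAccessRequest grantRequest = new GrantAccessRequest()
    {
        Target = systemUser,
        PrincipalAccess = new PrincipalAccess()
        {
            Principal = systemUser,
            AccessMask = AccessRights.ReadAccess
        }
    };

    GrantAccessResponse grantResponse =
        (GrantAccessResponse)XrmServiceContext.Execute(grantRequest);
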
But when I create a new user and log in using those credentials, this doesn't seem to make any change. All the systemuser records are visible! What am I doing wrong? Currently systemuser has read permission set to 'organization' in CRM security roles.
Any help would be much appreciated. Thanks!
You don't need to do this in a plugin or any other kind of code. All users are granted explicit shares to their own user record and user settings via rows in the PrincipalObjectAccess ('POA') table.
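
A way to check this from code, as an added example that is not part of the original thread: it lists the explicit shares on a user's own systemuser record and compares that user's effective rights on their own record with their rights on another user's record. The class and method names are hypothetical, and `svc` is assumed to be an `IOrganizationService` connected as an account allowed to read access information.

```csharp
using System;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;

// Hypothetical helper, not taken from the thread.
public static class SystemUserAccessCheck
{
    // Effective rights of `principal` on `target`: security roles and shares combined.
    public static AccessRights EffectiveRights(
        IOrganizationService svc, EntityReference principal, EntityReference target)
    {
        var response = (RetrievePrincipalAccessResponse)svc.Execute(
            new RetrievePrincipalAccessRequest { Principal = principal, Target = target });
        return response.AccessRights;
    }

    // Explicit shares recorded for `target` (the answer above expects the self-share here).
    public static PrincipalAccess[] ExplicitShares(
        IOrganizationService svc, EntityReference target)
    {
        var response = (RetrieveSharedPrincipalsAndAccessResponse)svc.Execute(
            new RetrieveSharedPrincipalsAndAccessRequest { Target = target });
        return response.PrincipalAccesses;
    }

    // userId and otherUserId are systemuser ids supplied by the caller.
    public static void Report(IOrganizationService svc, Guid userId, Guid otherUserId)
    {
        var user = new EntityReference("systemuser", userId);
        var other = new EntityReference("systemuser", otherUserId);

        foreach (var share in ExplicitShares(svc, user))
            Console.WriteLine(
                $"share: {share.Principal.LogicalName} {share.Principal.Id} -> {share.AccessMask}");

        var own = EffectiveRights(svc, user, user);
        var foreign = EffectiveRights(svc, user, other);
        Console.WriteLine($"own record:   {own}");
        Console.WriteLine($"other record: {foreign}");

        // A share on the user's own record cannot grant access to someone else's record,
        // so Read here has another source, e.g. the Read privilege in a security role.
        if (foreign.HasFlag(AccessRights.ReadAccess))
            Console.WriteLine("Read on another user's record does not come from the self-share.");
    }
}
```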