CB Dynamics 365 to SharePoint Permissions Replicator
Online Documentation

1. General

The out-of-the-box integration between Dynamics 365 and SharePoint document storage has a lot of advantages but also some disadvantages. The most significant disadvantage is the absence of permissions integration. Each one of those systems has its own security model and there is no out-of-the-box integration between them. This undesirable behaviour causes serious security issues, as everyone can see everything on the SharePoint side.

The CB Dynamics 365 to SharePoint Permissions Replicator product solves this problem easily:

Key Features

• Replicates Dynamics 365 permissions on item, file, folder, list, document library or even a SharePoint site
• Supports client-based integration (IFrame, crmlistcomponent)
• Supports server-based integration
• Event-based service
• Configurable
• Provided as a cloud service (no need to install)

2. How it Works

The CB Dynamics 365 to SharePoint Permissions Replicator consists of three basic components:

Connecting Software SaaS Portal takes care of configuration, subscription management and monitoring.

CB Dynamics 365 to SharePoint Permissions Replicator cloud service is responsible for running the permissions replication process.

Dynamics 365 Solution contains the plugin that registers all the steps that can influence permissions in Dynamics 365. When one of these steps occurs, the plugin will notify CB Dynamics 365 to SharePoint Permissions Replicator service, which will ensure that correct permissions are written into SharePoint. This makes sure that the privileges in Dynamics 365 will be exactly replicated to the relevant SharePoint folders. There are several ways to change permissions in Dynamics 365 and this solution covers all of them:

  • User
  • Security roles
  • Sharing
  • Teams, access teams and access team templates
  • Business unit
  • Hierarchy security – manager and position (CRM 2015, 2016 and Online)

WARNING:

This service will break role inheritance and modify security inside SharePoint. We are not responsible for recovering permissions to the initial state. Please test the service in your test environment first and create backups before deploying it to the production environment.

We rely on item level security at folder level in SharePoint. Any manual changes to item level security for influenced document libraries (sharing, etc.) can interfere with our service and may lead to inconsistent behavior or service malfunction.

3. System Requirements

  • Internet access to our portal (https://saas.connecting-software.com/)
  • Dynamics 365 and SharePoint must be accessible outside your network (Microsoft Azure Cloud)
  • Properly configured Document Management between Dynamics 365 and SharePoint
  • Properly working Microsoft Dynamics CRM Sandbox Processing Service in on-premises Dynamics 365 (our solution contains a Dynamics 365 plugin that runs in sandbox isolation mode)

4. Purchase

To purchase the CB Dynamics 365 to SharePoint Permissions Replicator product, visit our webpage at www.connecting-software.com and choose “CB Dynamics 365 to SharePoint Permissions Replicator” from the products menu as shown below in Figure 1.

Figure 1: Connecting Software Home Page

From the “CB Dynamics 365 to SharePoint Permissions Replicator” product page shown below in Figure 2, click the Pricing tab to view the pricing page with the available purchase plans as shown in Figure 3.

Figure 2: CB Dynamics 365 to SharePoint Permissions Replicator product page

Click “Free Trial” to test the product first, or click “Buy Now” to purchase a paid subscription, as shown below in Figure 3.

Figure 3: CB Dynamics 365 to SharePoint Permissions Replicator Pricing Page

Click “Try Free” to add the product to your cart.

Figure 4: CB Dynamics 365 to SharePoint Permissions Replicator Free Trial

Complete your purchase profile and place your order by clicking the “Place Order Now” button.

Figure 5: Ordering CB Dynamics 365 to SharePoint Permissions Replicator

Afterwards, you will see an order confirmation on the screen.

Figure 6: CB Dynamics 365 to SharePoint Permissions Replicator Order Confirmation

You will receive two emails from us: an order confirmation email and a guidelines email.

Figure 7: Order confirmation and guidelines emails.

Click the link pointing to our SaaS portal from Step 1 in the guidelines email to access your SaaS portal and configure your “CB Dynamics 365 to SharePoint Permissions Replicator”.

5. Login to your SaaS Portal Account

After clicking the link shown before in Figure 7, you need to log in to your SaaS portal account if you have one already (see Figure 8 – 1) or create a new one (see Figure 8 – 2).

Figure 8: SaaS Login page

Now, you need to configure “CB Dynamics 365 to SharePoint Permissions Replicator”.

6. Configuration

The following chapter describes the configuration process of CB Dynamics 365 to SharePoint Permissions Replicator.

A single configuration means replication of permissions from a single Dynamics 365 to a single SharePoint site. You can create multiple configurations like this.

6.1. Using the configuration wizard

The CB Dynamics 365 to SharePoint Permissions Replicator wizard is a new streamlined way of configuring your service to get the replication to work.

After logging in, you will be redirected to the configuration page. If for some reason you lost the link or forgot how to get there, the wizard can always be accessed through the dashboard quick links section.

Figure 9: Dashboard quick links section

6.1.1 Using your license

You start by choosing between creating a new configuration (see Figure 10 – 1) or activating the license in an existent configuration (see Figure 10 – 2).

For more information about how to activate an existent configuration, please look into section 6.1.7.

Figure 10: Choose between creating new configuration and adding subscription to existent one

6.1.2 Naming the configuration

You start by naming your configuration with a meaningful name to help you locate it again in the future.

Figure 11: Configuration Wizard – Configuration Name

6.1.3 Configuring Dynamics 365

In this step, you will need to configure Dynamics 365.

Figure 12: Configuration Wizard – Dynamics 365 Configuration – Password Authentication

To configure Dynamics 365, you can choose between Using Password Authentication or Using Modern Authentication and then pass the following parameters:

  • Organization URL – The URL of your Dynamics 365 Organization Service endpoint. It can be found in your Dynamics 365: Settings -> Customizations -> Developer Resources.

Examples:

– https://OrganizationName.api.crm4.dynamics.com/
– https://CrmName.contoso.com/OrganizationName/

For password authentication (see Figure 12), you need a single user, which we will call the “service user”. The user needs to be a system administrator within your Dynamics 365. You additionally need to fill in:

  • User – The login of the Dynamics 365 user with a System Administrator role

Examples:

– User@OrganizationName.onmicrosoft.com
– contoso\user

  • Password – The password of the Dynamics 365 user.

For modern authentication, you need to fill in additionally (see Figure 13):

  • Directory (Tenant) ID – The ID of your Azure AD instance.

Click on the “Grant tenant administrator consent” button to grant admin consent to the application. This only needs to be done once.

Next, you need to create an application user in Dynamics 365, as follows:

  • In Dynamics 365, go to Settings > Security > Users and switch the view to Application Users.
  • Click on New.
  • Switch to Application User form
    • Type in the Application (client) ID (in the form).
    • Type in the full name.
    • Type in the primary email.
  • Click on Save.
  • Select Manage Roles.
  • In the Manage User Roles dialog box, select System Administrator role, and then select OK.

Figure 13: Configuration Wizard – Dynamics 365 Configuration – Modern Authentication

6.1.4 Configuring SharePoint

In this step, you will need to configure SharePoint.

Figure 14: Configuration Wizard – SharePoint Configuration – Password Authentication

To configure SharePoint, you can choose between Using Password Authentication or Using Modern Authentication and then pass the following parameters:

  • Site Collection URL – The URL of your SharePoint site collection.

Examples:

– https://OrganizationName.sharepoint.com/
– https://SharePointName.contoso.com/sites/Documents

For password authentication (see Figure 14), you need a single user, which we will call the “service user”. The user needs to be a site collection administrator. You additionally need to fill in:

  • User – The login of the SharePoint user who is Site Collection Administrator (required).

Examples:

– User@OrganizationName.onmicrosoft.com
– contoso\user

  • Password – The password of the SharePoint user.

For modern authentication, you only need to fill in the form (see Figure 15):

  • Directory (Tenant) ID – The ID of your Azure AD instance.
    Click on the “Grant tenant administrator consent” button to grant admin consent to the application. This is only needed if you have not granted admin consent to the application in previous step.

Figure 15: Configuration Wizard – SharePoint Configuration – Modern Authentication

6.1.5 Service Activation

If you purchased a trial or a regular subscription you should have received an activation code via e-mail. To activate the service, copy the activation code from the e-mail you received as shown in Figure 7 and paste it into the “Activation Code” field in the “Service Activation” window and press the “Activate Token” button.

Figure 16: Configuration Wizard – Activating the service

A confirmation message will be displayed confirming that the service was activated successfully.

Figure 17: Configuration Wizard – Service activated

Once done, you can proceed to the final step. Keep in mind that when you click on the “Finish” button you won’t be able to go back and change your configuration; everything will already be created.

6.1.6 Starting Replication

In the final step, you can choose whether or not to start replicating permissions on the configuration immediately after clicking on the “Leave wizard” button.

Figure 18: Configuration Wizard – Starting Replication

6.1.7 Activating an existent configuration

In the first step of the wizard, if you click on the “Activate code on an existent Configuration” option, you need to select the “Configuration Name” that you wish to activate from the selection box and then click on the “Activate” button.

Figure 19: Configuration Wizard – Activating Code on an existent Configuration

You will be requested to type in the Activation Code (see Figure 20).

Figure 20: Service activation

If you purchased a trial or a regular subscription you should have received the activation code via e-mail. The “Activation Code” field should be automatically pre-filled. If that is not the case, copy the activation code from the e-mail you received as shown in Figure 7 earlier and paste it into the “Activation Code” field and click on the “Activate” button. A confirmation message will be displayed confirming that the service was activated successfully.

6.2 Manual Configuration

This section describes the configuration process of “CB Dynamics 365 to SharePoint Permissions Replicator”.

A single configuration means replication of permissions from a single Dynamics 365 to a single SharePoint site. You can create multiple configurations.

6.2.1 Create a configuration

To create a new configuration, please go to “Configuration > CB Dynamics 365 to SharePoint Permissions Replicator” (see Figure 21 – 1) and then click on the “Create New” button (see Figure 21 – 2).

Figure 21: Configuration Page

From the configuration screen shown below in Figure 22, you need to enter a meaningful name for your configuration and configure credentials for your Dynamics 365 and SharePoint. To make sure that you have entered valid credentials, you can click on the “Test connection” button for each connection.

NOTE:
If you are unable to connect to the target system, please try to log in via a browser to make sure that you have entered valid information.

For more information about how to configure Dynamics 365 and SharePoint, please consult sections 6.1.3 and 6.1.4, respectively.

Figure 22: New Configuration Page

After filling in all required fields, and if the connections tested successfully, click on the “Create” button to create a new configuration.

6.2.2 Activate a configuration

To start replicating permissions, you need to activate the configuration via the activation code received after purchasing the service from the shop (https://www.connecting-software.com/dynamics-crm-sharepoint-permissions-replicator-pricing/). If you already have the activation code, you can activate the configuration straight away by clicking on the “activate code now” link.

Figure 23: New Configuration Created

Paste the activation code into the “Activation Code” field in the “Service Activation” window shown below in Figure 24 and click on the “Activate” button. The Activation Code has the following format: f305ca9c-4ee6-448c-8f34-aa9cacdbf307.

Figure 24: Service Activation Window

Once the token is activated, a confirmation message will be displayed confirming that the service was activated successfully (see Figure 25) and then you can close the “Service Activation” window.

Figure 25: Service Activation Window – Confirmation message

You can also activate/extend any configuration at any time by expanding the burger icon next to that configuration and then clicking the “Activate service” button as shown below in Figure 26.

Figure 26: Activate/Extend a Configuration

7. Configuration Settings

7.1 User mapping

The service provides an automated algorithm to map (match) Dynamics 365 users to SharePoint users. The algorithm uses login name to map users and so it is important that Dynamics 365 and SharePoint are connected to the same Active Directory domain or Office 365 organization.

Click on the user mapping icon next to any configuration to view/edit the user mapping as shown below in Figure 27.

Figure 27: User Mapping Option

In the top box, you can see the number of CB Dynamics 365 to SharePoint Permissions Replicator user licenses required for your Dynamics 365 organization.

Figure 28: User Mapping Page

User mapping mode specifies whether the custom mapping will be appended to predefined mapping – Automatic (append) – or will replace predefined mapping – Manual (replace). To change user mapping mode, click on the “Change” button.

The Custom mapping column indicates whether the user mapping was automatic or manual.

The Mapped column indicates the status of the user mapping. The possible values are:

  • User is mapped – Indicates that the user is mapped (automated mapping or custom)
  • User is not mapped – Indicates that the user has not been mapped
  • User is excluded – Indicates that the user is excluded from automated mapping (intentionally)

If a user is not mapped or if you want to modify the user’s mapping, click the “Edit” button. You will be redirected to the “Custom user mapping” page as shown below in Figure 29. On this page, you will need to select (check) the target SharePoint principal(s) to be mapped to the Dynamics 365 user.

Click on the “Block” button to exclude a user from automated mapping. The user will not be mapped automatically.

Click on the “Remove” button to remove custom mapping.

Click on the “Unblock” button to include a user in automated mapping.

Figure 29: Custom user mapping Page
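
The sketch below is an added example, not code from the product: it models the login-name matching, the two mapping modes and the Block option described in this section, so you can pre-check which Dynamics 365 users would end up unmapped. The normalisation rule, the data shapes and all sample logins are assumptions constructed for illustration.

```python
# Added illustration of section 7.1: a model of the documented behaviour,
# not the service's code. The matching rules below are assumptions.


def normalize_login(login):
    """Reduce a login name to a comparable key.

    Assumption: SharePoint claims-encoded logins such as
    "i:0#.f|membership|user@tenant" carry the account name after the last "|".
    """
    login = login.strip()
    if "|" in login:
        login = login.rsplit("|", 1)[1]
    return login.lower()


def map_users(d365_logins, sp_logins, custom=None, blocked=(), mode="append"):
    """Return {d365_login: (status, [SharePoint logins])}.

    mode="append"  : Automatic (append), custom entries are added to the
                     login-name match
    mode="replace" : Manual (replace), only custom entries are used
    status is "mapped", "not mapped" or "excluded", as in the Mapped column.
    """
    if mode not in ("append", "replace"):
        raise ValueError("mode must be 'append' or 'replace'")
    custom = {normalize_login(k): list(v) for k, v in (custom or {}).items()}
    blocked = {normalize_login(b) for b in blocked}

    # Index SharePoint principals by their normalised login name.
    sp_index = {}
    for sp in sp_logins:
        sp_index.setdefault(normalize_login(sp), []).append(sp)

    result = {}
    for login in d365_logins:
        key = normalize_login(login)
        targets = list(custom.get(key, []))
        # Blocked users are skipped by the automated match only.
        if mode == "append" and key not in blocked:
            targets += [sp for sp in sp_index.get(key, []) if sp not in targets]
        if targets:
            status = "mapped"
        elif key in blocked:
            status = "excluded"
        else:
            status = "not mapped"
        result[login] = (status, targets)
    return result


def needs_review(mapping):
    """D365 logins that would receive no SharePoint principal."""
    return sorted(u for u, (status, _) in mapping.items() if status == "not mapped")


# Constructed sample data (not taken from a real tenant).
D365_USERS = [
    "Alice@OrganizationName.onmicrosoft.com",
    "contoso\\bob",  # on-premises style login, will not match by name
    "carol@OrganizationName.onmicrosoft.com",
    "svc-sync@OrganizationName.onmicrosoft.com",
]
SP_PRINCIPALS = [
    "i:0#.f|membership|alice@organizationname.onmicrosoft.com",
    "i:0#.f|membership|bob@organizationname.onmicrosoft.com",
    "i:0#.f|membership|svc-sync@organizationname.onmicrosoft.com",
]
CUSTOM = {"contoso\\bob": ["i:0#.f|membership|bob@organizationname.onmicrosoft.com"]}
BLOCKED = ["svc-sync@OrganizationName.onmicrosoft.com"]

if __name__ == "__main__":
    for mode in ("append", "replace"):
        mapping = map_users(D365_USERS, SP_PRINCIPALS, CUSTOM, BLOCKED, mode)
        print(mode, {u: s for u, (s, _) in mapping.items()}, needs_review(mapping))
```

In this model, switching to Manual (replace) leaves every user without a custom entry unmapped, which is why the list returned by `needs_review` is worth checking before changing the mode.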

7.2 Permissions mapping

As Dynamics 365 and SharePoint security models differ, a mapping between them needs to be established. To do so, CB Replicator automatically creates certain permission levels in the target SharePoint. The service has preconfigured mapping between Dynamics 365 and SharePoint that should be suitable for most deployments.

| D365 access right | SharePoint permission level | SharePoint permissions |
|---|---|---|
| ReadAccess | cbreplicator_crm_ReadAccess | ViewListItems, OpenItems, ViewVersions, ViewFormPages, Open, BrowseDirectories, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts |
| WriteAccess | cbreplicator_crm_WriteAccess | AddListItems, EditListItems, DeleteListItems, DeleteVersions |

Click on the icon next to any configuration to view/edit the permission mapping, as shown below in Figure 30.

Figure 30: Permission Mapping Option

Permission mapping mode specifies whether the custom mapping will be appended to predefined mapping – Automatic (append) – or will replace predefined mapping – Manual (replace). To change permission mapping mode, click on the “Change” button.

The Is custom column indicates whether permission mapping is default or custom (user-defined).

The Entity Filter column indicates which entities (Account, Lead, etc.) are affected by the permission mapping – the preconfigured mapping for specific Dynamics 365 access right is overridden in this case.

Figure 31: Permissions Mapping Page

To create a new custom mapping, click on the Create New button. You will be redirected to the “Custom permission mapping” page as shown below in Figure 32. On this page, you will need to choose an appropriate Dynamics 365 Access Right, a SharePoint Permission Level and, optionally, an Entity filter. Click Save and Close to finish.

Figure 32: Custom permission mapping

Click on the “Edit” button to modify a custom permission mapping.

Click on the “Remove” button to delete a custom permission mapping.

NOTE: You can only edit or delete custom permission mappings.

| Attribute name | Values | Description | Required | Default value |
|---|---|---|---|---|
| Dynamics 365 Access Right | String | The Dynamics 365 access right name. Allowed values are: AppendAccess, AppendToAccess, AssignAccess, CreateAccess, DeleteAccess, ReadAccess, ShareAccess, WriteAccess | Yes | |
| SharePoint Permission Level | String | The SharePoint permission level. | Yes | |
| Entity Name | String | The logical name of the Dynamics 365 entity that will be affected by the permission mapping. This attribute is used when you want to override the global mapping of a specific Dynamics 365 access right for a specific Dynamics 365 entity. | No | |
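
The following added example (not the product's code) models how the predefined mapping, custom mappings, the Entity filter override and the two mapping modes described in this section combine into the SharePoint permission levels for one document location. The precedence rules, the dictionary shape of a custom mapping and the sample entries (using SharePoint's built-in “Read” and “Contribute” levels) are assumptions for illustration.

```python
# Added illustration of section 7.2: a model of the documented mapping rules,
# not the service's code. Precedence details and sample entries are assumptions.

# Predefined mapping from the table in this section (access right -> level).
PREDEFINED = {
    "ReadAccess": "cbreplicator_crm_ReadAccess",
    "WriteAccess": "cbreplicator_crm_WriteAccess",
}

# Allowed values of the "Dynamics 365 Access Right" attribute.
ALLOWED_RIGHTS = {
    "AppendAccess", "AppendToAccess", "AssignAccess", "CreateAccess",
    "DeleteAccess", "ReadAccess", "ShareAccess", "WriteAccess",
}


def levels_for_right(right, entity, custom, mode="append"):
    """SharePoint permission levels that one D365 access right resolves to.

    custom: list of {"right": ..., "level": ..., "entity": ... or None}
    mode="append"  : Automatic (append), custom mappings extend the predefined ones
    mode="replace" : Manual (replace), predefined mappings are not used
    """
    if right not in ALLOWED_RIGHTS:
        raise ValueError("unknown access right: %s" % right)
    if mode not in ("append", "replace"):
        raise ValueError("mode must be 'append' or 'replace'")
    mine = [c for c in custom if c["right"] == right]
    # An Entity filter overrides the global mapping of this right for that entity.
    override = {c["level"] for c in mine if c.get("entity") and c["entity"] == entity}
    if override:
        return override
    global_custom = {c["level"] for c in mine if not c.get("entity")}
    if mode == "replace":
        return global_custom
    predefined = {PREDEFINED[right]} if right in PREDEFINED else set()
    return predefined | global_custom


def resolve_levels(rights, entity, custom, mode="append"):
    """Union of permission levels for all access rights a user holds."""
    levels = set()
    for right in rights:
        levels |= levels_for_right(right, entity, custom, mode)
    return levels


def unmapped_rights(rights, entity, custom, mode="append"):
    """Access rights that grant nothing in SharePoint under this mapping."""
    return sorted(r for r in rights if not levels_for_right(r, entity, custom, mode))


# Constructed custom mappings, for illustration only.
CUSTOM_MAPPINGS = [
    {"right": "WriteAccess", "level": "Contribute", "entity": None},
    {"right": "ReadAccess", "level": "Read", "entity": "lead"},
]

if __name__ == "__main__":
    held = {"ReadAccess", "WriteAccess"}
    for entity in ("account", "lead"):
        for mode in ("append", "replace"):
            print(entity, mode,
                  sorted(resolve_levels(held, entity, CUSTOM_MAPPINGS, mode)),
                  unmapped_rights(held, entity, CUSTOM_MAPPINGS, mode))
```

Under these assumptions, Manual (replace) with no custom ReadAccess entry leaves read-only users of the account entity with no SharePoint level at all, so review the output of `unmapped_rights` before changing the mode.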

 

7.3 Start / Stop a configuration

After creating a configuration, you can start the replication process using the Start and Stop buttons. The current status of the service is shown under the Status column.

NOTE:

There could be a delay before the permissions are replicated to SharePoint, as the “CB Dynamics 365 to SharePoint Permissions Replicator” relies on service queues for its execution.

The replication process status could be one of the following:

  • Starting: The replication process is starting. This is an intermediate state after clicking the “Start” button.
  • Started: The replication process is running. The Dynamics 365 permissions are being replicated into SharePoint.
  • Stopping: The replication is stopping. This is an intermediate state between Started and Stopped state after clicking the Stop button.
  • Stopped: The replication process is stopped. Dynamics 365 permissions are NOT being replicated into SharePoint. You are able to edit/delete the configuration.

Figure 33: Starting the Service

After starting the service, the Replication Status column indicates the status of 3 process queues (see Figure 34):

Event queue holds Dynamics 365 events to be processed by CB Replicator. Events are processed one by one. An event can trigger a request to update permissions that is forwarded to the evaluation queue.

Evaluation queue holds SharePoint Document locations for evaluating permissions. The queue items are processed by Evaluation Workers. Workers calculate permissions for a document location and check permission changes. If there are changes, the item is forwarded to the Write queue.

Write queue holds SharePoint Document locations for writing permissions. The queue items are processed by Writer workers that are responsible for writing the unique permissions to the SharePoint item.

Figure 34: Stopping the Service

7.4 View / Edit a configuration

You can modify an existent configuration by expanding the burger icon next to that configuration and then clicking the “Edit configuration” option as shown below in Figure 35.

Note: The “Edit configuration” option is only available when the configuration is stopped. When the configuration is running, you can only view its details by clicking the “View configuration” option.

Figure 35: Edit configuration Option

The Edit configuration page has the same settings as the New configuration page shown earlier in Figure 22.

For password authentication, select (check) the Change password checkbox to change the password as shown below in Figure 36.

Click the “Save” button to save your changes.

Figure 36: Edit Configuration Page

7.5 Delete a configuration

You can delete an existent configuration by expanding the burger icon next to that configuration and then clicking the “Delete” option as shown below in Figure 37.

Figure 37: Delete Option

By clicking the “Delete” button, the configuration will be permanently deleted. You will be asked to confirm as shown in Figure 38.

Figure 38: Delete Confirmation

Note: When deleting a configuration, it will be permanently deleted with all activated subscriptions (even paid ones). These subscriptions are not transferable to other configurations.

8. Navigating the Dashboard

Once you have an active configuration, it can be accessed through the SaaS Configuration menu or through the SaaS Dashboard as shown below in Figure 39.

Figure 39: CB Dynamics 365 to SharePoint Permissions Replicator on Dashboard

In the Dashboard you will find quick links (Figure 39 – 1) as well as your configurations (Figure 39 – 2). Keep in mind that by clicking “Go to Configuration” (Figure 39 – 3) you will be redirected to the configuration page (see section 7.1.4) and by clicking “More Info” (Figure 39 – 4) you will be able to see more information about the configuration.

Each configuration has information about the number of subscriptions and users as shown in Figure 40.

Figure 40: CB Dynamics 365 to SharePoint Permissions Replicator – Service Information

1. Service icon/name
2. Name of your configuration
3. Link to the Configuration’s list page (where you can start/stop the configuration)
4. Available number of users to map
5. Replication status – if the icon is rotating replication is running
6. Number of available subscriptions (both active and future)
7. Number of users
8. Number of consumed and total user licenses
9. More information link

Clicking anywhere on the configuration box (Figure 40 – 2) will redirect you to a section where you can find more information about the service, such as subscriptions, batteries and available traffic.

8.1 Valid Subscriptions

Scrolling down to the next section, you can find all active and future subscriptions.

Figure 41: Valid Subscriptions

Expanding a subscription, you can see useful information, like validation period (start and end dates), user licenses information, and other details about the subscription.

Figure 42: Subscription Details

  1. Subscription’s validation date
  2. The day the subscription was activated
  3. Subscription plan
  4. The activation code
  5. Information about the subscription and user licenses:
    • Consumed user licenses – number of licenses that are currently in use
    • Total User licenses – number of licenses bought with this subscription
    • Missing User licenses – number of licenses missing for your configuration if there are more mapped Dynamics 365 users than the total number of user licenses.
    • Mapped Dynamics 365 Users – number of users that are mapped between SharePoint and Dynamics 365
    • Total Dynamics 365 Users – number of existent users in Dynamics 365

8.2 Other Information

In the last section, you can find all subscriptions that are already expired as shown in Figure 43.

Figure 43: Other Information

9. Activity log

To help you with basic troubleshooting, the service keeps track of the replication process. To view the activity log, click on the icon next to any configuration as shown below in Figure 44.

Figure 44: View Activity Log Option

In the activity log view shown below in Figure 45, you can search for older logs, filter logs by type (Figure 45 – 1), navigate to older pages (Figure 45 – 2) and search for a specific text in Message or Info columns (Figure 45 – 3).

The following log types are generated:

  • Debug: Internal information that could be used for troubleshooting.
  • Info: General information from the CB Replicator service.
  • Warn: Warning messages
  • Error: Error messages
  • Event: Events received from Dynamics 365
  • Permission Write: Permissions written to SharePoint

Figure 45: Activity Log page

10. Conclusion

This document described how to configure and run the CB Dynamics 365 to SharePoint Permissions Replicator as a service.

If you need any assistance or have any questions, please contact the support team of CB Dynamics 365 to SharePoint Permissions Replicator at our email address office@connecting-software.com or via the support form at https://saas.connecting-software.com/Support/Create. We will get back to you as soon as we can.