CB Dynamics 365 to SharePoint Permissions Replicator
The out-of-the-box integration between Dynamics 365 and SharePoint document storage has a lot of advantages but also some disadvantages. The most significant disadvantage is the absence of permissions integration. Each one of those systems has its own security model and there is no out-of-the-box integration between them. This undesirable behaviour causes serious security issues, as everyone can see everything on the SharePoint side.
The CB Dynamics 365 to SharePoint Permissions Replicator product solves this problem easily:
• Replicates Dynamics 365 permissions on item, file, folder, list, document library or even a SharePoint site
• Supports client-based integration (IFrame, crmlistcomponent)
• Supports server-based integration
• Event-based service
• Provided as a cloud service (no need to install)
2. How it Works
The CB Dynamics 365 to SharePoint Permissions Replicator consists of three basic components:
- Connecting Software SaaS Portal (https://saas.connecting-software.com/)
- CB Dynamics 365 to SharePoint Permissions Replicator cloud service
- Dynamics 365 Solution – CB Replicator
Connecting Software SaaS Portal takes care of configuration, subscription management and monitoring.
CB Dynamics 365 to SharePoint Permissions Replicator cloud service is responsible for running the permissions replication process.
Dynamics 365 Solution contains the plugin that registers all the steps that can influence permissions in Dynamics 365. When one of these steps occurs, the plugin will notify CB Dynamics 365 to SharePoint Permissions Replicator service, which will ensure that correct permissions are written into SharePoint. This makes sure that the privileges in Dynamics 365 will be exactly replicated to the relevant SharePoint folders. There are several ways to change permissions in Dynamics 365 and this solution covers all of them:
- Security roles
- Teams, access teams and access team templates
- Business unit
- Hierarchy security – manager and position (CRM 2015, 2016 and Online)
This service will break role inheritance and modify security inside SharePoint. We are not responsible for recovering permissions to the initial state. Please test the service in your test environment first and create backups before implementing to the production environment.
We rely on item level security at folder level in SharePoint. Any manual changes to item level security for influenced document libraries (sharing, etc.) can interfere with our service and may lead to inconsistent behavior or service malfunction.
3. System Requirements
- Internet access to our portal (https://saas.connecting-software.com/)
- Dynamics 365 and SharePoint must be accessible outside your network (Microsoft Azure Cloud)
- Properly configured Document Management between Dynamics 365 and SharePoint
- Properly working Microsoft Dynamics CRM Sandbox Processing Service in on-premises Dynamics 365 (our solution contains a Dynamics 365 plugin running in sandbox isolation mode)
To purchase the CB Dynamics 365 to SharePoint Permissions Replicator product, visit our webpage at www.connecting-software.com and choose “CB Dynamics 365 to SharePoint Permissions Replicator” from the products menu as shown below in Figure 1.
Figure 1: Connecting Software Home Page
From the “CB Dynamics 365 to SharePoint Permissions Replicator” product page shown below in Figure 2, click the Pricing tab to view the pricing page with the available purchase plans as shown in Figure 3.
Figure 2: CB Dynamics 365 to SharePoint Permissions Replicator product page
Click “Free Trial” to get your free trial to test the product first or you could purchase a paid subscription as shown below in Figure 3 by clicking “Buy Now”.
Figure 3: CB Dynamics 365 to SharePoint Permissions Replicator Pricing Page
Click “Try Free” to add the product to your cart.
Figure 4: CB Dynamics 365 to SharePoint Permissions Replicator Free Trial
Complete your purchase profile and place your order by clicking the “Place Order Now” button.
Figure 5: Ordering CB Dynamics 365 to SharePoint Permissions Replicator
Afterwards, you will see an order confirmation on the screen.
Figure 6: CB Dynamics 365 to SharePoint Permissions Replicator Order Confirmation
You will receive two emails from us: an order confirmation email and a guidelines email.
Figure 7: Order confirmation and guidelines emails.
Click the link pointing to our SaaS portal from Step 1 in the guidelines email to access your SaaS portal and configure your “CB Dynamics 365 to SharePoint Permissions Replicator”.
5. Login to your SaaS Portal Account
After clicking the link shown before in Figure 7, you need to log in to your SaaS portal account if you have one already (see Figure 8 – 1) or create a new one (see Figure 8 – 2).
Figure 8: SaaS Login page
Now, you need to configure “CB Dynamics 365 to SharePoint Permissions Replicator”.
The following chapter describes the configuration process of CB Dynamics 365 to SharePoint Permissions Replicator.
A single configuration means replication of permissions from a single Dynamics 365 to a single SharePoint site. You can create multiple configurations like this.
6.1. Using the configuration wizard
The CB Dynamics 365 to SharePoint Permissions Replicator wizard is a new streamlined way of configuring your service to get the replication to work.
After logging in, you will be redirected to the configuration page. If for some reason you lost the link or forgot how to get there, the wizard can always be accessed through the dashboard quick links section.
Figure 9: Dashboard quick links section
6.1.1 Using your license
You start by choosing between creating a new configuration (see Figure 10 – 1) or activating the license in an existing configuration (see Figure 10 – 2).
For more information about how to activate an existing configuration, please look into section 6.1.7.
Figure 10: Choose between creating new configuration and adding subscription to existent one
6.1.2 Naming the configuration
You start by naming your configuration with a meaningful name to help you locate it again in the future.
Figure 11: Configuration Wizard – Configuration Name
6.1.3 Configuring Dynamics 365
In this step, you will need to configure Dynamics 365.
Figure 12: Configuration Wizard – Dynamics 365 Configuration – Password Authentication
To configure Dynamics 365, you can choose between Using Password Authentication or Using Modern Authentication and then pass the following parameters:
- Organization URL – The URL of your Dynamics 365 Organization Service endpoint. It can be found in your Dynamics 365: Settings -> Customizations -> Developer Resources.
For password authentication (see Figure 12), you need a single user, let’s call him the “service user”. This user needs to be a system administrator within your Dynamics 365. You additionally need to fill in:
- User – The login of the Dynamics 365 user with a System Administrator role
- Password – The password of the Dynamics 365 user.
For modern authentication, you additionally need to fill in (see Figure 13):
- Directory (Tenant) ID – The ID of your Azure AD instance.
Click on the “Grant tenant administrator consent” button to grant admin consent to the application. This only needs to be done once.
Next, you need to create an application user in Dynamics 365, as follows:
- In Dynamics 365, go to Settings > Security > Users and switch the view to Application Users.
- Click on New.
- Switch to the Application User form.
- Type in the Application (client) ID (in the form).
- Type in the full name.
- Type in the primary email.
- Click on Save.
- Select Manage Roles.
- In the Manage User Roles dialog box, select System Administrator role, and then select OK.
Figure 13: Configuration Wizard – Dynamics 365 Configuration – Modern Authentication
6.1.4 Configuring SharePoint
In this step, you will need to configure SharePoint.
Figure 14: Configuration Wizard – SharePoint Configuration – Password Authentication
To configure SharePoint, you can choose between Using Password Authentication or Using Modern Authentication and then pass the following parameters:
- Site Collection URL – The URL of your SharePoint site collection.
For password authentication (see Figure 14), you need a single user, let’s call him the “service user”. This user needs to be a site collection administrator. You additionally need to fill in:
- User – The login of the SharePoint user who is Site Collection Administrator (required).
- Password – The password of the SharePoint user.
For modern authentication, you only need to fill in the form (see Figure 15):
- Directory (Tenant) ID – The ID of your Azure AD instance.
Click on the “Grant tenant administrator consent” button to grant admin consent to the application. This is only needed if you have not granted admin consent to the application in the previous step.
Figure 15: Configuration Wizard – SharePoint Configuration – Modern Authentication
6.1.5 Service Activation
If you purchased a trial or a regular subscription you should have received an activation code via e-mail. To activate the service, copy the activation code from the e-mail you received as shown in Figure 7 and paste it into the “Activation Code” field in the “Service Activation” window and press the “Activate Token” button.
Figure 16: Configuration Wizard – Activating the service
A confirmation message will be displayed confirming that the service was activated successfully.
Figure 17: Configuration Wizard – Service activated
Once done, you can proceed to the final step. Keep in mind that when you click on the “Finish” button you won’t be able to go back and change your configuration; everything will already have been created.
6.1.6 Starting Replication
In the final step, you can choose whether or not to start replicating permissions on the configuration immediately after clicking on the “Leave wizard” button.
Figure 18: Configuration Wizard – Starting Replication
6.1.7 Activating an existing configuration
In the first step of the wizard, if you click on the “Activate code on an existent Configuration” option, you need to select the “Configuration Name” that you wish to activate from the selection box and then click on the “Activate” button.
Figure 19: Configuration Wizard – Activating Code on an existent Configuration
You will be requested to type in the Activation Code (see Figure 20).
Figure 20: Service activation
If you purchased a trial or a regular subscription you should have received the activation code via e-mail. The “Activation Code” field should be automatically pre-filled. If that is not the case, copy the activation code from the e-mail you received as shown in Figure 7 earlier and paste it into the “Activation Code” field and click on the “Activate” button. A confirmation message will be displayed confirming that the service was activated successfully.
6.2 Manual Configuration
This section describes the configuration process of “CB Dynamics 365 to SharePoint Permissions Replicator”.
A single configuration means replication of permissions from a single Dynamics 365 to a single SharePoint site. You can create multiple configurations.
6.2.1 Create a configuration
To create a new configuration, please go to “Configuration > CB Dynamics 365 to SharePoint Permissions Replicator” (see Figure 21 – 1) and then click on the “Create New” button (see Figure 21 – 2).
Figure 21: Configuration Page
From the configuration screen shown below in Figure 22, you need to enter a meaningful name for your configuration and configure credentials for your Dynamics 365 and SharePoint. To make sure that you have entered valid credentials, you can click on the “Test connection” button for each connection.
If you are unable to connect to the target system, please try to log in via a browser to make sure that you have entered valid information.
For more information about how to configure Dynamics 365 and SharePoint, please consult sections 6.1.3 and 6.1.4, respectively.
Figure 22: New Configuration Page
After filling in all required fields, click on the “Create” button to create the new configuration, provided the connections were tested successfully.
6.2.2 Activate a configuration
To start replicating permissions, you need to activate the configuration via the activation code received after purchasing the service from the shop (https://www.connecting-software.com/dynamics-crm-sharepoint-permissions-replicator-pricing/). If you already have the activation code, you can activate the configuration straight away by clicking on the “activate code now” link.
Figure 23: New Configuration Created
Paste the activation code into the “Activation Code” field in the “Service Activation” window shown below in Figure 24 and click on the “Activate” button. The Activation Code has the following format: f305ca9c-4ee6-448c-8f34-aa9cacdbf307.
Figure 24: Service Activation Window
Once the token is activated, a confirmation message will be displayed confirming that the service was activated successfully (see Figure 25) and then you can close the “Service Activation” window.
Figure 25: Service Activation Window – Confirmation message
You can also activate/extend any configuration at any time by expanding the burger icon next to that configuration and then clicking on the “Activate service” button as shown below in Figure 26.
Figure 26: Activate/Extend a Configuration
7. Configuration Settings
7.1 User mapping
The service provides an automated algorithm to map (match) Dynamics 365 users to SharePoint users. The algorithm uses the login name to map users, so it is important that Dynamics 365 and SharePoint are connected to the same Active Directory domain or Office 365 organization.
Click on the icon next to any configuration to view/edit the user mapping as shown below in Figure 27.
Figure 27: User Mapping Option
In the top box, you can see the number of CB Dynamics 365 to SharePoint Permissions Replicator user licenses required for your Dynamics 365 organization.
Figure 28: User Mapping Page
User mapping mode specifies whether the custom mapping will be appended to predefined mapping – Automatic (append) – or will replace predefined mapping – Manual (replace). To change user mapping mode, click on the “Change” button.
The Custom mapping column indicates whether the user mapping was automatic or manual.
The Mapped column indicates the status of the user mapping. The possible values are:
– Indicates that the user is mapped (automated mapping or custom)
– Indicates that the user has not been mapped
– Indicates that the user is excluded from automated mapping (intentionally)
If a user is not mapped or if you want to modify the user’s mapping, click the “Edit” button. You will be redirected to the “Custom user mapping” page as shown below in Figure 29. On this page, you will need to select (check) the target SharePoint principal(s) to be mapped to the Dynamics 365 user.
Click on the “Block” button to exclude a user from automated mapping. The user will not be mapped automatically.
Click on the “Remove” button to remove custom mapping.
Click on the “Unblock” button to include a user in automated mapping.
Figure 29: Custom user mapping Page
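The following Python sketch models the user mapping behaviour described in this section (login-name matching, the Automatic (append) and Manual (replace) modes, and blocked users). It is an added example, not the service's own code; the function names, the normalisation of claims-style SharePoint logins and all sample accounts are assumptions made for illustration.

```python
def login_key(name):
    """Comparable key for a login: drop a claims prefix such as
    'i:0#.f|membership|' and ignore case (assumed normalisation)."""
    return name.rsplit("|", 1)[-1].strip().lower()


def map_users(d365_logins, sp_principals, custom=None, blocked=(), mode="append"):
    """Return {d365_login: (status, [SharePoint principals])}.

    mode="append":  automated login-name match plus custom entries
    mode="replace": custom entries only, no automated match
    Blocked users are skipped by the automated match in either mode.
    """
    if mode not in ("append", "replace"):
        raise ValueError("mode must be 'append' or 'replace'")
    custom_by_key = {login_key(k): v for k, v in (custom or {}).items()}
    blocked_keys = {login_key(b) for b in blocked}
    sp_by_key = {}
    for principal in sp_principals:
        sp_by_key.setdefault(login_key(principal), []).append(principal)

    result = {}
    for login in d365_logins:
        key = login_key(login)
        targets = []
        if mode == "append" and key not in blocked_keys:
            targets.extend(sp_by_key.get(key, []))      # automated mapping
        for principal in custom_by_key.get(key, []):    # custom mapping
            if principal not in targets:
                targets.append(principal)
        if targets:
            status = "mapped"
        elif key in blocked_keys:
            status = "excluded"
        else:
            status = "not mapped"
        result[login] = (status, targets)
    return result


def needs_review(result):
    """Users whose Dynamics 365 access has no SharePoint counterpart."""
    return [login for login, (status, _) in result.items() if status == "not mapped"]


# Constructed sample data (not taken from any real tenant).
D365_LOGINS = ["alice@contoso.example", "Bob@contoso.example",
               "carol@contoso.example", "svc-crm@contoso.example",
               "dave@contoso.example"]
SP_PRINCIPALS = ["i:0#.f|membership|alice@contoso.example",
                 "i:0#.f|membership|bob@contoso.example",
                 "i:0#.f|membership|carol.smith@partner.example",
                 "i:0#.f|membership|svc-crm@contoso.example"]
CUSTOM = {"carol@contoso.example": ["i:0#.f|membership|carol.smith@partner.example"]}
BLOCKED = ["svc-crm@contoso.example"]

if __name__ == "__main__":
    for mode in ("append", "replace"):
        mapping = map_users(D365_LOGINS, SP_PRINCIPALS, CUSTOM, BLOCKED, mode)
        print(mode, {login: status for login, (status, _) in mapping.items()})
        print("  review:", needs_review(mapping))
```

In this model, switching to replace mode leaves every user without a custom entry unmapped, which is why the unmapped list is worth reviewing after a mode change.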
7.2 Permissions mapping
As Dynamics 365 and SharePoint security models differ, a mapping between them needs to be established. To do so, CB Replicator automatically creates certain permission levels in the target SharePoint. The service has preconfigured mapping between Dynamics 365 and SharePoint that should be suitable for most deployments.
D365 access right
SharePoint permission level
Click on the icon next to any configuration to view/edit the permission mapping as shown below in Figure 30.
Figure 30: Permission Mapping Option
Permission mapping mode specifies whether the custom mapping will be appended to predefined mapping – Automatic (append) – or will replace predefined mapping – Manual (replace). To change permission mapping mode, click on the “Change” button.
The Is custom column indicates whether permission mapping is default or custom (user-defined).
The Entity Filter column indicates which entities (Account, Lead, etc.) are affected by the permission mapping – the preconfigured mapping for specific Dynamics 365 access right is overridden in this case.
Figure 31: Permissions Mapping Page
To create a new custom mapping, click on the Create New button. You will be redirected to the “Custom permission mapping” page as shown below in Figure 32. On this page, you will need to choose an appropriate Dynamics 365 Access Right, a SharePoint Permission Level and, optionally, an Entity filter. Click Save and Close to finish.
Figure 32: Custom permission mapping
Click on the “Edit” button to modify a custom permission mapping.
Click on the “Remove” button to delete a custom permission mapping.
Dynamics 365 Access Right
The Dynamics 365 access right name.
Allowed values are:
SharePoint Permission Level
The SharePoint permission level.
Entity Filter
The logical name of the Dynamics 365 entity that will be affected by the permission mapping.
This attribute is used when you want to override the global mapping of a specific Dynamics 365 access right for a specific Dynamics 365 entity.
7.3 Start / Stop a configuration
After creating a configuration, you can start the replication process. Replication is controlled with the Start and Stop buttons. The current status of the service is shown under the Status column.
There could be a delay before the permissions are replicated to SharePoint, as the “CB Dynamics 365 to SharePoint Permissions Replicator” relies on service queues for its execution.
The replication process status could be one of the following:
- Starting: The replication process is starting. This is an intermediate state after clicking the “Start” button.
- Started: The replication process is running. The Dynamics 365 permissions are being replicated into SharePoint.
- Stopping: The replication is stopping. This is an intermediate state between Started and Stopped state after clicking the Stop button.
- Stopped: The replication process is stopped. Dynamics 365 permissions are NOT being replicated into SharePoint. You are able to edit/delete the configuration.
Figure 33: Starting the Service
After starting the service, the Replication Status column indicates the status of 3 process queues (see Figure 34):
- Event queue: holds Dynamics 365 events to be processed by CB Replicator. Events are processed one by one. An event can trigger a request to update permissions that is forwarded to the evaluation queue.
- Evaluation queue: holds SharePoint Document locations for evaluating permissions. The queue items are processed by Evaluation Workers. Workers calculate permissions for a document location and check permission changes. If there are changes, the item is forwarded to the Write queue.
- Write queue: holds SharePoint Document locations for writing permissions. The queue items are processed by Writer workers that are responsible for writing the unique permissions to the SharePoint item.
Figure 34: Stopping the Service
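The three queues described above can be modelled in a few lines of Python to show why SharePoint can lag behind Dynamics 365 until the queues drain, and why unchanged locations are never rewritten. This is an added sketch, not the service's implementation; the event shape, record ids, folder paths and permission levels are constructed for illustration.

```python
from collections import deque


def run_pipeline(events, desired_acl, sharepoint_acl, locations):
    """Drain event -> evaluation -> write queues once.

    desired_acl:    {record_id: {user: level}} as calculated from Dynamics 365
    sharepoint_acl: {folder: {user: level}} currently written in SharePoint
    locations:      {record_id: folder} document locations
    Returns the folders whose permissions were written.
    """
    event_q, eval_q, write_q = deque(events), deque(), deque()
    written = []

    # Event queue: events are handled one by one; each may request an
    # evaluation of the document locations it touches.
    while event_q:
        event = event_q.popleft()
        for record in event["records"]:
            folder = locations.get(record)
            if folder is not None and (record, folder) not in eval_q:
                eval_q.append((record, folder))

    # Evaluation queue: calculate the target permissions and forward the
    # location to the write queue only if something changed.
    while eval_q:
        record, folder = eval_q.popleft()
        target = desired_acl.get(record, {})
        if sharepoint_acl.get(folder) != target:
            write_q.append((folder, dict(target)))

    # Write queue: write the unique permissions to the SharePoint item.
    while write_q:
        folder, target = write_q.popleft()
        sharepoint_acl[folder] = target
        written.append(folder)
    return written


def stale_folders(desired_acl, sharepoint_acl, locations):
    """Folders whose SharePoint permissions differ from Dynamics 365 now."""
    return sorted(folder for record, folder in locations.items()
                  if sharepoint_acl.get(folder) != desired_acl.get(record, {}))


# Constructed sample data.
LOCATIONS = {"account:1": "/sites/crm/account/Contoso_1",
             "lead:7": "/sites/crm/lead/Fabrikam_7"}

if __name__ == "__main__":
    desired = {"account:1": {"alice": "Read", "bob": "Contribute"},
               "lead:7": {"alice": "Contribute"}}
    acl = {}
    first = [{"type": "assign", "records": ["account:1", "lead:7"]}]
    print("written:", run_pipeline(first, desired, acl, LOCATIONS))
    print("written again:", run_pipeline(first, desired, acl, LOCATIONS))
    del desired["account:1"]["bob"]          # access revoked in Dynamics 365
    print("stale before processing:", stale_folders(desired, acl, LOCATIONS))
    revoke = [{"type": "revoke", "records": ["account:1"]}]
    print("written:", run_pipeline(revoke, desired, acl, LOCATIONS))
    print("stale after processing:", stale_folders(desired, acl, LOCATIONS))
```

Between the revocation and the processing of its event, `stale_folders` reports the folder where the revoked user still holds access in this model, which is the window the delay note refers to.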
7.4 View / Edit a configuration
You can modify an existing configuration by expanding the burger icon next to that configuration and then clicking on the “Edit configuration” option as shown below in Figure 35.
Figure 35: Edit configuration Option
The Edit configuration page has the same settings as the New configuration page shown earlier in Figure 22.
For password authentication, select (check) the Change password checkbox to change the password as shown below in Figure 36.
Click the “Save” button to save your changes.
Figure 36: Edit Configuration Page
7.5 Delete a configuration
You can delete an existing configuration by expanding the burger icon next to that configuration and then clicking on the “Delete” option as shown below in Figure 37.
Figure 37: Delete Option
By clicking the “Delete” button, the configuration will be permanently deleted. You will be asked to confirm as shown in Figure 38.
Figure 38: Delete Confirmation
Note: When deleting a configuration, it will be permanently deleted with all activated subscriptions (even paid ones). These subscriptions are not transferable to other configurations.
8. Navigating the Dashboard
Once you have an active configuration, it can be accessed through the SaaS Configuration menu or through the SaaS Dashboard as shown below in Figure 39.
Figure 39 – CB Dynamics 365 to SharePoint Permissions Replicator on Dashboard
In the Dashboard you will find quick links (Figure 39 – 1) as well as your configurations (Figure 39 – 2). Keep in mind that by clicking “Go to Configuration” (Figure 39 – 3) you will be redirected to the configuration page (see section 7.1.4) and by clicking “More Info” (Figure 39 – 4) you will be able to see more information about the configuration.
Each configuration has information about the number of subscriptions and users as shown in Figure 40.
Figure 40: CB Dynamics 365 to SharePoint Permissions Replicator – Service Information
1. Service icon/name
2. Name of your configuration
3. Link to the Configuration’s list page (where you can start/stop the configuration)
4. Available number of users to map
5. Replication status – if the icon is rotating replication is running
6. Number of available subscriptions (both active and future)
7. Number of users
8. Number of consumed and total user licenses
9. More information link
Clicking anywhere on the configuration box (Figure 40 – 2) will redirect you to a section where you can find more information about the service, such as subscriptions, batteries and available traffic.
8.1 Valid Subscriptions
Scrolling down to the next section, you can find all active and future subscriptions.
Figure 41: Valid Subscriptions
Expanding a subscription, you can see useful information, like validation period (start and end dates), user licenses information, and other details about the subscription.
Figure 42: Subscription Details
- Subscription’s validation date
- The day the subscription was activated
- Subscription plan
- The activation code
- Information about the subscription and user licenses:
  - Consumed user licenses – number of licenses that are currently in use
  - Total User licenses – number of licenses bought with this subscription
  - Missing User licenses – number of licenses missing for your configuration if there are more mapped Dynamics 365 users than the total number of user licenses.
  - Mapped Dynamics 365 Users – number of users that are mapped between SharePoint and Dynamics 365
  - Total Dynamics 365 Users – number of existing users in Dynamics 365
8.2 Other Information
In the last section, you can find all subscriptions that are already expired as shown in Figure 43.
Figure 43: Other Information
9. Activity log
To help you with basic troubleshooting, the service keeps track of the replication process. To view the activity log, click on the icon next to any configuration as shown below in Figure 44.
Figure 44: View Activity Log Option
In the activity log view shown below in Figure 45, you can search for older logs, filter logs by type (Figure 45 – 1), navigate to older pages (Figure 45 – 2) and search for a specific text in Message or Info columns (Figure 45 – 3).
The following log types are generated:
- Debug: Internal information that could be used for troubleshooting.
- Info: General information from the CB Replicator service.
- Warn: Warning messages
- Error: Error messages
- Event: Events received from Dynamics 365
- Permission Write: Permissions written to SharePoint
Figure 45: Activity Log page
This document described how to configure and run the CB Dynamics 365 to SharePoint Permissions Replicator as a service.
If you need any assistance or have any questions, please contact the support team of CB Dynamics 365 to SharePoint Permissions Replicator at our email address email@example.com or via the support form https://saas.connecting-software.com/Support/Create . We will get back to you as soon as we can.