Siebel CRM Desktop for Microsoft Outlook Administration Guide > Customizing Siebel CRM Desktop > Customizing UI Behavior >

Controlling Access to Object Types

This topic describes how to control access to object types. It includes the following topics:

• Making Object Types Read-Only
• Preventing Users From Deleting Object Types
• Preventing Users From Removing Links Between Object Types

Making Object Types Read-Only

This topic describes how to make an object type read-only so that the user can view it but not modify it. The example in this topic makes the account object type read-only.

To make object types read-only

1. Use a JavaScript editor to open the security_utils.js file.
2. Add the object type that you must make read-only to the array of security descriptors that CRM Desktop uses:
   1. Locate the following function:

   siebel_security_manager()

   2. Locate the following code that resides in the function that you located in Step a:

   factories = {
     "Action": security_manager.factory_from_constructor(activity_security),
     ...
     "Account": security_manager.factory_from_constructor(account_security),
     "Opportunity":   security_manager.factory_from_constructor(opportunity_security),
   };

   This code defines the array of security descriptors. A security descriptor is a type of object that includes a set of methods, including methods that CRM Desktop uses to determine access. Each object in CRM Desktop includes a security descriptor.

   3. Add the following code to the factories object that you located in Step b:

   "custom_object":security_manager.factory_from_constructor(function_name)

   where:

   • custom_object identifies the object type of the custom object.
   • function_name identifies the name of the function that CRM Desktop uses to construct the security descriptor. For more information, see Function That CRM Desktop Uses to Construct Security Descriptors.

     For example, add the following code:

   "Account":security_manager.factory_from_constructor(account_security)

3. Specify the function that determines if the user possesses the permission to modify the form:
   1. Locate the function that you specified in Step c.
   2. Add the following code to the function that you located in Step a.

   base_security.call(this, ctx, item_ex, {
   "modify_filter": modify_check_function
   });
   function custom_object_security(ctx, item_ex)
   {
   base_security.call(this, ctx, item_ex, {
   "modify_filter": function
   });

   where:

   • custom_object_security specifies the name of the function that CRM Desktop calls to determine if the user possesses the permission to modify the form. For more information about custom_object_security, see Function That CRM Desktop Uses to Construct Security Descriptors.

     For example, you can use the following code for the account object:

   base_security.call(this, ctx, item_ex, {
   "modify_filter": modify_check_function
   });
   function account_security(ctx, item_ex)
   {
   base_security.call(this, ctx, item_ex, {
   "modify_filter": function
   });

4. Define the function that you specify in Step 3. Use the following code:

   function modify_check_function(ctx, sd, item_ex, value)
   {
     value.and_value = false;
     value.or_value = false;
   }

   where:

   • modify_check_function must be the function that you specify in Step 3.
   • sd provides access to the access method that the security descriptor uses, such as modify_access, delete_access, or link_access. For more information, see Setting the Security Descriptor.
   • and_value and or_value must be set to false to make an object type read-only. These parameters determine the result of the following calculation:

   resulting_value = (value || or_value) && and_value;

   Note the following:

   • If CRM Desktop calls an access checking method, such as modify_access or delete_access, then the access checking method returns a value in resulting_value.
   • If or_value and and_value are true, then resulting_value is true.
   • If or_value or and_value is false, then resulting_value is false.
   • The value parameter is predefined. You cannot modify it. You can modify or_value and and_value.

     You can define this function anywhere in the security_utils.js file. It recommended that you define it near the custom_object_security function.

5. (Optional) Make the object type read-only depending on a condition.

   You can configure CRM Desktop to examine an object, and then set and_value and or_value to false or true, depending on the results of this examination. For example, the following code determines if a custom field of an object includes a value, where the value is the check mark in a checkbox. If it does, then it sets Can modify to false, and then sets the values for and_value and or_value depending on the value of Can modify:

   function modify_check_function(ctx, sd, item_ex, value)
   {
     var modification_allowed = item_ex.get_property("Can modify").checked;
     value.and_value = modification_allowed;
     value.or_value = modification_allowed;
   }

Function That CRM Desktop Uses to Construct Security Descriptors

The function that Siebel CRM Desktop uses to construct security descriptors resides in the security_utils.js file. For example, CRM Desktop uses the following function to construct the security descriptor for the account object type:

function account_security(ctx, item_ex)
{
base_security.call(this, ctx, item_ex, {
"modify_filter": account_read_only,
"link_filter": account_link_filter,
"delete_filter": function(ctx, sd, item_ex, value) {value.or_value = true; value.and_value = true}
});
}

The base_security function constructs the default security descriptor. This descriptor includes the predefined methods that set access. CRM Desktop uses the base_security function during a call from the security descriptor function of any object, and it uses the values that this function contains. The security descriptor uses the following constructor function, and CRM Desktop uses the default values from this function for all access methods. So, it is not necessary for you to write code in every function that CRM Desktop uses to construct a descriptor:

function custom_object_security(ctx, item_ex)
{
base_security.call(this, ctx, item_ex);
}

where:

• custom_object_security specifies the name of the function that CRM Desktop uses to construct the object descriptor. For example, CRM Desktop uses the account_security function to construct the object descriptor for an account.
• this, ctx, item_ex are the default set of parameters that CRM Desktop uses. You can add more options to define the default access methods and the values that they return.

Setting the Security Descriptor

sd (security descriptor) is the security_descriptor object that CRM Desktop uses for the object where you are modifying access. You can use it to examine other types of permissions. For example, the following code prevents the user from deleting or modifying an object. If the delete_access method that the security descriptor references returns a value of false, then CRM Desktop sets and_value and or_value to false:

function modify_check_function(ctx, sd, item_ex, value)
{
if (sd.delete_access())
  {
  value.and_value = false;
  value.or_value = false;
  }
}

Preventing Users From Deleting Object Types

This topic describes how to configure Siebel CRM Desktop so that users cannot delete object types.

To prevent users from deleting object types

• Do all the steps described in Controlling Access to Object Types, with the following differences:
  1. Replace the code you use in Step 3 with the following code:

  base_security.call(this, ctx, item_ex, {"delete_filter": delete_check_function});

  This code uses the delete_filter parameter when Siebel CRM Desktop calls the base_security function.

  2. In Step 4, replace modify_check_function with delete_check_function.

     Note that you can configure CRM Desktop to control access to object types and prevent users from deleting object types. To do this, do the work described in Controlling Access to Object Types, create a copy of this work, and then modify this copy to prevent users from deleting object types.

Preventing Users From Removing Links Between Object Types

This topic describes how to configure Siebel CRM Desktop so that the user cannot remove a link that occurs between object types, such as removing an industry link from an account.

To prevent users from removing links between object types

1. Do all the steps described in Controlling Access to Object Types, with the following differences:
   1. Replace the code you use in Step 3 with the following code:

   base_security.call(this, ctx, item_ex, {"delete_filter": link_check_function});

   This code uses the delete_filter parameter when Siebel CRM Desktop calls the base_security function.

   2. In Step 4, use the following code:

   if (link.link_to == "object_type")
     {
     access.create = true;
     access.remove = false;
   }

   where:

   • link is a required parameter that contains information about the link that CRM Desktop examines. This information identifies the object that provides the link source, the object that provides the link destination, the tag that CRM Desktop uses for the link, and other information.
   • object_type identifies the type of object where CRM Desktop applies the logic that you specify in this if statement.
   • access.create is an optional parameter that you can set to one of the following values:
     • true. Allows the user to create a link between two object types.
     • false. Prohibits the user from creating a link between two object types.
   • access.remove is an optional parameter that you can set to one of the following values:
     • true. Allows the user to remove a link between two object types.
     • false. Prohibits the user from removing a link between two object types.

       For example, the following code allows the user to create a link between an industry and the object where you are defining link access, but not to remove this link:

   if (link.link_to == "Industry")
   {
   access.create = true;
   access.remove = false;
   }

   CRM Desktop uses access.create and access.remove to create or remove a link instead of the and_value and or_value described in Controlling Access to Object Types. It does this because and_value and or_value only allow you to specify a single true or false value that determines if the user can modify or delete an object. A link allows you to set a true or false value that determines if the user can create a link, and a separate true or false value that determines if the user can remove a link. For example, CRM Desktop creates a link if the user uses the autocomplete control to pick an account in an opportunity form, and it deletes this link if the user subsequently deletes this account.

   CRM Desktop enables or disables buttons in the MVG dialog box depending on the access that you specify. For example, if you disallow the user from adding new associations, then CRM Desktop disables the Add button in the MVG dialog box.

   Note that you can configure CRM Desktop to control access to object types and prevent users from removing links between object types. To do this, do the work described in Controlling Access to Object Types, create a copy of this work, and then modify this copy to prevent users from removing links between object types.

2. (Optional) Use the following code to specify the type of link:

   if (link.link_to == "Industry" && link.tag == "link_type")
     {
     access.create = true;
     access.remove = false;
   }

   where:

   • link_type specifies the type of link. For more information, see Types of Links You Can Specify.

Types of Links You Can Specify

You can use one of the following values when you specify the type of link in the if (link.link_to statement:

• direct. CRM Desktop applies the logic that you specify in this if statement only on direct links. A direct link is a type of link that possesses a one-to-one relationship between one object type and another object type. A link between one account and one opportunity is an example of a direct link. The function that resides in the business_logic.js file determines the type of link. The add_direct_link function specifies a direct link.
• mvg. CRM Desktop applies the logic that you specify in this if statement only on MVG links. An MVG link is a type of link that possesses a one-to-many relationship between one object type and another object type. A link between one opportunity and many contacts is an example of an MVG link. The function that resides in the business_logic.js file determines the type of link. The add_mvg_link function specifies a direct link.

For example, the following code allows the user to create a direct link between an industry and the object where you are customizing link access, but not to remove this link:

if (link.link_to == "Industry" && link.tag == "direct")
  {
  access.create = true;
  access.remove = false;
}