Thompson CRM Ireland
How to implement field level security – the easy way!
Sunday, 20 September 2009 11:43

Out of the box, Microsoft Dynamics CRM does not support field level security; the security model allows for records to be suppressed from view for specific users or business units and for a specific entity but it does not allow you to hide specific fields within the record.

Third party tools are available or you can write your own custom code to implement this, but both of these options add complexity to your solution and they cannot prevent a user from viewing these fields at the database level.

The following describes a neat way of doing this: the confidential fields are held in a separate entity, and a workflow links that entity to the record so that, as far as your users are concerned, it behaves like field level security.

Let’s say that we want confidential HR information about staff to be entered and viewed only by HR staff. First I’ll show the end result of what we want to achieve and then I will describe the steps necessary to implement this.

The data entry screen for users will appear as follows to HR staff. Notice the lookup field in blue in the middle “Confidential Info (Restricted Access)”.

[Screenshot: User data entry form as seen by HR staff]

For non-HR Staff, this field will be disabled.

When the HR staff user clicks on “Confidential Info (Restricted Access)”, they are presented with the following:

[Screenshot: Confidential Info entry screen]

The HR Staff member can quickly view all users’ confidential info using a custom view such as the following:

[Screenshot: custom view listing users’ confidential info]

If other staff attempt to select this view from the drop down, they will receive an error message indicating that they do not have permission to view the data:

[Screenshot: permission error message]

The general steps to building this solution are as follows:

  1. Create a new entity to hold the confidential attributes
  2. Create a one-to-many relationship between the new entity and the User entity
  3. Create a Workflow that automates the link between these entities
  4. Give the relevant users a user role that includes the necessary privileges

Here are the detailed steps to building the above solution:

  1. Create a new custom entity named “Confidential_Info”
  2. Create a one-to-many relationship between this new Confidential_Info entity and the User entity.
  3. Add the system generated lookup field (called something like “Confidential_Info_id”) in the User entity to the User main form. In the properties of the field, untick “Display label on the form”. The label is not necessary because we are going to populate the value of the lookup with a suitable name. Also, tick the Read Only flag because this field will only be populated by the workflow and not by the user.
  4. The lookup field is not relevant when the User record is initially created. So hide this lookup field by adding the following code in the onload event of the User form. You must have the field contained in its own section for this to work.

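         // FormType 1 = Create: the lookup has no value until the workflow has run,
         // so hide the section that contains it.
         if (crmForm.FormType == 1) {
             crmForm.all.new_confidentialinfoid.parentElement.parentElement.parentElement.style.display = 'none';
         }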

  5. Create a workflow invoked on both the creation of a User record and On Demand.
  6. In this workflow, create a step that creates a Confidential_Info record and populates the name attribute to “Confidential Info (Restricted Access)”.
  7. Create a second step that updates the User record by linking the newly created Confidential_Info record to this User record. The Set Properties page will look like this:

     [Screenshot: Set Properties page of the workflow step]

     The finished workflow will look like this:

     [Screenshot: finished workflow]

  8. Create views for the User entity for both general staff and HR staff. The HR staff views will include the attributes of your new Confidential_Info record. This is achieved by selecting a different “Record Type” from the drop down list in the “Add Columns” dialog box:

     [Screenshot: “Add Columns” dialog box]

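  9. Give the HR staff access to the Confidential_Info entity by ensuring that they have a role that includes Create/Read/Write privileges on it. This role assignment is what actually restricts the data: roles held by other staff must not include any privileges on Confidential_Info, because hiding or disabling the lookup on the form only changes what is displayed.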


  10. Finally, for existing users, run this workflow by invoking it manually and then turn off the On Demand option so that users cannot run it.
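
The steps above should leave exactly one Confidential_Info record linked to each User, with privileges on that entity held only by the HR role. As an added example (not code from the original article), the JavaScript below audits an export of that end state; the export shape, record ids, role names and all sample rows are constructed assumptions, and only the `new_confidentialinfoid` lookup name comes from the article.

```javascript
// Added example, not from the original article. All rows below are constructed.
// Assumed export shape: each user carries the value of the article's
// new_confidentialinfoid lookup; each Confidential_Info row carries an id.
const users = [
  { name: "Alice", new_confidentialinfoid: "ci-1" },
  { name: "Bob", new_confidentialinfoid: "ci-2" },
  { name: "Carol", new_confidentialinfoid: null },   // workflow never ran
  { name: "Dave", new_confidentialinfoid: "ci-2" },  // points at Bob's record
];
// ci-3 is referenced by nobody, e.g. left behind when the workflow ran twice.
const infoRecords = [{ id: "ci-1" }, { id: "ci-2" }, { id: "ci-3" }];
// Privileges each role holds on Confidential_Info (role names are hypothetical).
const roles = [
  { name: "HR Staff", privileges: ["Create", "Read", "Write"] },
  { name: "Salesperson", privileges: [] },
  { name: "Marketing", privileges: ["Read"] },       // misconfigured role
];

function auditConfidentialInfo(users, infoRecords, roles, allowedRoles) {
  const refs = new Map();   // Confidential_Info id -> names of linked users
  const unlinkedUsers = [];
  for (const u of users) {
    if (!u.new_confidentialinfoid) { unlinkedUsers.push(u.name); continue; }
    const names = refs.get(u.new_confidentialinfoid) || [];
    names.push(u.name);
    refs.set(u.new_confidentialinfoid, names);
  }
  const known = new Set(infoRecords.map(r => r.id));
  return {
    unlinkedUsers,
    // Records holding confidential data that no User form leads to.
    orphanedRecords: infoRecords.filter(r => !refs.has(r.id)).map(r => r.id),
    // The one-to-many relationship allows several users per record; flag it.
    sharedRecords: [...refs].filter(([, n]) => n.length > 1).map(([id]) => id),
    // Lookups pointing at a record missing from the export.
    danglingLinks: [...refs.keys()].filter(id => !known.has(id)),
    // Any role outside the allow-list with a privilege on the entity.
    overPrivilegedRoles: roles
      .filter(r => !allowedRoles.includes(r.name) && r.privileges.length > 0)
      .map(r => r.name),
  };
}

const report = auditConfidentialInfo(users, infoRecords, roles, ["HR Staff"]);
console.log(JSON.stringify(report, null, 2));
```

An empty list in every field of the report is the state the procedure is meant to produce.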

     

     

     