A child record is shared unexpectedly even if cascading for sharing on Relationship is Cascade None

This article provides a resolution for the issue that a child record is shared unexpectedly even though cascading for sharing on Relationship is set to Cascade None in Microsoft Dynamics CRM 2011.

Applies to:   Microsoft Dynamics CRM 2011
Original KB number:   2696885

Symptoms

Consider this scenario:

The Account-Contact Parental relationship is set to configurable cascading, with Sharing set to Cascade None. The users' security role gives them user-level access to Account and Contact records for all privileges. An administrator who has the System Administrator role in Microsoft Dynamics CRM owns an account and shares it with two users. Both users have the custom security role described above, which gives them access to their own Account and Contact records. A contact that one user creates under the account owned by the administrator is visible to the other user by default.

Example:

  1. A user named Admin has the default System Administrator role in Microsoft Dynamics CRM.
  2. Alan Jackson and Ben Burton are two users in Microsoft Dynamics CRM whose security role gives them access to only their own Account and Contact records for all privileges.
  3. Admin has modified the Account-Contact Parental relationship so that Sharing is set to Cascade None.
  4. Admin creates an Account in Microsoft Dynamics CRM named Account1 by Admin and shares this Account with Alan Jackson and Ben Burton.
  5. Alan opens the Account record Account1 by Admin in Microsoft Dynamics CRM, creates a contact under this Account by selecting Contacts in the left navigation pane and then the New Contact button, and names this contact Alan's contact.
  6. Ben logs in to Microsoft Dynamics CRM, points to Workplace, selects Contacts, and changes the view to Active Contacts. The contact Alan's contact, owned by Alan, is visible to Ben even though Ben's security role assigns privileges only to his own Contact records.

Cause

The child contact created by a user under an account runs through a Reparent operation, which shares the child contact with the same users who have shared rights to the parent account. The Cascade Sharing option controls only the sharing operation, which is not executed in this situation because the parent record was shared before the child record was created.

Resolution

To prevent child records from becoming visible to users in this way, change Cascade-Reparent to None in the account_contacts relationship properties.

Note

Whenever a record is shared through cascading, the resulting shares are irreversible.
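
The following is an added illustration, not Microsoft Dynamics CRM code: a simplified Python model of the behavior described under Cause and Resolution, replaying steps 4 to 6 of the example under both Reparent settings. The class and function names are hypothetical, and the model covers only the Share and Reparent cascade settings.

```python
from dataclasses import dataclass, field

NONE, ALL = "Cascade None", "Cascade All"  # labels used by this model only

@dataclass
class Record:
    name: str
    owner: str
    shared_with: set = field(default_factory=set)
    children: list = field(default_factory=list)

@dataclass
class Relationship:  # simplified stand-in for account_contacts
    share: str
    reparent: str

def share(rel, parent, user):
    """Share action: the Share cascade setting is consulted only here."""
    parent.shared_with.add(user)
    if rel.share != NONE:
        for child in parent.children:  # reaches only children that already exist
            child.shared_with.add(user)

def create_child(rel, parent, name, owner):
    """Creating a child under a parent runs Reparent, not Share."""
    child = Record(name, owner)
    parent.children.append(child)
    if rel.reparent != NONE:
        child.shared_with |= parent.shared_with  # child picks up the parent's shares
    return child

def can_see(record, user):
    # User-level access: own records plus anything shared with the user
    return user == record.owner or user in record.shared_with

def scenario(rel):
    """Steps 4-6 of the example; returns whether Ben sees Alan's contact."""
    account = Record("Account1 by Admin", "Admin")
    share(rel, account, "Alan Jackson")
    share(rel, account, "Ben Burton")
    contact = create_child(rel, account, "Alan's contact", "Alan Jackson")
    return can_see(contact, "Ben Burton")

def exposes_new_children(rel):
    """Audit check: Share is off, but Reparent still propagates shares."""
    return rel.share == NONE and rel.reparent != NONE

if __name__ == "__main__":
    for rel in (Relationship(NONE, ALL), Relationship(NONE, NONE)):
        print(rel, "| Ben sees contact:", scenario(rel),
              "| flagged:", exposes_new_children(rel))
```

The same condition checked by `exposes_new_children` can be used to review other parental relationships where sharing was set to Cascade None with the intent of keeping child records private.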