On Implicit sharing, team ownership and reparenting
Friday, 20 December 2013 08:42
MSCRM 2011 introduced the notion of team ownership, and it is increasingly used as the base paradigm for implementing the security model.
However, team ownership has a little-known side effect called implicit sharing.
When a record is linked to another via a cascading relationship, if the reparenting option is set and if the owner of the parent record is not the owner of the child record, an automatic sharing record will be created.
A typical case is activities linked via the regarding field, because the OOB default relationship is parental and therefore has a full cascade.
Let's take an example where we have an account which is team owned and create a task which is user owned (a quite typical scenario).
If now we look in the PrincipalObjectAccess table, you can see a new record is created which shares the Task record with the Team owning the account.
This happens even if the owner is a member of the owning team.
Note that the AccessRightsMask field is 0, which is why the sharing window of the task doesn't show you any sharing. The actual rights are to be found in the field InheritedAccessRightsMask.
This behavior may be what you want, but in a lot of cases it just adds extra records in the POA table, and we all know this impacts performance in a (very) bad way.
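Because these rows never appear in the sharing window, the POA table itself is the place to review them. The read-only T-SQL below is an added example, not part of the original post: it counts inherited-only rows per entity type and then lists the teams holding such access to tasks. It assumes an on-premises organization database, that the direct-share column is named AccessRightsMask, that `TeamBase` exposes `TeamId` and `Name`, and the type codes 4212 (task), 8 (user) and 9 (team).

```sql
-- Added example: read-only audit of implicit (inherited-only) shares.
-- Run against the organization database of an on-premises deployment.
-- Rows of interest have AccessRightsMask = 0 (nothing shown in the sharing
-- window) while InheritedAccessRightsMask carries the effective rights.

-- 1) Volume of inherited-only rows per entity type and principal type.
--    Shows which relationships generate the most POA rows.
SELECT  poa.ObjectTypeCode,
        poa.PrincipalTypeCode,            -- assumed codes: 8 = user, 9 = team
        COUNT(*) AS InheritedOnlyRows
FROM    dbo.PrincipalObjectAccess AS poa WITH (NOLOCK)
WHERE   poa.AccessRightsMask = 0
  AND   poa.InheritedAccessRightsMask <> 0
GROUP BY poa.ObjectTypeCode, poa.PrincipalTypeCode
ORDER BY InheritedOnlyRows DESC;

-- 2) Teams that hold inherited-only access to tasks, i.e. access that
--    an access review based on the sharing window would miss.
SELECT  poa.ObjectId                   AS TaskId,
        t.Name                         AS TeamName,
        poa.InheritedAccessRightsMask,
        poa.ChangedOn
FROM    dbo.PrincipalObjectAccess AS poa WITH (NOLOCK)
JOIN    dbo.TeamBase AS t WITH (NOLOCK)
        ON t.TeamId = poa.PrincipalId
WHERE   poa.ObjectTypeCode    = 4212      -- assumed code: task
  AND   poa.PrincipalTypeCode = 9         -- assumed code: team
  AND   poa.AccessRightsMask  = 0
  AND   poa.InheritedAccessRightsMask <> 0
ORDER BY t.Name, poa.ChangedOn DESC;
```

Running the first query before and after changing a cascade setting shows whether new records of that entity type still produce inherited-only rows.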
The good news is that it's quite easy to remove that behavior: just change the cascading relationship between the involved entities.
In this case, we adapt the parental relationship from account to task by changing the reparenting cascade setting.
If we now repeat the same test, no record is created in the POA table.
Here are the results of a test where test 1 and test 3 had cascading reparenting and test 2 had none.
The conclusion is that the OOB default relationship cascade settings, especially those relating to activities, should not be taken for granted and should always be reviewed at design time.
NB: There's also a post-CRM 2011 UR11 organization setting called DisableImplicitSharingOfCommunicationActivities which could be helpful in that situation.