Lookup Fields that Side Step Security

In this article I would like to discuss a number of distinct concepts and then bring them together.
  • Search Select Advanced Fields
  • Security and Data Access
  • Dynamically Changing Field Properties using an Internal (Create) Script

Imagine a business requirement to include in the Company Field a lookup to a list of Supplier Companies.

At first sight this is easy to do as we can use a Search Select Advanced Field

We can set the Meta Data properties of the new supplier field:
  • FieldName: comp_supplierid
  • EntryType: Search Select Advanced
  • Search Entity: Company
  • Search SQL: comp_type= 'Supplier';
  • View Fields: Territory, Company Name

As we can see from the Image above this works very well EXCEPT the user is limited by the security model to only being able to see the companies that are included in their security profile.

This set of facts would probably satisfy most situations. But in my case I want to allow a user to choose any Supplier company.

We could resolve the problem by creating a special security territory for companies that are of type supplier and we could give absolute rights to that new territory to the users. But this may be inconvenient to the users and we may not want to add complexity to the security model.

So how can we by pass security for a lookup field? Certainly we are not be able to force the Search Select Advanced field to ignore security as the security feature is fundamental to its behaviour. What we can do is hijack some of its properties and then directly control the retrieval of the data using the eWareQuery Object. The eWareQuery object ignores the security profiles and we can decide exactly the SQL that gets passed to the Sage CRM database.

I can hijack the field by using the CreateScript within the screen (CompanyBoxLong).

I have listed the code below but in general the tasks I need to are

  1. Check if a SupplierID exists
  2. Check if screen is in Edit Mode (I have discussed this type of check before)
  • Make the field ReadOnly
  • Build a query statement to get the Supplier companies
  • Start assembling the HTML for a selection list
  • Process the return rows from the query to create the options in the HTML selection
  • Make sure that any existing value is marked as selected
  • Reset the field's Caption property to include the original caption plus the HTML selection field

  • Check if we are in View/Save Mode and include check to if user normally has rights to view Supplier
  • If user has rights then normal Search Select Advanced behaviour used for display

  • If user doesn't have rights then the output of the Supplier company name is rebuilt.

var intSupplierId = CRM.GetContextInfo("company","comp_supplierid");
var strSQL ="";
var CompanyQRY = CRM.CreateQueryObj(strSQL,"");
if(Values("Act")!=200 & & !Values("_actionid"))

var CustomField = "";

CompanyQRY.SQL = strSQL;
while (!CompanyQRY.eof)
if (CompanyQRY.FieldValue("comp_companyid")==intSupplierId)
CustomField+=" SELECTED >";
CustomField+=CompanyQRY.FieldValue("comp_name")+", "+CRM.GetTrans("Tags",CompanyQRY.FieldValue("Terr_Caption"))+"";
CustomField +="";
Caption = CRM.GetTrans("ColNames","comp_supplierid")+":
var checkRecord = CRM.FindRecord("company","comp_companyid="+intSupplierId);
if (Values("comp_supplierid") & & intSupplierId & & checkRecord.eof)
strSQL +="select comp_name, ";
strSQL +="comp_phonecountrycode+comp_phoneareacode+comp_phonenumber as comp_fullnumber";
strSQL +=" from company where comp_companyid ="+intSupplierId;
CompanyQRY.SQL = strSQL;
if (CompanyQRY.eof)
Caption = CRM.GetTrans("ColNames","comp_supplierid")+":
Caption = CRM.GetTrans("ColNames","comp_supplierid");
Caption +=":
Caption +=CompanyQRY.FieldValue("comp_name");
Caption +=" ";
Caption += CompanyQRY.FieldValue("comp_fullnumber");
Caption +="