Partners upgrading from the 2.5 to the 2.7 version of the Self-Service Portal will need to update the security roles in CRM for their default user.
In the initial version of the portal there was a default web role for all contacts accessing the portal which is the Authenticated User. This enables that user to access any information within the portal. However, now there are specific security roles that perform only certain functions. For more information about web roles please go to Self Service Portal Security Roles.
To secure the portal, remove certain security roles that are associated with the Authenticated user. Those roles provided the user with permissions to perform functions that should only be associated with certain roles.
In order to remove the permissions for the Authenticated User please navigate to Dynamics 365 -> Portals -> Security -> Web Page Access Control Rules.
Search for the following records:
- Work 365 - Subscription ACL (Customer Self-Service)
Go the ‘Web Roles’ tab, select the Authenticated User role and remove it. This will prevent the Authenticated User from updating subscriptions, a function that only the Administrator and Subscription Manager can perform.
- Work 365 - Invoice Edit ACL (Customer Self-Service)
Go the ‘Web Roles’ tab, select the Authenticated User role and remove it. This will prevent the Authenticated User from viewing the invoices and payment profile information, a function that only the Administrator and Finance Manager can perform.
- Work 365 - Usage Edit ACL (Customer Self-Service)
Go the ‘Web Roles’ tab, select the Authenticated User role and remove it. This will prevent the Authenticated User from viewing usage data, a function that only the Administrator and Subscription Manager can perform.
This will ensure that the Authenticated User can only view the following pages:
- My Agreements
- My Company
- Product Catalog