Securing Dynamics 365: Disabling Subgrid Access Based on Security Roles

Dynamics 365 provides a robust platform for managing customer relationships and streamlining business processes. One critical aspect of maintaining data integrity is ensuring that only authorized users can perform certain actions within the system. In this blog post, we will explore a JavaScript approach to disable a subgrid on the marketing list entity in Dynamics 365 based on the user’s security role. This technique adds an additional layer of protection by restricting access to the subgrid for users who don’t possess the required permissions.

Before we dive in

Before diving into the implementation details, it’s essential to have a basic understanding of JavaScript and Dynamics 365 customization.

The objective is to disable the subgrid on the marketing list entity unless the user possesses a specific security role. This restriction ensures that only authorized users can add or remove users from the list, safeguarding the integrity of the marketing data.

function onload_unlockfield(executionContext) {
    var formContext = executionContext.getFormContext(); // get formContext, since XRM.Page is deprecated
    if (hasCurrentUserRole("Security Role To Look for")){
    if (formContext.getAttribute("lockstatus").getValue() == true){

function hasCurrentUserRole(roleName){
    let hasRole = false;
    let roles = Xrm.Utility.getGlobalContext().userSettings.roles;
    roles.forEach(x => {
                  if ( === roleName) {
                      hasRole = true;
     return hasRole;

function DisableSubgrid() {   
    var subGridCtrl_contactsUCI = Xrm.Page.getControl("contactsUCI");
    var subGridCtrl_accountsUCI = Xrm.Page.getControl("accountsUCI");
    var subGridCtrl_leadsUCI = Xrm.Page.getControl("leadsUCI");
    var subGridCtrl_dynamic_accounts = Xrm.Page.getControl("dynamic_accounts");
    var subGridCtrl_dynamic_contacts = Xrm.Page.getControl("dynamic_contacts");
    var subGridCtrl_dynamic_leads = Xrm.Page.getControl("dynamic_leads");

    // If subgrid is not loaded yet, then call the same function after some time.
    if (subGridCtrl_contactsUCI == null) {
        setTimeout(DisableSubgrid, 1000);

    // Disable the subgrid control

Understanding the Code

The onload_unlockfield function is triggered on the form’s onload event. It retrieves the form context and checks if the current user has the specified security role. If the user has the role, it makes the “lockstatus” field visible.

If the “lockstatus” field has a value of true (indicating it’s locked), it disables several controls including “description,” “type,” “listname,” and calls the DisableSubgrid function.

The hasCurrentUserRole function checks if the current user has a specific security role by comparing the role name with the roles assigned to the user. It utilizes Xrm.Utility.getGlobalContext().userSettings.roles to access the user’s roles.

The DisableSubgrid function is responsible for disabling the specified subgrid controls. It retrieves the control elements using Xrm.Page.getControl and then sets the Disabled property to true for each subgrid control. It also includes a check to wait for the subgrid controls to be loaded if they are not available immediately.


By implementing this JavaScript code, you can enhance the security of your Dynamics 365 environment by controlling access to the subgrid on the marketing list entity based on the user’s security role. This ensures that only users with the necessary permissions can add or remove users from the list, protecting the integrity of your marketing data. Customizing Dynamics 365 using JavaScript empowers you to tailor the system’s behavior to your organization’s specific security requirements.

Remember to thoroughly test the code in a development or test environment before applying it to your production environment.

Leave a comment