One of the professional benefits I gain from training Microsoft Dynamics CRM courses appears from time to time in the form of an innocent question from a student. A question which makes me stop for a moment and think… What would Mr. Spock answer to this?
Here is one: Does a Rollup field calculation take the user’s privileges into account?
Let me demonstrate: a user has access to a Project record which contains the Total hours consumed. This is a Rollup field which sums up the related Activity Report records Total Hours field value. The user Security Roles prevent him for reading any Activity Report records.
Having this, when the user activates the Total hours consumed field on demand calculation functionality, would the result be zero?
Humm… on one hand, It seems logical to expect that if the user has no access to the data used for calculation, he will get partial or no calculation result. On the other hand, displaying partial or no result can lead the user to the wrong business decision.
After testing this scenario I can answer that Rollup field calculation ignores the user’s privileges. Even without access, the Activity Reports entity, a user can activate a Rollup field on demand calculation and get a result as if he had full privileges.
The reason for this is that Rollup fields calculation is performed under the privileges of the System user account rather than the actual operating user. If you want to prevent read access to calculation result, use Field Level Security as Microsoft suggests in this article.