Duplicate E-mail Addresses confound CRM 2011 Tracking

Posted on October 1st, 2011.

A month or so ago, I was preparing test-bed data for a prospective client.  As part of the test, they wanted identical sets of contact data loaded for 20 users in 20 individual CRM Business Units.  This would allow 20 different testers to execute the same test scripts and, in theory, have the same user experience and get the same results.

One of the tests involved selecting an inbound e-mail from the user’s Outlook inbox, and tracking it in the CRM.  The CRM for Outlook client is all over that, so it should not have been an issue.  But once we started testing this as users in the individual Business Units [BUs], we discovered a disturbing issue; When you have contacts in the database with duplicate e-mail addresses, CRM for Outlook will often track an e-mail from this address against the wrong contact record in CRM.

Let’s have a look at the following example:

image

Within our CRM Organization, we have two side-by-side BUs called “Sales” and “Customer Service”.  User Sam is in the Sales BU, while user Chris is in the Customer Service BU.  In our Organization, these two BUs operate completely independently, with a Chinese Wall in between to segregate their data.

Both users have the same privilege on the Contact record – they can only read contact records that they own:

image

Both users own their own version of the “Joe Jones” contact – these contact records represent the same person, and therefore have the same e-mail address, but in terms of our organization they are kept as two contacts for security and privacy reasons.

Now, put yourself in the shoes of one of these users. Let’s say Sam gets an e-mail from Joe in his inbox, and wants to track it in CRM. He clicks the ‘Track in CRM’ button, and it appears to track just fine. That makes sense to Sam, because he knows he has just one contact with Joe’s e-mail address in his database, so all is well.  But Sam then clicks the ‘View in CRM’ button on the CRM for Outlook toolbar, and opens up the e-mail record in CRM.  If he clicks on the ‘From’ contact link, one of two things will happen:

a) it will open up his Joe Jones contact record, as expected
b) it will attempt to open up Chris’ Joe Jones record, and he will get a security error

For certain, if both users do exactly the same steps, one will see result (a) and the other will see result (b).  Which of the two things that will happen seems to depend on who entered their contact record first in CRM.  Genius, no?

This didn’t happen in CRM 4.  The reason it happens in CRM 2011 is because Microsoft has introduced a new database table called EmailSearchBase.  This table is a dead-simple cross-reference list of e-mail addresses and the CRM records that they belong to.  It was created to improve the performance of e-mail tracking, by de-normalizing the e-mail address information.  So when the CRM for Outlook needs to look up an address, it doesn’t have to query the Contact, Account, Lead, and User entities anymore, it just has to look at the EmailSearchBase table for a match.  The problem is that the CRM security model is ignored during this search – it simply grabs the first match it finds in the list, and if that records happens to belong to a CRM record that you don’t have any access to, it doesn’t care and it uses that ContactId as the ‘From’ on your e-mail record.

I opened a support ticket with Microsoft on this, thinking I was doing them a favour by pointing out a very large hole in their security model, but I was effectively told that the Sustained Engineering team doesn’t consider this a significant enough issue to bother with a fix.  I don’t usually lose my cool on the phone, but I’m afraid I wasn’t very cordial with the two support reps that were trying to convince me that having duplicate e-mail addresses in the database was a poor business practice. 

My only, albeit feeble, course of action was to create a product enhancement suggestion.  If you would like to vote for my product suggestion (that they fix the gaping security hole in CRM), please use this link.

Hope this information enlightens and infuriates you.

Make a Comment

Make A Comment: ( 3 so far )

blockquote and a tags work here.

Spam Protection by WP-SpamFree

3 Responses to “Duplicate E-mail Addresses confound CRM 2011 Tracking”

RSS Feed for Dave Ireland's CRM & Stuff Comments RSS Feed

What an oversight. I hope the CRM engineering team steps up and seriously considers the design and its implications.

Thanks for posting this.

Peter
October 2nd, 2011

I have the same “sort of” problem in a client environment. User track incomming e-mail without setting a “regarding”. This will go correct most of the time but sometimes it seems crm is linking the mail at random to another contact. Any ideas on that matter?

joey
November 30th, 2011

Joey, you may be a victim of the CRM’s “smart” matching logic (I’m legally obligated to put “smart” in quotes, because it’s not all that bright really. Google the Smart Matching issue – you will likely end up disabling it if it’s causing more problems than it’s solving.

direland
December 28th, 2011

Where's The Comment Form?

About

Adventures in Microsoft CRM

RSS

Subscribe Via RSS

  • Subscribe with Bloglines
  • Add your feed to Newsburst from CNET News.com
  • Subscribe in Google Reader
  • Add to My Yahoo!
  • Subscribe in NewsGator Online
  • The latest comments to all posts in RSS
  • Subscribe in Rojo

Meta

Liked it here?
Why not try sites on the blogroll...