Level Up God Mode

Level Up for Dynamics 365 is one of the most useful productivity tools if you are working with the Power Platform and model-driven apps. This utility is a Chrome extension that allows users to perform advanced actions, that normally would require JavaScript bookmarklets. In this article I’ll describe how God Mode works and cover some of the security concerns you may have.

https://chrome.google.com/webstore/detail/level-up-for-dynamics-365/bjnkkhimoaclnddigpphpgkfgeggokam

God Mode is one of the most powerful options in this utility, which makes all mandatory fields optional, make hidden fields/tabs/sections visible and makes read-only fields editable.

Using God Mode in Model-driven app

One of the questions you may have is: so does Level Up break the Dynamics 365 security model? The short answer is No.

God Mode just runs in the client side, it doesn’t call the API service with any kind of elevated priviligies. You can actually see the current code in the following screenshot taken from the original GitHub repository:

https://github.com/rajyraman/Levelup-for-Dynamics-CRM/blob/master/app/scripts/inject/levelup.forms.ts
https://github.com/rajyraman/Levelup-for-Dynamics-CRM/blob/master/app/scripts/inject/levelup.forms.ts

In consecuence, we can say that:

  • God Mode doesn’t allow you to see or update additional records beyond what your security role(s) already does.
  • God Mode allows you to see hidden form attributes, which you could also see by Advanced Find.
  • God Mode allows you to update read-only form attributes, which you could also edit by importing the same records or calling the API.
  • God Mode doesn’t allow you to read/create/update attributes secured by Field Level Security profiles
  • God Mode doesn’t allow you to update attributes secured by server-side extensions (e.g. pre-validation plugins)
  • God Mode doesn’t skip the auditing control (e.g. updating a read-only form attribute would be tracked in the auditing history).

Actually, you could easily run God Mode without having the Level Up extension by just using the native Developer tools that any browser offers nowadays. For instance, in Chrome, just press F12, navigate to the Console section and run the following code. It will do exactly the same as God Mode:

Xrm.Page.data.entity.attributes.forEach(function(attr) {attr.setRequiredLevel('none')} );

Xrm.Page.ui.controls.forEach(function(c){ c.setVisible(true);
      if (c.setDisabled) {
        c.setDisabled(false);
      }
      if (c.clearNotification) {
        c.clearNotification();
      }});


Xrm.Page.ui.tabs.forEach(function(tab){
      tab.setVisible(true);
      tab.setDisplayState('expanded');
      tab.sections.forEach(function(section) {section.setVisible(true)});
    });
Chrome Developers Tools – Running JavaScript in Console

So, as a summary, we could conclude the following points:

  • Don’t rely on client side controls (e.g. show/hide) if you really want to secure some information in the Common Data Service. Use the main security model components: security roles, business units, teams, field level security profiles, server-side validation and auditing.
  • Although God Mode doesn’t break the platform security model, don’t instigage your business users to use the tool. Your UI customisations should offer them the right experience and guidance. I predominantly recommend technical and support teams to take advantage of this great utility.

This article has been written based on the Level Up version 3.5.2 and the CDS version 9.1.0000.16532 (server) / 1.4.551-2004.1 (client) with 2020 Wave 1 enabled.

Hope you find it useful! 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s