When Column Level Security is applied to a Money (currency) field, access to the primary field is correctly restricted. However, the automatically generated Base currency field (_base):
- Is not restricted by CLS
- Cannot be added to a Field Security Profile
- Can be added to views, exported to Excel, and accessed via API
This allows users to bypass column-level security entirely and still access the protected financial value in base currency.
2. Reproduction Steps
- Create or use an existing Money field on a Dataverse table.
- Enable Column Level Security on the field.
- Create a Field Security Profile with:
- Read = Not allowed
- Update = Not allowed
- Create = Not allowed
- Assign the profile to a test user.
- Confirm the user:
- Cannot see the Money field on forms and views ✅
- Edit a view and add the Base currency field (
_base). - Observe that:
- The user can see the Base value, even though the main field is secured.
- Attempt to secure the Base field:
- It cannot be selected in any Field Security Profile.
3. Expected vs Actual Behavior
Expected:
If a Money field is protected by CLS, its corresponding Base field should inherit the same security restrictions, or at minimum be securable.
Actual:
Base currency fields are always visible and cannot be secured, creating a direct CLS bypass.
4. Business Impact
This affects all multi-currency environments and represents a serious compliance risk for customers handling sensitive financial data such as:
- Revenue
- Cost
- Margin
- Salary
- Commission
- Forecast values
The impact includes:
- Violation of internal financial data access policies
- Regulatory compliance exposure (GDPR, SOX, ISO 27001)
- Inability to rely on CLS for financial segregation of duties
- Data leakage via:
- Views
- Excel exports
- API and integrations
In practice, this makes Column Level Security unreliable for Money fields in regulated environments.
Please implement support for securing the base fields of money fields in Column Level Security