Microsoft Dynamics CRM 2011 and Microsoft Dynamics CRM Online support the execution of plug-ins in an isolated environment. In this isolated environment, also known as a sandbox, a plug-in can make use of the full power of the Microsoft Dynamics CRM SDK to access the organization Web service. Access to the file system, system event log, certain network protocols, registry, and more is prevented in the sandbox. However, sandbox plug-ins do have access to external endpoints like the Windows Azure cloud.
The Microsoft Dynamics CRM platform collects run-time statistics and monitors plug-ins that execute in the sandbox. If the sandbox worker process that hosts a plug-in exceeds threshold CPU/memory/handle limits or is otherwise unresponsive, then that process will be killed by the platform. At that point any currently executing plug-ins in that worker process will fail with exceptions. However, the next time the plug-in is executed it will run normally. There is one worker process per organization so failures in one organization will not affect another organization.
In summary, the sandbox is the recommended execution environment for plug-ins as it is more secure, supports run-time monitoring and statistics reporting, and is supported on all Microsoft Dynamics CRM deployments.
Plug-in developers have the option of registering their plug-ins in the sandbox, known as partial trust, or outside the sandbox, known as full trust. Full trust is supported for on-premises and Internet-facing Microsoft Dynamics CRM deployments. For a Microsoft Dynamics CRM Online deployment, plug-ins must be registered in the sandbox (partial trust) where they are isolated as previously described.
The Microsoft Dynamics CRM platform collects run-time information on plug-ins that execute in the sandbox. This information is stored in the database using PluginTypeStatistic entity records. These records are populated within 30 minutes to one hour after a sandboxed plug-in executes. See the PluginTypeStatistic attributes to find out what information is collected. You can retrieve this information using the retrieve message or method.
Sandboxed plug-ins can access the network through the HTTP and HTTPS protocols. This capability provides support for accessing popular Web resources like social sites, news feeds, Web services, and more. The following network access restrictions apply to this sandbox capability:
Only the HTTP and HTTPS protocols are allowed.
Access to localhost (loopback) is not permitted.
IP addresses cannot be used. You must use a named Web address that requires DNS name resolution.
Anonymous authentication is supported and recommended. There is no provision for prompting the logged-on user for credentials or saving those credentials.
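The first three restrictions above can be checked before a sandboxed plug-in attempts a call, so that a disallowed endpoint fails with a clear reason. The following C# is an added example, not code from the Microsoft Dynamics CRM SDK; the class name SandboxEndpointCheck, its Violation method, and the sample URLs are hypothetical, and the check only mirrors the documented rules rather than reproducing how the platform enforces them.

```csharp
using System;

// Hypothetical helper (not part of the Microsoft Dynamics CRM SDK): checks a
// URL against the documented sandbox network restrictions before a plug-in
// tries to call it, so a bad endpoint is reported with a clear reason.
public static class SandboxEndpointCheck
{
    // Returns null when the URL satisfies the documented rules, otherwise the reason.
    public static string Violation(string url)
    {
        Uri uri;
        if (!Uri.TryCreate(url, UriKind.Absolute, out uri))
            return "not an absolute URL";

        // Rule: only the HTTP and HTTPS protocols are allowed.
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return "scheme '" + uri.Scheme + "' is not HTTP or HTTPS";

        // Rule: IP addresses cannot be used; a DNS name is required.
        if (uri.HostNameType != UriHostNameType.Dns)
            return "host '" + uri.Host + "' is not a DNS name";

        // Rule: localhost (loopback) is not permitted.
        if (uri.IsLoopback)
            return "host '" + uri.Host + "' is loopback";

        return null;
    }

    public static void Main()
    {
        // Constructed sample endpoints, one per rule plus one acceptable URL.
        string[] samples =
        {
            "https://feeds.example.com/news.xml",
            "ftp://files.example.com/export.csv",
            "http://192.0.2.10/api",
            "http://[2001:db8::1]/api",
            "http://localhost:8080/status",
        };
        foreach (string url in samples)
            Console.WriteLine("{0,-40} {1}", url, Violation(url) ?? "ok");
    }
}
```

The check inspects only the URL text and performs no DNS resolution, so the sandbox itself remains the authority on what is reachable.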
For more information, see Write a Plug-in.