Dynamics Integration security role Create permissions

Recently a few customers have discovered that the Dynamics Integration security role the Connector for Microsoft Dynamics solutions create when they are imported in to Microsoft Dynamics CRM, has Business Unit create privileges for the majority of the entities in the Microsoft Dynamics CRM system.  As we see here for the Order, Invoice and Quote entities:

For most users this is acceptable, however if your organization has multiple business units within it and the security level of some entities is not at the same level as it is for the Dynamics Integration role, errors can occur.

For example, say you have business unit A and business unit B and A is the parent of B.  A is also the default business unit that is associated to the organization so this means that the Dynamics Integration role has write access to the entities in business A unit only by default.  Now when the Microsoft Dynamics CRM adapter tries to update a record, say a Sales Order, that resides in Business Unit B a failure will occur since the Dynamics Integration role does not have access to update Sales Orders in Business Unit B.  The error will be similar to this one:

Map: NAV Sales Order to Order

Severity: Warn

Text: [NAV Sales Order to Order] has encountered an error while processing key [{B0F96DFE-3BCE-4B01-ADCB-E83A83B82B05}Sales Header: Order,INT951161]. SecLib::AccessCheckEx failed. Returned hr = -2147187962,
ObjectID: 00000000-0000-0000-0000-000000000000, OwnerId: b84456c4-d30e-e111-9502-d48564795820,  OwnerIdType: 8 and CallingUser: eba7c999-8a85-e111-99da-00155d0d1226. ObjectTypeCode: 1088, objectBusinessUnitId: af37a6c7-705d-e111-a31e-d48564795820, AccessRights: CreateAccess

Error Code:

The simplest fix for this issue is to grant the Dynamics Integration role organizational level access to the entities that it needs increased access to.




Comments (0)