How to troubleshoot permissions issues


Microsoft Dynamics CRM includes standard security roles, but almost every organization must adapt these to fit their needs. CRM users are often presented with the following error message, which usually means that one or more privileges are missing from their security role:

“The logged-on user does not have the appropriate security permissions to view these records or perform the specific action.”

Hidden Privileges:

One of the reasons for this error is the lack of “hidden privileges”. These are not visible in the security role form, and by default are not included in a security role if we create it from scratch. We recommend one of the two following resolutions:

· Instead of creating a security role from scratch, copy an existing one and customize it. This way you guarantee that hidden privileges will be present.

· If you have already created a security role from scratch, apply the latest Update Rollup and follow the steps described in the article 968515.

Lack of Privileges

If the problem is not caused by hidden privileges, it might simply come from a missing privilege in the user’s security role. Instead of resorting to trial and error, you can easily identify the missing privilege.

1. Enable CRM platform traces

2. Reproduce the error

3. Disable the traces

4. Open the traces, and look for the string ‘level: Error’, until you find an error similar to the following:
>Crm Exception: Message: SecLib::CrmCheckPrivilege failed. Returned hr = -2147220960 on UserId: 416cb65c-292c-de11-88a9-0003ffede221 and PrivilegeId: 8b99344e-ebbf-4f84-8438-e1e34d194de9, ErrorCode: -2147220960

5. We obtain the ID of the privilege: 8b99344e-ebbf-4f84-8438-e1e34d194de9

6. Open SQL Server Management Studio and run the following query against the <Organization>_MSCRM database:
select * from privilegebase where privilegeId = '8b99344e-ebbf-4f84-8438-e1e34d194de9'

7. The ‘Name’ column of the result gives the name of the missing privilege: prvAssignActivity

Now you only have to add this privilege to the user’s security role to resolve the issue.
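Steps 4 to 6 can be scripted when a trace file is large. The Python below is an added example, not part of the original post or of any Microsoft tooling: it scans trace text for SecLib failure lines, extracts the GUID fields each line carries, and builds the privilegebase lookup for any PrivilegeId found. The function names are hypothetical, and the sample trace is constructed from the two error lines quoted on this page plus a filler line.

```python
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
FAILURE = re.compile(r"SecLib::(\w+) failed\. Returned hr = (-?\d+)")
FIELD = re.compile(r"(\w+): (" + GUID + r")")

# Constructed sample: the two failure lines quoted on this page, one repeated, plus filler.
SAMPLE_TRACE = """\
Level: Info | constructed filler line
>Crm Exception: Message: SecLib::CrmCheckPrivilege failed. Returned hr = -2147220960 on UserId: 416cb65c-292c-de11-88a9-0003ffede221 and PrivilegeId: 8b99344e-ebbf-4f84-8438-e1e34d194de9, ErrorCode: -2147220960
>Crm Exception: Message: SecLib::CrmCheckPrivilege failed. Returned hr = -2147220960 on UserId: 416cb65c-292c-de11-88a9-0003ffede221 and PrivilegeId: 8b99344e-ebbf-4f84-8438-e1e34d194de9, ErrorCode: -2147220960
Error Message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1543ccf5-d937-dd11-849e-001279929c21, OwningUser: e2baac99-1753-db11-8603-001279929c21 and CallingUser: 381e783e-a981-4851-96a7-27da606ae3ac
"""

def parse_failures(trace_text):
    """Return one dict per distinct SecLib failure, in order of first appearance."""
    seen, failures = set(), []
    for line in trace_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        # Collect every "Name: <guid>" pair that follows the failure message.
        fields = {k: v.lower() for k, v in FIELD.findall(line[m.end():])}
        record = {"check": m.group(1), "hr": int(m.group(2)), **fields}
        key = tuple(sorted(record.items()))
        if key not in seen:  # traces often repeat the same failure
            seen.add(key)
            failures.append(record)
    return failures

def lookup_query(failures):
    """Build the privilegebase lookup (step 6) for every PrivilegeId found."""
    ids = sorted({f["PrivilegeId"] for f in failures if "PrivilegeId" in f})
    if not ids:
        return None  # e.g. only AccessCheckEx lines, which carry no PrivilegeId
    quoted = ", ".join("'" + i + "'" for i in ids)  # ids already matched the GUID pattern
    return "select PrivilegeId, Name from privilegebase where PrivilegeId in (" + quoted + ")"

if __name__ == "__main__":
    found = parse_failures(SAMPLE_TRACE)
    for f in found:
        print(f)
    print(lookup_query(found))
```

An AccessCheckEx line yields ObjectID, OwningUser and CallingUser but no PrivilegeId, so `lookup_query` returns `None` when those are the only failures in the trace.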

Regards,

Yoann Nesme


Comments (4)

  1. maverick84 says:

    Hi Yoann,

    Quick question related to this problem.

    I'm getting the same error when I'm trying to use a specific role that I have created. But when I'm using other roles I can still add it. It's just the new specific role that I have created that I can't add to the user.

    What do you think is the problem?

    Thanks,

  2. Zing says:

    What do we do in a situation like the one below, where the access check fails but the trace does not give the privilege GUID?

    MSCRM Error Report:

    ——————————————————————————————————–

    Error: Exception has been thrown by the target of an invocation.

    Error Number: 0x80048306

    Error Message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1543ccf5-d937-dd11-849e-001279929c21, OwningUser: e2baac99-1753-db11-8603-001279929c21 and CallingUser: 381e783e-a981-4851-96a7-27da606ae3ac

    Error Details: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1543ccf5-d937-dd11-849e-001279929c21, OwningUser: e2baac99-1753-db11-8603-001279929c21 and CallingUser: 381e783e-a981-4851-96a7-27da606ae3ac

    Source File: Not available                    

    Line Number: Not available

    Request URL:

    Stack Trace Info: [CrmSecurityException: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1543ccf5-d937-dd11-849e-001279929c21, OwningUser: e2baac99-1753-db11-8603-001279929c21 and CallingUser: 381e783e-a981-4851-96a7-27da606ae3ac]

      at Microsoft.Crm.BusinessEntities.SecurityLibrary.AccessCheckEx(ExecutionContext context, Guid owninguser, Guid objectId, Int32 objectTypeCode, Guid objectBusinessUnitId, AccessRights rights)

      at Microsoft.Crm.BusinessEntities.SecurityLibrary.AccessCheckEx(ExecutionContext context, SecurityAttributes attributes, AccessRights rights)

      at Microsoft.Crm.BusinessEntities.SecurityExtension.PreUpdateHandlerEntityPrivilegeCheck(Object sender, SecurityTraits traits, SecurityAttributes attributes, ExtensionEventArgs e)

      at Microsoft.Crm.BusinessEntities.SecurityExtension.PreUpdateHandler(ExtensionEventArgs e, Object sender)

      at Microsoft.Crm.ObjectModel.ActivityPartySecurityExtension.PreUpdateHandler(ExtensionEventArgs e, Object sender)

      at Microsoft.Crm.ObjectModel.ActivityPartySecurityExtension.PreUpdateHandler(Object sender, ExtensionEventArgs e)

      at Microsoft.Crm.BusinessEntities.BusinessProcessObject.PreUpdateEventHandler.Invoke(Object sender, ExtensionEventArgs e)

      at Microsoft.Crm.BusinessEntities.BusinessProcessObject.Update(IBusinessEntity entity, ExecutionContext context)

      at Microsoft.Crm.ObjectModel.ActivityPartyService.Update(IBusinessEntity entity, ExecutionContext context)

      at Microsoft.Crm.BusinessEntities.BusinessProcessObject.MergeUpdateActivityParty(BusinessEntity masterEntity, Guid masterEntityId, Guid subordinateEntityId, ExecutionContext context)

      at Microsoft.Crm.BusinessEntities.BusinessProcessObject.Merge(BusinessEntityMoniker masterMoniker, Guid subordinateId, IBusinessEntity entity, Boolean bPerformParentingChecks, ExecutionContext context)

  3. Julio says:

    Hi Yoann

    How did you confirm the column ‘Name’: prvAssignActivity after running the query in SQL?!

  4. mckillio says:

    I can give the User Sys Admin role and the error still occurs.