Insufficient Permissions Error on Assigning a record in Dynamics 365

By | November 18, 2016

Introduction

While working on one of our client requirements, we came across an interesting scenario about the access-level setup of security roles for the Read and Assign privileges, which leads to errors on Dynamics CRM forms.

Scenario:

The requirement was to allow a user with a specific security role in Dynamics CRM, say “Salesperson”, to assign lead records owned by them to other users on the basis of some criteria.

Below is how the Salesperson security role is set up for the lead entity:

Security Role setup

Both the Read and Assign privileges are at user level.

The process flow advised was:

  1. Salespeople check their leads (since a salesperson has user-level Read privilege, they can view only the leads owned by them).
  2. Open the lead record, click the “Assign” button, and choose the user to assign the lead to.

A simple process: the privileges allow assigning records, so the users should be able to perform the steps above.

However, in this case we received an “Access Is Denied” error, as shown below.

Access is denied error

When we downloaded the error log, it stated insufficient privileges for reading the lead record.

SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: d014dcb3-c77f-e611-8127-fc15b4284c10, OwnerId: 3f92c9a1-f49f-e611-8127-c4346bad3608,  OwnerIdType: 8 and CallingUser: 3f92c9a1-f49f-e611-8127-c4346bad3608. ObjectTypeCode: 4, objectBusinessUnitId: d7cf13e4-717f-e611-811c-c4346badf550, AccessRights: ReadAccess

The “ReadAccess” error was confusing, as we had actually assigned the record, and the user to whom the record was being assigned also had similar privileges.

To dig a little deeper into this, we tried a couple of things:

  • We tried to assign the record from the home page grid: in this case, the record is assigned to the other user and is removed from the “My Open Leads” view. No error was thrown at all!

assign record from home page

  • Then we tried to assign the record from the entity form: in this case, we get the Insufficient Privilege error.

assign record from entity form

Navigate to the My Open Leads view. The record does not show up in the view, which means the record was successfully assigned to the other user. We received the error because the logged-in user had only user-level privilege on the lead. Once the lead was assigned to another user, they were no longer the owner of the record, hence the “Insufficient permission” error.
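
The sequence described above, as an added example (a simplified model written for this page, not Dynamics 365 code): the Assign check runs while the caller still owns the lead, and the form is assumed to re-read the record afterwards, which is consistent with the ReadAccess entry in the log. User names, business-unit names and function names are constructed; sharing, team ownership and hierarchy security are ignored; `requiredDepth` goes beyond the article's case to show which Read depth would let the re-read succeed.

```javascript
// Simplified model of owner-based access depth (added example, not platform code).
const Depth = { None: 0, User: 1, BusinessUnit: 2, ParentChild: 3, Organization: 4 };

// Constructed sample data: business units with parent pointers, and three users
// who all hold the article's "Salesperson" setup (Read and Assign at user level).
const parentOf = { root: null, sales: "root", salesEast: "sales" };
const users = {
  alice: { bu: "sales", role: { Read: Depth.User, Assign: Depth.User } },
  bob: { bu: "sales", role: { Read: Depth.User, Assign: Depth.User } },
  carol: { bu: "salesEast", role: { Read: Depth.User, Assign: Depth.User } },
};

// True when `bu` equals `ancestor` or sits below it in the hierarchy.
function isSameOrChild(bu, ancestor) {
  for (let b = bu; b !== null; b = parentOf[b]) if (b === ancestor) return true;
  return false;
}

// Smallest privilege depth at which `caller` reaches a record owned by `owner`.
function requiredDepth(caller, owner) {
  if (caller === owner) return Depth.User;
  if (users[caller].bu === users[owner].bu) return Depth.BusinessUnit;
  if (isSameOrChild(users[owner].bu, users[caller].bu)) return Depth.ParentChild;
  return Depth.Organization;
}

function hasAccess(caller, record, privilege) {
  return users[caller].role[privilege] >= requiredDepth(caller, record.owner);
}

// Assign is checked against the current owner; the form then re-reads the
// record, and that Read check is evaluated against the NEW owner.
function assignFromForm(caller, record, newOwner) {
  if (!hasAccess(caller, record, "Assign")) {
    return { assigned: false, formReload: "not attempted" };
  }
  record.owner = newOwner; // the assignment itself is committed
  const canRead = hasAccess(caller, record, "Read");
  return { assigned: true, formReload: canRead ? "ok" : "Access is denied (ReadAccess)" };
}
```

In this model the home page grid differs only in that nothing re-reads the assigned record, so the same assignment completes without an error.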

Conclusion:

Dynamics 365 knows its security right!!! When it says you have insufficient privileges – you do have insufficient privileges 🙂


4 thoughts on “Insufficient Permissions Error on Assigning a record in Dynamics 365”

  1. TestUser

    Thank you for confirming the behavior. I had exactly similar behavior, and your scenario made it clear to me that CRM is correct but why error on form level makes sense.

    Thank you very much.

  2. Ashwini

    Hello, is there any way to stop showing the error or close the form on assigning from the entity (instead of home grid)?

  3. Reshna

    I am a user with Business level privilege. I am assigning my record to a user with the same privileges (but in a different Business Unit) by changing the owner field and clicking ‘Save’. I am getting an ‘Access denied’ error but the record owner is not changing. It's still me.

    1. inogic

      Here, as you mentioned that the user you are trying to set as owner belongs to a different business unit, it might be possible that you have the assign permission of the respective entity at user level or business unit level, due to which you are facing the Access denied error.
      To assign a record to a user who does not belong to the same business, you need to update your security role and provide either Parent Child business unit or Organization level assign privileges, based on the business unit of that user.

      Please refer to the link below: https://docs.microsoft.com/en-us/power-platform/admin/security-roles-privileges

      Hope this helps!
