Solved

Microsoft CRM 4.0 - Custom Security Role Issue

Posted on 2011-03-11
10
1,381 Views
Last Modified: 2012-05-11
We have created a role that is intended to allow managers at each business unit to setup security roles without giving the managers the system administrator role.  

We have not been able to get this to work - when creating a role, we get the following message: "The logged on user does not have the appropriate security permissions to view these records or perform the specific action"

This happens even if a user with this role clicks New, types in a Security Role name and clicks Save.

I have searched the internet and found various attempts to overcome this issue but if anyone has a definite solution, it would be much appreciated.

Thanks
0
Comment
Question by:apollo7
  • 7
  • 3
10 Comments
 
LVL 10

Expert Comment

by:Jeff Wight
ID: 35115957
Have you enabled CRM tracing?  If not, I would suggest trying that.  Enable tracing using the directions in this KB:

http://support.microsoft.com/kb/907490

Once tracing is enabled, try creating the security role again to generate the error.  Then analyze the trace log.  It should give you an error that contains the ID of the privilege that is missing.  You can then run the following query against the CRM database to identify the missing permission:

SELECT *
FROM [PrivilegeBase]
WHERE PrivilegeId = '[ID]'

If you can't find the error containing the missing privilege, post the trace log and I'll take a look.


0
 
LVL 1

Author Comment

by:apollo7
ID: 35150895
I have a question on the above:

I am on the CRM 4.0 server and opened the registry.  I do not see the registry entry on the server: as indicated in the link above:

"The Microsoft CRM server tracing registry entries are located in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSCRM"

I am running MSCRM 4.0 on Server 2008 - is there another place to change the registry entries to enable a trace?

Thanks
0
 
LVL 10

Expert Comment

by:Jeff Wight
ID: 35151231
That's where they should be.   You could try searching the registry for "TraceEnabled" and see if it appears elsewhere.  If not, I would just create the keys as describe in the KB.
0
 
LVL 1

Author Comment

by:apollo7
ID: 35182742
Still working on this...will be back with questions if needed.
0
 
LVL 1

Author Comment

by:apollo7
ID: 35183323
I ran the trace and received two errors with PrivilegeId indicated.  They are:

PrivilegeId                        Name
CA4A3B9F-6887-4B5D-90F4-E918ED17E175      prvReadService
B14AB968-E16A-4613-A90F-B093E9320D6D      prvReadNew_center

Any idea on what these translate to in the Manage Roles UI or what else can be done to resolve these Privilege errors?

Thanks
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 1

Author Comment

by:apollo7
ID: 35191845
Please ignore the statement above.  I have been able to run the trace and add a number of privileges to the Security Role I am creating but some privileges do not appear under the Security Role form. These priveleges are:

A7C82854-36CE-4616-B7C2-84EC619D3378      prvAppendToAsyncOperation
8FDEEA95-80AB-47DC-974B-52D71B88C8AF      prvAppendRole
B5C6CE9F-6ED4-4330-BF1E-24B146573CAE      prvSendInviteForLive
4440769E-8D79-41FC-AE45-CD65480FFDBA      prvWriteAsyncOperation

Can you tell me how to add these privileges if they are not shown under Security Roles (for the user role I am creating)

Thanks
0
 
LVL 10

Accepted Solution

by:
Jeff Wight earned 500 total points
ID: 35191967
The role to priv mapping is defined in the table called [RolePrivileges].  

Modifying these privs through the UI isn't possible.  This article talks says that you can make the change via custom development:
http://blogs.msdn.com/b/crm/archive/2009/08/04/viewing-all-crm-privileges-including-hidden-privileges.aspx

The other option would be to make the change directly in the database in the [RolePrivileges] table.  This is not supported, but might be possible...



0
 
LVL 1

Author Comment

by:apollo7
ID: 35192119
Thanks, will check this out and get back with any questions.
0
 
LVL 1

Author Comment

by:apollo7
ID: 35193632
Here is where I am - I tried the link but cannot get the zip file (which contains the Role Editor) to download.  I also looked at the Role Privileges table but determined it is not something I would modify directly.

I need to create a role that can create other roles but is restricted by Business Unit.

My latest approach was to copy the System Administrator role and then adjust to assign roles only at the Parent - Business Unit level.  My problem is that when I adjust down from the Organization level (even for accounts, contacts, etc) it breaks the BU Administrator role (throws an error)

Any ideas would be greatly appreciated, any other links or tools that can be used for this.

Let me know if you need any more detail.

Thanks for your help.

0
 
LVL 1

Author Closing Comment

by:apollo7
ID: 35241174
Thanks - this worked perfectly and my role is defined.
0

Featured Post

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now