• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1408
  • Last Modified:

Microsoft CRM 4.0 - Custom Security Role Issue

We have created a role that is intended to allow managers at each business unit to setup security roles without giving the managers the system administrator role.  

We have not been able to get this to work - when creating a role, we get the following message: "The logged on user does not have the appropriate security permissions to view these records or perform the specific action"

This happens even if a user with this role clicks New, types in a Security Role name and clicks Save.

I have searched the internet and found various attempts to overcome this issue but if anyone has a definite solution, it would be much appreciated.

Thanks
0
apollo7
Asked:
apollo7
  • 7
  • 3
1 Solution
 
Jeff WightBusiness Solutions ManagerCommented:
Have you enabled CRM tracing?  If not, I would suggest trying that.  Enable tracing using the directions in this KB:

http://support.microsoft.com/kb/907490

Once tracing is enabled, try creating the security role again to generate the error.  Then analyze the trace log.  It should give you an error that contains the ID of the privilege that is missing.  You can then run the following query against the CRM database to identify the missing permission:

SELECT *
FROM [PrivilegeBase]
WHERE PrivilegeId = '[ID]'

If you can't find the error containing the missing privilege, post the trace log and I'll take a look.


0
 
apollo7Author Commented:
I have a question on the above:

I am on the CRM 4.0 server and opened the registry.  I do not see the registry entry on the server: as indicated in the link above:

"The Microsoft CRM server tracing registry entries are located in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSCRM"

I am running MSCRM 4.0 on Server 2008 - is there another place to change the registry entries to enable a trace?

Thanks
0
 
Jeff WightBusiness Solutions ManagerCommented:
That's where they should be.   You could try searching the registry for "TraceEnabled" and see if it appears elsewhere.  If not, I would just create the keys as describe in the KB.
0
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

 
apollo7Author Commented:
Still working on this...will be back with questions if needed.
0
 
apollo7Author Commented:
I ran the trace and received two errors with PrivilegeId indicated.  They are:

PrivilegeId                        Name
CA4A3B9F-6887-4B5D-90F4-E918ED17E175      prvReadService
B14AB968-E16A-4613-A90F-B093E9320D6D      prvReadNew_center

Any idea on what these translate to in the Manage Roles UI or what else can be done to resolve these Privilege errors?

Thanks
0
 
apollo7Author Commented:
Please ignore the statement above.  I have been able to run the trace and add a number of privileges to the Security Role I am creating but some privileges do not appear under the Security Role form. These priveleges are:

A7C82854-36CE-4616-B7C2-84EC619D3378      prvAppendToAsyncOperation
8FDEEA95-80AB-47DC-974B-52D71B88C8AF      prvAppendRole
B5C6CE9F-6ED4-4330-BF1E-24B146573CAE      prvSendInviteForLive
4440769E-8D79-41FC-AE45-CD65480FFDBA      prvWriteAsyncOperation

Can you tell me how to add these privileges if they are not shown under Security Roles (for the user role I am creating)

Thanks
0
 
Jeff WightBusiness Solutions ManagerCommented:
The role to priv mapping is defined in the table called [RolePrivileges].  

Modifying these privs through the UI isn't possible.  This article talks says that you can make the change via custom development:
http://blogs.msdn.com/b/crm/archive/2009/08/04/viewing-all-crm-privileges-including-hidden-privileges.aspx

The other option would be to make the change directly in the database in the [RolePrivileges] table.  This is not supported, but might be possible...



0
 
apollo7Author Commented:
Thanks, will check this out and get back with any questions.
0
 
apollo7Author Commented:
Here is where I am - I tried the link but cannot get the zip file (which contains the Role Editor) to download.  I also looked at the Role Privileges table but determined it is not something I would modify directly.

I need to create a role that can create other roles but is restricted by Business Unit.

My latest approach was to copy the System Administrator role and then adjust to assign roles only at the Parent - Business Unit level.  My problem is that when I adjust down from the Organization level (even for accounts, contacts, etc) it breaks the BU Administrator role (throws an error)

Any ideas would be greatly appreciated, any other links or tools that can be used for this.

Let me know if you need any more detail.

Thanks for your help.

0
 
apollo7Author Commented:
Thanks - this worked perfectly and my role is defined.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

  • 7
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now