Saturday, December 22, 2012

Strange behaviour when using security roles with the teams in CRM2011

I was trying to set up the security roles on teams instead of assigning security roles to the individual users. The end result is that it does not work very well.

Here are the details of what happened.

I had a user with a security role named “Manager”. Everything was working as expected. The user was able to create and update the entities defined in the security role. We decided to create a team named “Manager” and assign the role to the team. I added the user to the team and removed the security role from the user. Here is what happened after that.

I was able to open, create and update the entities as defined in the security roles until we created a new form for an existing entity.

When I tried to open the newly created form for the entity, I received the following error message.

[Image: screenshot of the error message]

I had a look in the event viewer. It was showing the following warning message.

Exception message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 3be48aca-0f39-e211-bce1-005056b8253f, OwnerId: 9cc2541a-9137-e211-bce1-005056b8253f,  OwnerIdType: 8 and CallingUser: 9cc2541a-9137-e211-bce1-005056b8253f. ObjectTypeCode: 2500, objectBusinessUnitId: bf221f51-8537-e211-bce1-005056b8253f, AccessRights: WriteAccess

The object type code 2500 represents the entity “User Entity UI Settings”. I checked the permissions on the entity. The user had the required permissions on the entity. The most annoying part was that I was able to open the existing form without a problem.

So I decided to look a bit deeper into the problem and here are my findings.

1. I created a new user and added the user to the team without assigning any role to the user.

I received an error message “Access Is Denied” every time I tried to open any entity form.

2. I added the same security role to the user as the security role assigned to the team.

I tried to open account and contact entity form and I was able to open them without an error.

3. I removed the security role from the user again.

I was able to open the entity forms I tried in step 2, but I was unable to open the form for any other entity or a different form for the same entity.

Conclusion:

You have to have a security role assigned to the user in order to open any entity form, at least for the first time.
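For triaging warnings like the one above, here is a small parser for the `SecLib::AccessCheckEx failed` message. It is an added example, not code from the original post or from Microsoft; the function name and output keys are hypothetical, and the owner type mapping (8 = user, 9 = team) is stated from general knowledge of CRM type codes rather than from the post.

```python
import re

# Owner type codes (systemuser = 8, team = 9 in Dynamics CRM); this mapping
# is an assumption from general knowledge, not something the post states.
OWNER_KINDS = {8: "user", 9: "team"}
# Entity names exactly as the page gives them for these type codes.
ENTITY_NAMES = {2500: "User Entity UI Settings", 112: "Case (Incident)"}
FIELD_RE = re.compile(
    r"\b(hr|ObjectID|OwnerId|OwnerIdType|CallingUser|ObjectTypeCode|"
    r"objectBusinessUnitId|AccessRights)\s*[:=]\s*([-\w]+)"
)
REQUIRED = {"hr", "OwnerId", "OwnerIdType", "CallingUser", "ObjectTypeCode", "AccessRights"}

# Both messages are copied from this page: the post's event log warning
# and the exception quoted in the first comment.
POST_LOG = (
    "Exception message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, "
    "ObjectID: 3be48aca-0f39-e211-bce1-005056b8253f, "
    "OwnerId: 9cc2541a-9137-e211-bce1-005056b8253f,  OwnerIdType: 8 and "
    "CallingUser: 9cc2541a-9137-e211-bce1-005056b8253f. ObjectTypeCode: 2500, "
    "objectBusinessUnitId: bf221f51-8537-e211-bce1-005056b8253f, AccessRights: WriteAccess"
)
COMMENT_LOG = (
    "Crm Exception: Message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, "
    "ObjectID: 3b74c74a-cb50-e211-83b9-005056b0003b, "
    "OwnerId: 725f1c22-162e-e011-8836-000c29922112, OwnerIdType: 9 and "
    "CallingUser: 5ee3d866-6eec-e111-b29b-005056b0003f. ObjectTypeCode: 112, "
    "objectBusinessUnitId: 825f1c22-162e-e011-8836-000c29922011, AccessRights: ReadAccess"
)

def parse_access_check(message):
    """Summarise one 'SecLib::AccessCheckEx failed' message for triage."""
    if "SecLib::AccessCheckEx failed" not in message:
        raise ValueError("not an AccessCheckEx failure message")
    fields = dict(FIELD_RE.findall(message))
    missing = REQUIRED - fields.keys()
    if missing:
        raise ValueError("missing fields: " + ", ".join(sorted(missing)))
    hr, otc = int(fields["hr"]), int(fields["ObjectTypeCode"])
    return {
        "hresult": f"0x{hr & 0xFFFFFFFF:08X}",  # signed 32-bit value shown as hex
        "entity": ENTITY_NAMES.get(otc, f"type code {otc}"),
        "owner_kind": OWNER_KINDS.get(int(fields["OwnerIdType"]), "other"),
        "caller_is_owner": fields["OwnerId"].lower() == fields["CallingUser"].lower(),
        "denied_right": fields["AccessRights"],
    }
```

Run over the two messages, it shows that in the post's warning the calling user owns the record being written, while in the comment's exception the record is owned by a team.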

3 comments:

  1. Nice article..

    I am facing a similar issue with the Team and User security model. In my case the entity is Case (Incident), the user is in a team, and some Case entity records owned by the team can't be accessed by the user in the team, where the team has a security role with User-level access on the Case entity.

    Exception:
    Crm Exception: Message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 3b74c74a-cb50-e211-83b9-005056b0003b, OwnerId: 725f1c22-162e-e011-8836-000c29922112, OwnerIdType: 9 and CallingUser: 5ee3d866-6eec-e111-b29b-005056b0003f. ObjectTypeCode: 112, objectBusinessUnitId: 825f1c22-162e-e011-8836-000c29922011, AccessRights: ReadAccess , ErrorCode: -2147187962

    Any idea? I am not getting why a user in a team can't access the record where the team has User-level access in the security role.
