Dynamics CRM Security is not always about Roles

Occasionally, I find myself wasting time because I didn’t check all of my facts. I ran into an issue today where I was getting the strangest error trying to assign a Contact to a specific user.

I checked and rechecked their security role, restarted IIS, etc., but still this error persisted.

Here is the error, as documented by CRM Tracing:

Microsoft.Crm.CrmSecurityException:
Principal user (Id=a39a5555-3c77-e011-8720-00155da5304e, type=8)
is missing prvReadContact privilege
(Id=ba09ec92-12c4-4312-ba16-5715c2cbd6da)

This could not be more explicit.  The user doesn’t have Read access to Contacts.

Except he does:

image

 

Hmm. This is very strange; and I know strange.  If you didn’t know, I actually wrote a book on CRM Security, so you would think I would know what I’m doing. But this was baffling me.

Finally, it occurred to me that the only thing left is the user’s client access license.

I opened the user record up and sure enough, this is what I found:

image

 

Problem solved.

Users with Administrator Access do not have access to normal CRM data so the message was indeed correct.

Keep License type in mind next time you run into what seems to be an incorrect security message.

Leave a Reply 2 comments