CRM 2013: A Little Change To Security Role Can Kill Your User Access …

How does one go about killing all users’ CRM 2013 access by making a wee little change to a security role in CRM 2013? To find out how I did it, read on…

So it was a Friday afternoon, a big customer deployment deadline looming on the horizon. Nothing like some last-minute changes to add extra pressure to the whole deployment process, right?

We needed to remove any unnecessary permissions from a particular security role in CRM 2013 to ensure users granted this security role only have the minimum rights to perform their jobs and nothing else. So I started checking through all the tabs in the security role and in my haste I accidentally removed the READ permission to something called “Process Configuration” in the “Customization” tab of the security role…


A Little Security Role Change …

Fifteen minutes after deployment, Mr. Customer rang and said….

All our users cannot access CRM records right now. They are getting the error:

“You do not have permission to access these records. Contact your Microsoft Dynamics CRM administrator.”


All my hasty change had done was make all users granted that particular security role unable to create and view main entities such as accounts, contacts, leads, opportunities etc.

Pretty fundamental mistake eh? Turning on CRM tracing immediately gave me the following error:

Crm Exception: Message: Principal user (Id=df2b95d6-b4cb-e311-9407-00155d02e733, type=8) is missing prvReadComplexControl privilege (Id=a4736385-9763-4a64-a44b-cd5933edc631)

What on earth is a “Complex Control”, I hear you ask? A bit of Googling led me to the following lovely page from MSDN:

Security role UI to privilege mapping

Turns out this “Complex Control” is of course an internal CRM entity. However, this is what’s needed by all users if they wish to see the “updated forms” for the refreshed entities.
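A quick way to triage a trace like the one above, as an added example that is not part of the original post: this Python sketch pulls the principal and privilege out of each "is missing ... privilege" message and counts distinct users per privilege, since the same privilege missing for several users points at a shared security role rather than one user's setup. Only the first sample line comes from the post; the second user Id, the unrelated line and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the "missing privilege" message format quoted in the post.
MISSING_PRIV = re.compile(
    r"Principal user \(Id=(?P<user>[0-9a-fA-F-]{36}), type=(?P<type>\d+)\) "
    r"is missing (?P<priv>prv\w+) privilege \(Id=(?P<priv_id>[0-9a-fA-F-]{36})\)"
)

# Constructed sample: the first line is the message from the post; the second
# user Id and the unrelated line are made up for illustration.
SAMPLE_TRACE = """\
Crm Exception: Message: Principal user (Id=df2b95d6-b4cb-e311-9407-00155d02e733, type=8) is missing prvReadComplexControl privilege (Id=a4736385-9763-4a64-a44b-cd5933edc631)
Some unrelated trace line
Crm Exception: Message: Principal user (Id=11111111-1111-1111-1111-111111111111, type=8) is missing prvReadComplexControl privilege (Id=a4736385-9763-4a64-a44b-cd5933edc631)
Crm Exception: Message: Principal user (Id=df2b95d6-b4cb-e311-9407-00155d02e733, type=8) is missing prvReadComplexControl privilege (Id=a4736385-9763-4a64-a44b-cd5933edc631)
"""


def missing_privileges(trace_text):
    """Return {privilege name: set of principal Ids that hit the error}."""
    hits = defaultdict(set)
    for line in trace_text.splitlines():
        m = MISSING_PRIV.search(line)
        if m:
            # Lower-case the GUID so repeated hits by one user collapse.
            hits[m.group("priv")].add(m.group("user").lower())
    return dict(hits)


def role_level_suspects(hits, min_users=2):
    """Privileges missing for several distinct users suggest a role change;
    return (privilege, user count) pairs, most affected first."""
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(priv, len(users)) for priv, users in ranked if len(users) >= min_users]


if __name__ == "__main__":
    for priv, count in role_level_suspects(missing_privileges(SAMPLE_TRACE)):
        print(f"{priv}: {count} distinct users affected")
```

The privilege name it reports can then be looked up in the MSDN UI-to-privilege mapping to find which checkbox in the security role was cleared.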


