How does one go around killing all users’ CRM 2013 access by making a wee little change to a security permission role in CRM2013? To find out how I did it, read on…
So it was a Friday afternoon, a big customer deployment deadline looming on the horizon. Nothing like some last minute changes to add extra pressure to the whole deployment process right?
We needed to remove any unnecessary permissions from a particular security role in CRM 2013 to ensure users granted this security role only have the minimum rights to perform their jobs and nothing else. So I started checking through all the tabs in the security role and in my haste I accidentally removed the READ permission to something called “Process Configuration” in the “Customization” tab of the security role…
A Little Security Role Change …
Fifteen minutes after deployment, Mr. Customer rang and said….
All our users cannot access CRM records right now. They are getting the error:
“You do not have permission to access these records. Contact your Microsoft Dynamics CRM administrator.”
All my hasty change had done is to make all users granted with that particular security role unable to create and view main entities such as accounts, contacts, leads, opportunities etc.
Pretty fundamental mistake eh? Turning on CRM tracing immediately gave me the following error:
Crm Exception: Message: Principal user (Id=df2b95d6-b4cb-e311-9407-00155d02e733, type=8) is missing prvReadComplexControl privilege (Id=a4736385-9763-4a64-a44b-cd5933edc631)
What on earth is a “Complex Control” I hear you ask? A bit of google led me to the following lovely page from MSDN:
Turns out this “Complex Control” is of course an internal CRM entity. However this is what’s needed by all users if they wish to see the “updated forms” for the refreshed entities.