We are using CRM 2011 on premise and would like to set up our security roles on teams instead of on individual users. However, every time we try to configure it this way, we end up with seemingly random results. The users will have access to some of the things their team's permissions grant them and not others. The most recent testing we did with this was to add the system administrator role to a team. We then gave one of our system admins a base role on their user and added them to the system admin team. They can access most entities and do customizations with no problems, however, they were trying to disable a user and could not. I tried this with system admin on my user account and could disable the user. Anyone had any luck with using teams for security roles?
Sadly I can't give you a solution but I would like to flag that I too have tried to take a team/role based approach to security rather than assigning permissions specifically to a user and I have had the same result as you. From what I can see currently it would appear that the system does not provide the capability to manage purely by team assigned security roles, we still need to assign security to the individual user. I would love to be shown to be wrong, for now based on my experience I am proceeding with that premise.
Do you have update rollup 1 installed and still see this? I didn't see anything in the release notes regarding this, so I doubt it was fixed, but wanted to check. Oddly, the issues seem to pop up randomly and therefore make it somewhat hard to verify if it is working or not. Thanks for your response.
Hi Justin, I am actually using the online version and to my understanding yes, rollup 1 is applied. I had a user that for all intents and purposes has full access to pretty much everything based on the security role assigned to his team but I had nothing assigned to him, he seemed to be able to do most things but as soon as he went to users and tried to look at someone he got an inadequate permissions error, I assigned the same role to him directly and suddenly permissions weren't a problem. Best of luck.
This is my interpretation. A team and user's security role combination can be used on entities or functionalities where ownership is defined as team or user. In case of a user entity, the ownership is business unit so I assume that it only takes the user's security role into consideration and not the team's (I guess MS has left this functionality as-is like previous versions 4.0 or 3.0).
I haven't really found a way to get around this but here's how you can replicate the problem:
1 - Create a role with basic or full privileges to 2 different entities, say Entity1 and Entity2
2 - Create a team
3 - Assign the new role to your team
4 - Add a member to your team, say User1
5 - Login as User1
6 - Create or open an Entity1 record - you will get SecLib::AccessCheckEx failed
7 - Login as administrator and explicitly assign the new role to User1
8 - Login as User1 and open an Entity1 record, works just fine
9 - Login as administrator and remove the new role from User1
10 - Login as User1 and notice that when you open an Entity1 record, it now works, as compared to step 6 above
11 - Now, still logged in as User1, open an Entity2 record. Again you will get SecLib::AccessCheckEx failed
12 - Unless you repeat steps 7-10 for Entity2, it will not work
My conclusion is, until you explicitly assign a role to a user then open an entity record, the user won't inherit the team's roles.
You are correct on your conclusion. That is my conclusion as well.
Hi, I followed your steps and I am able to create a record with a little change to the security role. We have to give user-level permission at 1) Business Management tab --> User Settings 2) Customization tab --> read permission on web resource, view, etc.
Hope this will help you.
Has there ever been a solution to this? I am trying to follow the traditional AGDLP technique, but this looks like a bug.
I can provide an example of how to replicate this issue. I try to send an email to a contact and I pick a template; if my user has security role X then this process works fine.
If I remove this role X from the user, put him in a Team and give the team only one role X, this message pops up:
SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 427cf7c0-7558-e611-80e9-0050569464f5, OwnerId: ae8d789e-9e48-e611-80e8-0050569464f5, OwnerIdType: 8 and CallingUser: ae8d789e-9e48-e611-80e8-0050569464f5. ObjectTypeCode: 2500, objectBusinessUnitId: f5175b81-863e-e611-80e7-0050569464f5, AccessRights: WriteAccess
Role has user level write access to userentityUIsettings table (2500)
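An added example, not part of any post in this thread and not Microsoft code: a small Python parser that splits the SecLib::AccessCheckEx message quoted above into fields for triage. The function names are hypothetical, and the owner-type mapping (8 = systemuser, 9 = team) is an assumption based on the standard CRM entity type codes.

```python
import re

# Error text copied from the post above.
SAMPLE = (
    "SecLib::AccessCheckEx failed. Returned hr = -2147187962, "
    "ObjectID: 427cf7c0-7558-e611-80e9-0050569464f5, "
    "OwnerId: ae8d789e-9e48-e611-80e8-0050569464f5, OwnerIdType: 8 and "
    "CallingUser: ae8d789e-9e48-e611-80e8-0050569464f5. ObjectTypeCode: 2500, "
    "objectBusinessUnitId: f5175b81-863e-e611-80e7-0050569464f5, "
    "AccessRights: WriteAccess"
)

# Assumption: standard CRM entity type codes for the two kinds of record owner.
OWNER_TYPES = {8: "systemuser", 9: "team"}
# Matches "Key: value" and "key = value" pairs; skips "SecLib::AccessCheckEx".
FIELD = re.compile(r"(\w+)\s*[:=]\s*(-?[\w-]+)")


def parse_access_check(message):
    """Return the fields of an AccessCheckEx failure, keys lowercased."""
    if "SecLib::AccessCheckEx failed" not in message:
        raise ValueError("not an AccessCheckEx failure message")
    return {key.lower(): value for key, value in FIELD.findall(message)}


def triage(message):
    """Summarise who was denied which right on what kind of record."""
    f = parse_access_check(message)
    owner_type = int(f["owneridtype"])
    return {
        # The signed decimal hr shown as the usual unsigned 32-bit hex code.
        "hresult": "0x%08X" % (int(f["hr"]) & 0xFFFFFFFF),
        "entity_type_code": int(f["objecttypecode"]),
        "denied_right": f["accessrights"],
        "owner_kind": OWNER_TYPES.get(owner_type, "unknown(%d)" % owner_type),
        # True when the denied caller is also the record's owner.
        "caller_is_owner": f["ownerid"].lower() == f["callinguser"].lower(),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```

For the quoted message this reports a user-owned record whose owner is the calling user, which is the case the replies below go on to discuss.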
First... never try to add SystemAdmin-SecRole via teams. I have experienced many problems doing so. Special flags in the SysAdmin-SecRole are no longer working and a SystemAdmin is no longer a SystemAdmin.
Is it a bug? I don't know, but this behavior can be found in 2011, 2013, 2015 and 2016.
Who is the calling user? Who is the owner of the Object? Do you use a plugin to set owner after creating?
Hi Karsten, the calling user is me, the record it tries to access in userentityUIsettings is owned by me as well, the Security Role given to the team has read/write Own access, user and team are in the same business unit, in fact there is only 1 business unit in the system. No plugins anywhere, it's Out of the Box CRM.
Or what you are saying is that since the record is owned by me but I have no role, but my team has a Role with Read/Write Own, does this mean that if the record had been owned by the Team then it will work? And if it is owned by me, regardless of my team membership, the access will be denied?
When you are the owner of a dataset and the SecRole gives read access to this entity on user/team (quarter cake), no other user is able to open the dataset. When a team is the owner of a dataset, only users assigned to this team can open the dataset.
Create copies and give team/user roles different names even if it is exactly the same role.
Thanks, Biplab, for the reply. The use of the Team role is not yet useful. Is there any new update on this?