Hi!
What would be the minimum rights to create a record for a custom entity? I've tried the following:
However, I faced the following error when creating a new Author:
Which is odd, since, as you can see, my entity only has 2 fields: the name and the owner, both default fields.
While I was trying to troubleshoot this error I was able to collect 2 logs. The first one is the StackTrace of the Exception:
[Attachment: /cfs-file/__key/communityserver-discussions-components-files/761/stacktrace.txt]
And the second one, which is part of the StackTrace above, is a JSON-formatted error response:
{
  "CallerPrincipal": { "PrincipalId": "c1723767-6f85-ea11-a811-000d3a33f858", "Type": 8, "IsOrganizationPrincipal": false, "IsUserPrincipal": true, "IsTeamPrincipal": false, "TypeName": "user" },
  "OwnerPrincipal": { "PrincipalId": "c1723767-6f85-ea11-a811-000d3a33f858", "Type": 8, "IsOrganizationPrincipal": false, "IsUserPrincipal": true, "IsTeamPrincipal": false, "TypeName": "user" },
  "CallerInfo": { "IsSystemUser": false, "IsSupportUser": false, "IsAdministrator": false, "IsCustomizer": false, "IsDisabled": false, "IsIntegrationUser": false, "Privileges": null, "Teams": null, "Roles": null },
  "ObjectId": "00000000-0000-0000-0000-000000000000",
  "ObjectTypeCode": 10062,
  "ObjectBusinessUnitId": "f77e5e0f-6381-ea11-a811-000d3a30f195",
  "OrganizationId": "ae4ce2c8-d17c-40b7-8578-d8c9b0a440d2",
  "EntityName": "eax_author",
  "EntityOwnershipTypeMask": 1,
  "EntityPrivileges": [
    { "Id": "51bd38d4-073a-436d-b161-1b020c97930d", "ObjectTypeCode": 10062, "Name": "prvCreateeax_Author", "AccessRight": 32, "PrivilegeType": 0, "CanBeBasic": true, "CanBeLocal": true, "CanBeDeep": true, "CanBeGlobal": true, "CanBeEntityReference": true, "CanBeParentEntityReference": true },
    { "Id": "4ef0be9f-193c-4d69-89db-221335586b88", "ObjectTypeCode": 10062, "Name": "prvReadeax_Author", "AccessRight": 1, "PrivilegeType": 1, "CanBeBasic": true, "CanBeLocal": true, "CanBeDeep": true, "CanBeGlobal": true, "CanBeEntityReference": true, "CanBeParentEntityReference": true },
    { "Id": "8c98cffb-c44a-489f-a634-431bcd5d76ab", "ObjectTypeCode": 10062, "Name": "prvWriteeax_Author", "AccessRight": 2, "PrivilegeType": 2, "CanBeBasic": true, "CanBeLocal": true, "CanBeDeep": true, "CanBeGlobal": true, "CanBeEntityReference": true, "CanBeParentEntityReference": true },
    { "Id": "20a57d83-8b4a-4aa7-9c57-72f4c04f9d9d", "ObjectTypeCode": 10062, "Name": "prvDeleteeax_Author", "AccessRight": 65536, "PrivilegeType": 3, "CanBeBasic": true, "CanBeLocal": true, "CanBeDeep": true, "CanBeGlobal": true, "CanBeEntityReference": true, "CanBeParentEntityReference": true },
    { "Id": "30cc55d1-f53f-42bd-b61a-254026b18b44", "ObjectTypeCode": 10062, "Name": "prvAssigneax_Author", "AccessRight": 524288, "PrivilegeType": 4, "CanBeBasic": true, "CanBeLocal": true, "CanBeDeep": true, "CanBeGlobal": true, "CanBeEntityReference": true, "CanBeParentEntityReference": true },
    { "Id": "1e339baf-9f75-4df1-bab2-bbc5bb0e33ea", "ObjectTypeCode": 10062, "Name": "prvShareeax_Author", "AccessRight": 262144, "PrivilegeType": 5, "CanBeBasic": true, "CanBeLocal": true, "CanBeDeep": true, "CanBeGlobal": true, "CanBeEntityReference": true, "CanBeParentEntityReference": true },
    { "Id": "6ee91c31-d6c2-4f86-b8c5-6da0ab88458c", "ObjectTypeCode": 10062, "Name": "prvAppendeax_Author", "AccessRight": 4, "PrivilegeType": 6, "CanBeBasic": true, "CanBeLocal": true, "CanBeDeep": true, "CanBeGlobal": true, "CanBeEntityReference": true, "CanBeParentEntityReference": true },
    { "Id": "23a58368-d315-4612-a026-484a01e457fb", "ObjectTypeCode": 10062, "Name": "prvAppendToeax_Author", "AccessRight": 16, "PrivilegeType": 7, "CanBeBasic": true, "CanBeLocal": true, "CanBeDeep": true, "CanBeGlobal": true, "CanBeEntityReference": true, "CanBeParentEntityReference": true }
  ],
  "RightsToCheck": "CreateAccess",
  "RoleAccessRights": "None",
  "PoaAccessRights": "None",
  "HsmAccessRights": "None",
  "Messages": [
    "PrincipalHasOwnerPrincipalWithAtLeastBasicPrivilegeDepth = False",
    "EntityUserGroupRights = None",
    "MinimumPrivilegeDepthRequired = Local",
    "GrantedRights = None",
    "SecLib::AccessCheckEx2 failed. Owner Data: roleCount=2, privilegeCount=409, accessMode=0; Principal Data: roleCount=2, privilegeCount=409, accessMode=0"
  ],
  "ReadOnlyState": "UserAndOrgFullAccess",
  "IsHsmEnabled": false,
  "IsOwnerDirectReport": false,
  "IsDirectReportInOwningTeam": false,
  "IsReadAccessFromIndirectReport": false
}
Well, what I am trying to do is allow the user to only Create, Delete, Edit, View (his own or his BU's records), Append, Append To, and Share their records.
It should be a simple task and I couldn't figure out what I am missing.
Thank you in advance.
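As an added example (not code from the original post or from Microsoft), a small Python triage helper that reads the JSON error response above, decodes the AccessRight bitmasks from the EntityPrivileges list, and pulls out the fields that explain the denial (RightsToCheck, the required privilege depth, and whether roles or sharing granted anything). The SAMPLE_RESPONSE is a trimmed, constructed copy of the posted response; the bit-to-name mapping is taken from the prv* entries in that response.

```python
import json

# AccessRight bits as they appear in the posted EntityPrivileges list.
ACCESS_RIGHT_NAMES = {1: "Read", 2: "Write", 4: "Append", 16: "AppendTo", 32: "Create",
                      65536: "Delete", 262144: "Share", 524288: "Assign"}

# Constructed sample: a trimmed copy of the posted error response (only the fields read here).
SAMPLE_RESPONSE = """{
  "EntityName": "eax_author", "EntityOwnershipTypeMask": 1,
  "EntityPrivileges": [
    {"Name": "prvCreateeax_Author", "AccessRight": 32},
    {"Name": "prvReadeax_Author", "AccessRight": 1},
    {"Name": "prvAssigneax_Author", "AccessRight": 524288}],
  "RightsToCheck": "CreateAccess",
  "RoleAccessRights": "None", "PoaAccessRights": "None",
  "Messages": [
    "PrincipalHasOwnerPrincipalWithAtLeastBasicPrivilegeDepth = False",
    "MinimumPrivilegeDepthRequired = Local",
    "GrantedRights = None"]
}"""

def decode_access_right(mask):
    """Expand an AccessRight bitmask into the privilege names it contains."""
    return [name for bit, name in sorted(ACCESS_RIGHT_NAMES.items()) if mask & bit]

def parse_messages(messages):
    """Split 'Key = Value' diagnostics into a dict; other lines go under 'other'."""
    parsed = {"other": []}
    for msg in messages:
        key, sep, value = msg.partition(" = ")
        if sep:
            parsed[key] = value
        else:
            parsed["other"].append(msg)
    return parsed

def triage(raw):
    """Summarise why SecLib denied the request, from the JSON error body."""
    data = json.loads(raw)
    msgs = parse_messages(data["Messages"])
    privs = {p["Name"]: decode_access_right(p["AccessRight"]) for p in data["EntityPrivileges"]}
    return {
        "entity": data["EntityName"], "right_checked": data["RightsToCheck"],
        "role_rights": data["RoleAccessRights"],   # granted via security roles
        "shared_rights": data["PoaAccessRights"],  # granted via record sharing (POA)
        "required_depth": msgs.get("MinimumPrivilegeDepthRequired"),
        "owner_has_basic_depth": msgs.get(
            "PrincipalHasOwnerPrincipalWithAtLeastBasicPrivilegeDepth") == "True",
        "denied": msgs.get("GrantedRights") == "None", "entity_privileges": privs,
    }
```

Running triage() on the posted response shows the check was for CreateAccess, at least Local depth was required, and neither roles nor sharing granted anything, which is what to compare against the role's privilege depth and its privilege-inheritance setting.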
Hi Oiluis,
Since you want to allow the user to only Create, Delete, Edit, View (his own or his BU's records), Append, Append To, and Share their records, I think you should give Business Unit level permissions instead of User level to the privileges of your custom entity.
I think I figured it out while I was replying to your post. Changing the flag below to "Direct User (Basic) access level and Team privileges" solved the issue.
Now I am trying to understand the trade-off of this solution; however, the docs that I found, IMHO, didn't do a great job of explaining this feature:
Hi!
For a fast resolution I recommend you create an incident with us (Microsoft Technical Support), as we cannot share private information publicly. It does not need to be a BUG.
The security role is fine with the permissions you created.
As a Common Data Service user, the user will be able to edit others' records, as long as you add those permissions to the role, which you haven't.
The security role does not look like it is related to the user's team, as the permissions of the user are not shown in telemetry.
Regards.
Hi Alex, thanks for the help!
I am trying to solve the issue without creating a support ticket since I think this isn't a bug yet. Let's try to keep it simple though: what would be the minimum rights for a user to create, edit, delete, read, append, and append to his/her own records? I am assuming that the "user" access right for all columns should work, especially because if you check the Common Data Service User role, this is the same approach they are using for the Contact, Account, Task, etc. entities. However, as a Common Data Service user, the user will be able to edit others' records, even if they are not his/hers. Not sure if you were able to reproduce this issue on a custom env.
Where did you see that the user has a single security role in the logs above? Just to let you know, the security role is bound to the user's team.
That is not quite right. Still today, the user only has a single security role for the organization reported in the error you shared.
Please create an incident so we can share with you the details.
Regards.
No, buddy. The user has the Common Data Service User role AND the custom role associated with him. The custom role is the one that I posted above.
Hi!
The security role is not associated with the user. The user only has the "Common Data Service User" role.
Regards.