web
You’re offline. This is a read only version of the page.
close
Skip to main content
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / Inherited sharing perm...
Microsoft Dynamics CRM (Archived)

Inherited sharing permissions are not cleaned up

(0) ShareShare
ReportReport
Posted on by Lior Abel 5

Or as I like to call it - Fun with PrincipalObjectAccess records!

Consider the following scenario.

  1. My organisation has the Parent Account (account_parent_account) relationship set up with the following:
    1. 'Cascade Share' behaviour set to 'Cascade User-owned'.
    2. 'Cascade UnShare' behaviour set to 'Cascade User-owned'.
  2. User1 creates an account and names it "Test Parent".
  3. User1 then creates a child account to the previous named "Test Child".
  4. User1 shares "Test Parent" to User2 with the 'read' permission. This causes the system to create an inherited share for "Test Child" for User2.
  5. User3 takes ownership of "Test Child".
  6. User1 now revokes sharing on "Test Parent" from User2.
  7. Result - User2 is left with 'read' permissions to "Test Child" which no one has any way of removing or even seeing as inherited permissions are not visible in the CRM UI.

Test it, works every time.

Going to a more technical view, the PrincipalObjectAccess table is designed to store both directly granted permissions (AccessRightsMask) and indirectly granted permissions (InheritedAccessRightsMask). These will generally come in pairs or chains where one or more inherited permissions have a directly granted permission at the top.

What happens in the sequence described above is that we are left with inherited permissions to records that are not linked to directly granted permissions. As a result they cannot be removed and are just left as orphaned permissions floating in the system.

Back to my real-life CRM system. It now appears that I have thousands (if not more) of these ghost permissions floating around as I have no easy or supported way of removing them. Some users have access to data they are not supposed to see.

Any ideas?
You know you want to, it's a challenging problem! ;)

To keep this post short, I have not provided any queries or heavy technical details. I will provide those in another post.

*This post is locked for comments

I have the same question (0)
  • Lior Abel Profile Picture
    Lior Abel 5 on at
    RE: Inherited sharing permissions are not cleaned up

    As promised, some more technical details.

    The query I used to output the data below is this:

    select a.OwnerIdName,
	a.Name,
	poa.PrincipalId,
	poa.AccessRightsMask,
	poa.InheritedAccessRightsMask,
	poa.ChangedOn
from PrincipalObjectAccess poa full join
	Account a on a.AccountId = poa.ObjectId
		and poa.ObjectTypeCode = 1
where a.AccountId in (
	'1162C09C-4E89-E511-80CB-005056B42EC5', --Parent
	'F3C656B5-4E89-E511-80CB-005056B42EC5' --Child
	)


    Taking my example sequence step by step, the results for this query are the following:

    Before sharing

    OwnerIdName Name PrincipalId AccessRightsMask InheritedAccessRightsMask ChangedOn
    Lior Abel Test Parent NULL NULL NULL NULL
    Lior Abel Test Child NULL NULL NULL NULL

    Neither of the accounts has any POA records linked to them. They were never shared.

    After sharing the parent

    OwnerIdName Name PrincipalId AccessRightsMask InheritedAccessRightsMask ChangedOn
    Lior Abel Test Parent 58C44DFE-E958-E311-ABF7-005056A54D8B 1 0 2015-11-12 15:59:17.450
    Lior Abel Test Child 58C44DFE-E958-E311-ABF7-005056A54D8B 0 134217729 2015-11-12 15:59:17.467

    This is again as expected. The parent account has a direct permission of '1' and the child has an inherited permission of '134217729' (this is just a '1' with the additional Inherited flag in a high bit).

    After child ownership change

    OwnerIdName Name PrincipalId AccessRightsMask InheritedAccessRightsMask ChangedOn
    Lior Abel Test Parent 58C44DFE-E958-E311-ABF7-005056A54D8B 1 0 2015-11-12 15:59:17.450
    pcrm-admin crm-admin Test Child 58C44DFE-E958-E311-ABF7-005056A54D8B 0 134217729 2015-11-12 15:59:17.467

    Here we see CRM's security model beginning to crumble. While I can still logically expect a '1' permission for the parent, this should no longer be inherited by the child as the rule for 'Cascade User-owned' is no longer valid. However, I could live with this if it stopped here. It's about to get much worse.

    After parent sharing revoking

    OwnerIdName Name PrincipalId AccessRightsMask InheritedAccessRightsMask ChangedOn
    Lior Abel Test Parent 58C44DFE-E958-E311-ABF7-005056A54D8B 0 0 2015-11-12 16:07:08.807
    pcrm-admin crm-admin Test Child 58C44DFE-E958-E311-ABF7-005056A54D8B 0 134217729 2015-11-12 15:59:17.467

    And there you have it. The child account now has ghost permissions assigned to it. These are inherited from... Nowhere. They are not visible in the UI and cannot be modified.

    The only way to revoke these ghost permissions would be to revert the ownership change, return the parent sharing, and then revoke it again.

    Of course, there is always direct database deletions but we all know that's not the way to go.

     

  • Moshe Hayun Profile Picture
    Moshe Hayun 365 on at
    RE: Inherited sharing permissions are not cleaned up

    Hi Lior,

    Did you find an answer to this question?

  • Community Member Profile Picture
    Community Member on at
    RE: Inherited sharing permissions are not cleaned up

    Any update on this?

  • Lior Abel Profile Picture
    Lior Abel 5 on at
    RE: Inherited sharing permissions are not cleaned up

    No solution to this was found.

  • Mohan Kumar Profile Picture
    Mohan Kumar 90 on at
    RE: Inherited sharing permissions are not cleaned up

    Wow! These inherited permissions can't be revoked even programmatically. I too have the same problem. Its really challenging!

  • Suggested answer
    Marcel Lathouwers Profile Picture
    Marcel Lathouwers 175 on at
    RE: Inherited sharing permissions are not cleaned up

    Lior Abel , Mohan Kumar

    I think that can be executed by learn.microsoft.com/.../microsoft.xrm.sdk.messages.createasyncjobtorevokeinheritedaccessrequest

    Never tried myself

  • Suggested answer
    Laurent Crm Profile Picture
    Laurent Crm 10 on at
    RE: Inherited sharing permissions are not cleaned up

    Hi,

    take a look at the option CleanInheritedAccessWhenReparentOrShareCascadingNone with "OrgDBOrgSettings tool for Microsoft Dynamics CRM"

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Join experts in person to explore low code and AI agents at the Power Platform Community Conference sponsored by Microsoft

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Abhilash Warrier – Community Spotlight

We are honored to recognize Abhilash Warrier as our Community Spotlight honoree for…

Congratulations to the September Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics CRM (Archived)

#1
HR-09070029-0 Profile Picture

HR-09070029-0 2

#2
ED-30091530-0 Profile Picture

ED-30091530-0 1

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans