This is the first role I've created from scratch - this user ONLY needs to be able to add/modify items (under the Workplace/Extensions area). Thanks for your help!
Hey Jeanne,
Glad to hear it! I went ahead and updated that KB article. It is definitely old since the TraceDirectory is only mandatory in CRM 3.0.
Awesome - thank you Josh - the trace I ran yesterday did work - the location I was looking in was wrong. The Microsoft KB said to create a directory and a TraceLocation string - and a file didn't go there - they went to the location you posted above. Thanks for the help - we're good!!
Hi Jeanne,
You will have to create those registry keys on the CRM server within HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSCRM.
After doing that, the trace files can be found in:
C:\Program Files\Microsoft Dynamics CRM\Trace
Josh - the Trace* keys do not exist in the MSCRM location on the CRM server. We have an application server and a SQL server - the MSCRM location does not exist on the SQL server. I think I would add the Trace* keys to the CRM server in that location - but just want to be sure before I do.
I got the location from the article - The Microsoft CRM server tracing registry entries are located in the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSCRM
Josh - I added the Read for Web Resource, and the first error went away (the box that gives the option to send error report, and to look at the detail). Getting just the Insufficient Permissions now. Will run the trace and let you know how it goes. Thanks!
It certainly sounds like you have CRM Onpremise. The following KB article discusses how to enable platform tracing:
http://support.microsoft.com/kb/907490
You can get away with the following three registry keys:
TraceEnabled - DWORD
TraceRefresh - DWORD
TraceCategories - STRING
You will want to set TraceEnabled to 1 then set TraceCategories to *:Error. Once that is set, set TraceRefresh to 1. This will enable tracing. Once you've reproduced the issue, then set TraceEnabled to 0 and then increment TraceRefresh to 2. The big thing to note is that anytime you change any of the tracing registry keys, you have to either increment or decrement the TraceRefresh value in order for those settings to take effect.
Let me know if you have further issues.
EDITED for Error level only. Verbose is not needed in this situation and can cause confusion.
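The steps in the post above, scripted as an added example (not part of the original thread and not Microsoft's own tooling). The function name `Set-CrmPlatformTrace` is hypothetical; the registry location, value names, types and the `*:Error` category are the ones given in the thread.

```powershell
# Added example. Run in an elevated PowerShell session on the CRM application
# server; the thread notes the MSCRM key does not exist on the SQL server.
$MscrmKey = 'HKLM:\SOFTWARE\Microsoft\MSCRM'

function Set-CrmPlatformTrace {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [string]$Categories = '*:Error'   # Error level only, as in the post
    )
    if (-not (Test-Path $MscrmKey)) {
        throw "MSCRM key not found; run this on the CRM server."
    }

    # Current TraceRefresh, or 0 if the value has never been created.
    $current = (Get-ItemProperty -Path $MscrmKey -Name TraceRefresh `
                    -ErrorAction SilentlyContinue).TraceRefresh
    if ($null -eq $current) { $current = 0 }

    # -Force creates the value if missing and overwrites it if present.
    New-ItemProperty -Path $MscrmKey -Name TraceEnabled -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $MscrmKey -Name TraceCategories -PropertyType String `
        -Value $Categories -Force | Out-Null

    # Written last: a change to TraceRefresh is what makes the other
    # settings take effect.
    New-ItemProperty -Path $MscrmKey -Name TraceRefresh -PropertyType DWord `
        -Value ($current + 1) -Force | Out-Null

    # Return the resulting state so the change can be confirmed.
    Get-ItemProperty -Path $MscrmKey |
        Select-Object TraceEnabled, TraceCategories, TraceRefresh
}

# Usage: enable, reproduce the permission error as the test user, then disable.
#   Set-CrmPlatformTrace -Enabled $true
#   Set-CrmPlatformTrace -Enabled $false
```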
Jeanne,
Well the error message is greatly helpful! If you review the error data, it tells you what permissions they are missing.
<URL>/_common/error/errorhandler.aspx?BackUri=http%3a%2f%2fmeicrm.mei.chemring.net%2fCORCR%2fworkplace%2fhome_dashboards.aspx%3fpagemode%3diframe%26sitemappath%3dWorkplace%257cMyWork%257cnav_dashboards&ErrorCode=0x80040220&Parm0=%0d%0a%0d%0aError%20Details%3a%20Principal%20user%20%28Id%3da48ea861-21bf-e211-822e-005056ad07ae%2c%20type%3d8%29%20is%20missing%20prvReadWebResource%20privilege%20%28Id%3d4156db68-93e2-4a83-8cbb-5bb344ebaf47%29&RequestUri=%2fCORCR%2fHandlers%2fWebResource.ashx%3fname%3dRibbon_main_system_library.js</URL>
This error is complaining about prvReadWebResource.
Josh - the trace sounds great - if CRM Onpremise means that we host it on our own sql server, then yes that is what we have. I would appreciate the info to get the trace going. Thanks!
Please update the thread if the above information is helpful. If yes, please mark this thread as answered.
Thanks,
Mohammad
Thanks for your question. My name is Josh Wells and I am a support engineer on the Microsoft Dynamics CRM Support team.
I can understand your requirements for creating a security role. The tricky thing about security roles and permissions is that they are not as straightforward as they seem. There are permissions that are dependent on other permissions. For instance, if I want a user to be able to take their CRM for Outlook client offline, one would naturally think that the only required permission to do this is the Go Offline permission. However, the offline functionality also requires users to have user level read rights on the Queue entity. This is not documented in a very easy place nor does the Security Role prompt you that you are missing dependent permissions. It's something we have struggled with since the release of CRM.
There has been a feature request to have CRM handle missing permissions better. You can find that request here:
connect.microsoft.com/.../security-roles-to-prompt-if-you-set-permissions-on-an-object-that-requires-other-permissions
In the meantime, the best way to figure out all of the required permissions is to take CRM server platform traces while creating the custom security role. The platform traces will help explain which permissions you are missing. For instance, if I remove the read permissions on the Account entity for one of my users, I can see in the CRM server platform traces the following error:
>Crm Exception: Message: Principal user (Id=472e7fa0-887f-e211-b85a-00155d0de30d, type=8) is missing prvReadAccount privilege (Id=886b280c-6396-4d56-a0a3-2c1b0a50ceb0), ErrorCode: -2147220960
Obviously this is only good for CRM Onpremise. If you are on CRM Online, then we really don't have the luxury of using the CRM server platform traces.
If you are using Onpremise and not sure how to enable CRM platform tracing, feel free to let me know.
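An added example (not part of the original thread) that pulls the "is missing prv... privilege" entries out of trace lines, so a custom role can be given exactly the privileges the traces name. The function name `Get-MissingCrmPrivilege` is hypothetical; the two sample lines are copied from this thread (the trace line above and the `Parm0` portion of the error-handler URL), and the trace folder is the one given in the thread.

```powershell
# Added example. Matches the message format shown in this thread.
$pattern = 'Principal user \(Id=(?<user>[0-9a-fA-F-]{36}), type=(?<type>\d+)\) ' +
           'is missing (?<priv>prv\w+) privilege \(Id=(?<privId>[0-9a-fA-F-]{36})\)'

function Get-MissingCrmPrivilege {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # The browser error-handler URL carries the same message
        # percent-encoded; decoding is a no-op for plain trace lines.
        $text = [uri]::UnescapeDataString($Line)
        foreach ($m in [regex]::Matches($text, $pattern)) {
            [pscustomobject]@{
                UserId      = $m.Groups['user'].Value
                Privilege   = $m.Groups['priv'].Value
                PrivilegeId = $m.Groups['privId'].Value
            }
        }
    }
}

# Sample input taken from this thread: one platform-trace line and the
# Parm0 fragment of the error-handler URL.
$sample = @(
    'Crm Exception: Message: Principal user (Id=472e7fa0-887f-e211-b85a-00155d0de30d, type=8) is missing prvReadAccount privilege (Id=886b280c-6396-4d56-a0a3-2c1b0a50ceb0), ErrorCode: -2147220960'
    'Parm0=%0d%0a%0d%0aError%20Details%3a%20Principal%20user%20%28Id%3da48ea861-21bf-e211-822e-005056ad07ae%2c%20type%3d8%29%20is%20missing%20prvReadWebResource%20privilege%20%28Id%3d4156db68-93e2-4a83-8cbb-5bb344ebaf47%29'
)

# One row per distinct user/privilege pair.
$sample | Get-MissingCrmPrivilege |
    Sort-Object UserId, Privilege -Unique |
    Format-Table -AutoSize

# Against real traces on the CRM server:
#   Get-ChildItem 'C:\Program Files\Microsoft Dynamics CRM\Trace' -File |
#       Get-Content | Get-MissingCrmPrivilege |
#       Sort-Object UserId, Privilege -Unique
```

Because dependent privileges surface one at a time, rerun the trace and this filter after each role change until the test user produces no new rows.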