Insufficient Permissions Error on Assigning a record in Dynamics 365

Introduction

While working on one of our client requirement, we came across with one interesting scenario about security roles access level setup for Read and Assign privileges, which leads to errors on Dynamics CRM forms.

Scenario:

The requirement was to allow a user with specific security role in Dynamics CRM say “Salesperson” to assign lead record owned by them to other users on the basis of some criteria.

Below is how Salesperson security role setup for lead entity,

Read and Assign privilege both are user level.

Process flow advised to follow was:

1. Sales people will check their leads (Since salesperson has user level privilege for read they can view only leads those are owned by them).
2. Open lead record, and click on “Assign” button and choose the user to assign the lead to.

Simple process, the privileges setup allow for assigning records, so they should be good to do the steps requested above.

However, in the above case we received an error saying Access Is Denied as shown below.

When we downloaded error log, it stated insufficient privileges for reading lead record.

“SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: d014dcb3-c77f-e611-8127-fc15b4284c10, OwnerId: 3f92c9a1-f49f-e611-8127-c4346bad3608,  OwnerIdType: 8 and CallingUser: 3f92c9a1-f49f-e611-8127-c4346bad3608. ObjectTypeCode: 4, objectBusinessUnitId: d7cf13e4-717f-e611-811c-c4346badf550, AccessRights: ReadAccess”

“ReadAccess” error was confusing as we actually assigned record and the user to which the record was being assigned also had similar privileges.

To dig a little deeper into this, we tried a couple of things;

• We tried to assign the record from the home page grid: In this case, record is assigned to other user and it is removed from the “My Open leads” view. No error was thrown at all!

• Then we tried to assign record from entity form: In this case, we get the Insufficient Privilege error.

Navigate to the My Open Leads View. The record does not show up on the view. This means the record was successfully assigned to the user. We received the error because the logged in user only had user level privilege to the lead. With the lead assigned to another user, they were no longer the owner of this record and therefore the “Insufficient permission error”.

Conclusion:

Dynamics 365 knows its security right!!! When it says you have insufficient privileges – you do have insufficient privileges

Want to evaluate user adoption for Dynamics 365? Try User Adoption Monitor!