CRM 2011 and Security Exception enhancement

Do you remember how difficult it was to identify a missing privilege when reading security exception logs in Microsoft Dynamics CRM 4.0? We had to query the database, which was quite annoying… The messages looked like one of the following:

  • When you try to perform an action that is affected by another user's security limitation

SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1ef9f412-6601-dd11-8655-0019b9dfe618, OwningUser: 98bbc999-96a2-de11-aeaf-0019b9dfe227 and CallingUser: 037c1c90-96a2-de11-aeaf-0019b9dfe227

  • When you try to perform an action when you don’t have the privilege to actually do it

CrmSecurityException: SecLib::CrmCheckPrivilege failed. Returned hr = -2147220960 on UserId: 60826d61-2be1-db11-821c-000423b79351 and PrivilegeId: 588725dd-c878-41c5-a4c3-5efc93cd3ffd

Microsoft Dynamics CRM 2011 drastically improves the error messages, avoiding a tedious search in the database:

  • When you try to perform an action that is affected by another user's security limitation

SecLib::CrmCheckPrivilege failed. Returned hr = -2147220943 on UserId: 9d67828d-a13e-e011-af72-0800273a66a6 and PrivilegeType: Read

We can see that the only user ID displayed is that of the user who actually caused the exception, and that the privilege is named instead of being displayed through its unique identifier.

  • When you try to perform an action when you don’t have the privilege to actually do it

Principal user (Id=9d67828d-a13e-e011-af72-0800273a66a6, type=8) is missing prvDeleteAccount privilege (Id=ca6c7690-c935-46b3-bfd2-abb306c2acc0)

Again, the privilege is named.
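For log triage, the message shapes above can be parsed into fields so that the calling user, the privilege and the error code are extracted mechanically. The following is an added example, not part of the original post or of Dynamics CRM; the function name, field names and the `needs_db_lookup` flag are assumptions made for illustration, and the access-check pattern also accepts the longer CRM 2011 wording that appears in the comment below.

```python
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# One pattern per message shape quoted in the post; named groups are the fields.
PATTERNS = [
    # Record-level access check (CRM 4.0 wording, also the longer 2011 form).
    ("access_check", re.compile(
        rf"SecLib::AccessCheckEx failed\. Returned hr = (?P<hr>-?\d+), "
        rf"ObjectID: (?P<object_id>{GUID}), "
        rf"(?:OwningUser|OwnerId): (?P<owner_id>{GUID}).*?"
        rf"CallingUser: (?P<user_id>{GUID})"
        rf"(?:.*?AccessRights: (?P<access_rights>\w+))?")),
    # CRM 4.0 privilege check: the privilege appears only as a GUID.
    ("privilege_by_id", re.compile(
        rf"SecLib::CrmCheckPrivilege failed\. Returned hr = (?P<hr>-?\d+) "
        rf"on UserId: (?P<user_id>{GUID}) and PrivilegeId: (?P<privilege_id>{GUID})")),
    # CRM 2011 privilege check: the privilege type is named.
    ("privilege_by_type", re.compile(
        rf"SecLib::CrmCheckPrivilege failed\. Returned hr = (?P<hr>-?\d+) "
        rf"on UserId: (?P<user_id>{GUID}) and PrivilegeType: (?P<privilege_type>\w+)")),
    # CRM 2011 missing privilege: both the name and the GUID are present.
    ("missing_privilege", re.compile(
        rf"Principal user \(Id=(?P<user_id>{GUID}), type=(?P<principal_type>\d+)\) "
        rf"is missing (?P<privilege_name>\w+) privilege \(Id=(?P<privilege_id>{GUID})\)")),
]

def parse_security_exception(line):
    # Returns a dict of fields for a recognised message, or None otherwise.
    for kind, pattern in PATTERNS:
        match = pattern.search(line)
        if not match:
            continue
        fields = {k: v for k, v in match.groupdict().items() if v is not None}
        fields["kind"] = kind
        if "hr" in fields:  # signed decimal HRESULT -> unsigned 0x... form
            fields["hr_hex"] = f"0x{int(fields['hr']) & 0xFFFFFFFF:08X}"
        # The 4.0 privilege message gives a privilege GUID with no name.
        fields["needs_db_lookup"] = kind == "privilege_by_id"
        return fields
    return None

# The four messages quoted in the post, in order.
SAMPLES = [
    "SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1ef9f412-6601-dd11-8655-0019b9dfe618, OwningUser: 98bbc999-96a2-de11-aeaf-0019b9dfe227 and CallingUser: 037c1c90-96a2-de11-aeaf-0019b9dfe227",
    "CrmSecurityException: SecLib::CrmCheckPrivilege failed. Returned hr = -2147220960 on UserId: 60826d61-2be1-db11-821c-000423b79351 and PrivilegeId: 588725dd-c878-41c5-a4c3-5efc93cd3ffd",
    "SecLib::CrmCheckPrivilege failed. Returned hr = -2147220943 on UserId: 9d67828d-a13e-e011-af72-0800273a66a6 and PrivilegeType: Read",
    "Principal user (Id=9d67828d-a13e-e011-af72-0800273a66a6, type=8) is missing prvDeleteAccount privilege (Id=ca6c7690-c935-46b3-bfd2-abb306c2acc0)",
]
```

Calling `parse_security_exception` on each entry of `SAMPLES` shows that only the CRM 4.0 privilege message still requires resolving a GUID to a privilege name.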

Conclusion

It seems that headaches caused by security exceptions are behind us with this new version of Dynamics CRM. Another good point!

Comments

Anonymous said…
I have a migrated CRM3.0 to CRM2011 system. When I try to add a Contact with privilege to create "own contacts" from within an Account - owned by another user - I get the following error:

Crm Exception: Message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 00000000-0000-0000-0000-000000000000, OwnerId: 0e191dc7-795c-dc11-8e20-000802de3a5e, OwnerIdType: 8 and CallingUser: 819789fa-8b67-dc11-922a-000802de3a5e. ObjectTypeCode: 2, objectBusinessUnitId: 5b08dffc-9719-dc11-b1c9-000802de3a5e, AccessRights: CreateAccess , ErrorCode: -2147187962

If I add a Contact directly, this is possible and I am able to associate the parent account.

Any ideas?

Regards,

René
