New tool: Access Checker

Hello everyone,

It's been a while that I'm back but I have a lot of work and so little time for this blog.

However, things promise is a promise, here is a small tool that could make your life easier.

Have you ever encountered this error message:

SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1ef9f412-6601-dd11-8655-0019b9dfe618, OwningUser: 98bbc999-96a2-de11-aeaf-0019b9dfe227 and CallingUser: 037c1c90-96a2-de11-aeaf-0019b9dfe227

You do not really know what object and what user it is and especially what rights might fail him. With this tool, you can put all these IDs and know what are the privileges of the user regarding this record.

With this tool, you can:

  • Indicate which entity you want to inspect
  • Enter the identifier of the object in question
  • Searching for a user with its name or its unique identifier
Click the “Retrieve rights” button and the program will tell you what rights the user with respect to the record.

As usual, if you need improvment or detect a bug, do not hesitate to contact me

The tool can be downloaded just below (and in the archive with all tools)


Andrew Zimmer said…
Hi Tanguy,
Welcome back! This is a very useful application. Good work.

If you ever find yourself making other changes to this app, I can see it being useful to see the ID in CRM that corresponds to the each privilege (create, read, ect). When you scroll over the privilege you would see the GUID for that privilege. I mention this because sometime CRM throws back an error message mentioning the privilege ID that the current user is lacking. It would be useful to be able to match up the privilege with the ID. Then again, you can always run a simple SQL query to get the privilege that's failing.

Just wanted to throw out the suggestions.

Great app!
-Andrew Zimmer
Tanguy said…
Hi Andrew,

Your idea is interesting, I will add this when I have time (which doesn't seem to happen soon :/)

Thanks anyway for the feedback
Vincent said…
Hi! I would really like to use your tool, but I can't get passed the connection creation. I get no error messages, the program just crashes.

Maybe I'm doing something wrong?
1- I specify a connection name (I guess anything goes)
2- I use the windows integrated Authentication. My active directory user is a CRM admin, so it should be okay.
3- I don't check SSL or IFD
4- I specify the server name. I guess you only give the server name. So no special format like: "http://myserver/myorg". I only put: "myserver"
5- I specify the port
6- I press "get orgs" and it crashes at this point.

Can someone give me a hand?

Thanks in advance!
Tanguy said…
Hi Vincent, I updated the tool (I forgot to catch some exceptions...).

But if ut crashed, it seems that something is wrong in your configuration (name or port, for example)
Vincent said…
Thanks a lot Tanguy! It doesn't crash anymore and I can get it to work now! It's great! :)
Tanguy said…
I'm glad to hear that!
Unknown said…
Thanks alot for this tool. It quickly helped me find the right permissions that needed to be applied.

One thought.. Is there a way to determine what type of entity an objectID is? I had to try several entity types getting failures (no object ID of that type) before I figured out which type I was dealing with.

My issue was that a salesperson could not create a quote from an opportunity that had been assigned to him. Turned out you need to have the Append and Append To rights on the Account record... These rights also allow the salesperson to Create Order from an Active quote.

Thanks again.
Tanguy said…
Hi Doug,

Unfortunately, it is not possible to determine the entity from the ID...

I could add a global search through all entities but that would take a very long time to proceed...

The true goal of this tool is to avoid you to browse all roles of a user to determine which privileges he has or not regarding a specific record
Unknown said…
Hi. thank you, the application works. but sometimes the application itself generates an error
SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 6879CD2C-5C4A-E011-BD80-001AA0C35C21 , OwningUser: 8848f924-d62d-df11-881a-001aa00c35c21 and CallingUser: 4469c4a2-182a-e011-b294-0011aa00c35c21
when I chek the objekt with ID 6879CD2C-5C4A-E011-BD80-001AA0C35C21
help me, please)
Tanguy said…
Well, this tool is intented to be used with an account having system administrator that avoid to get security exception message...
Eric W. Cahoon said…
Great Tool Tanguy! Will you post the source code so we can learn how you accomplished this functionality and also extend the tool? You could post it to CodePlex or SourceForge.
ePartners UK said…
How can I use this tool to connect to CRM Online?
Tanguy said…
You can't.

CRM 4.0 tools I developed are just designed for OnPremise and IFD deployments
Anonymous said…
Just found this - looks great. Can you push to Codeplex? My company blocks personal storage sites.
Tanguy said…
I don't have time to do it...

If you can give me an email address, I will send it to you
AfterDark said…
Very helpful tool.
I find an unwanted privilege ID but how can I find out which Security Role/Sharing/or Assignment caused this unwanted access?
AfterDark said…
Very helpful tool.
I find an unwanted privilege ID but how can I find out which Security Role/Sharing/or Assignment caused this unwanted access?
Tanguy said…
You can't... At least, there is no tool that allows to see that information.

The only way is to review all roles for that specific privilege. If you can't find it, then you have to look in the sharing dialog. If it is not there, it could also be an inherited sharing (see parent record sharing dialog)
AfterDark said…
Is there any SQL code to find out that?
Recently we faced to a new problem with MS CRM 4 User's access to others objects: Some users have unwanted access rights to other business units that they prohibited in their Roles definitions. Therefore we need to track and find out which Role, Sharing, or assignment is the source of this problem?! Can you help me? (any recommend in SQL will be helpful + I have the unwanted privilege ID with Access Checker)

If not, is there any way to reset/reconfigure/rebuild every privileges to the whole of microsoft crm 4 database?
Tanguy said…
The problem you describe is typically due to sharing. So there is no possibility to reset/reconfigure

But you can look in the table PrincipalObjectAccess. This table list all security access.
If the column AccessRightMask is filled, then it is an explicit sharing. if the column InheritedAccessRightMask is filled, then it is an inherited sharing (see parent record).
The column ObjectId refers to the entity record
The column PrincipalId refers to a team or a user
AfterDark said…
Thanks for your fast and helpful response...
Can you write a simple a sql for listing all parent records of an entity please?
Tanguy said…
No I can't. I can give some advice but I'm not working for you and I have already too many things to do. Sorry

Popular posts from this blog

New tool: CrmDiagTool 2011

New tool: SiteMap Editor for Microsoft Dynamics CRM 2011

Full featured CRM grid in HTML/JS