New tool: Access Checker

Hello everyone,

 It's been a while that I'm back but I have a lot of work and so little time for this blog.

 However, things promise is a promise, here is a small tool that could make your life easier.

 Have you ever encountered this error message:

SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1ef9f412-6601-dd11-8655-0019b9dfe618, OwningUser: 98bbc999-96a2-de11-aeaf-0019b9dfe227 and CallingUser: 037c1c90-96a2-de11-aeaf-0019b9dfe227

 You do not really know what object and what user it is and especially what rights might fail him. With this tool, you can put all these IDs and know what are the privileges of the user regarding this record.

With this tool, you can:

  • Indicate which entity you want to inspect
  • Enter the identifier of the object in question
  • Searching for a user with its name or its unique identifier
Click the “Retrieve rights” button and the program will tell you what rights the user with respect to the record.



As usual, if you need improvment or detect a bug, do not hesitate to contact me

The tool can be downloaded just below (and in the archive with all tools)

Comments

Andrew Zimmer said…
Hi Tanguy,
Welcome back! This is a very useful application. Good work.

If you ever find yourself making other changes to this app, I can see it being useful to see the ID in CRM that corresponds to the each privilege (create, read, ect). When you scroll over the privilege you would see the GUID for that privilege. I mention this because sometime CRM throws back an error message mentioning the privilege ID that the current user is lacking. It would be useful to be able to match up the privilege with the ID. Then again, you can always run a simple SQL query to get the privilege that's failing.

Just wanted to throw out the suggestions.

Great app!
-Andrew Zimmer
March 6, 2010 at 6:37 PM
Tanguy said…
Hi Andrew,

Your idea is interesting, I will add this when I have time (which doesn't seem to happen soon :/)

Thanks anyway for the feedback
March 8, 2010 at 11:13 AM
Vincent said…
Hi! I would really like to use your tool, but I can't get passed the connection creation. I get no error messages, the program just crashes.

Maybe I'm doing something wrong?
1- I specify a connection name (I guess anything goes)
2- I use the windows integrated Authentication. My active directory user is a CRM admin, so it should be okay.
3- I don't check SSL or IFD
4- I specify the server name. I guess you only give the server name. So no special format like: "http://myserver/myorg". I only put: "myserver"
5- I specify the port
6- I press "get orgs" and it crashes at this point.

Can someone give me a hand?

Thanks in advance!
March 29, 2010 at 8:39 PM
Tanguy said…
Hi Vincent, I updated the tool (I forgot to catch some exceptions...).

But if ut crashed, it seems that something is wrong in your configuration (name or port, for example)
March 30, 2010 at 2:13 PM
Vincent said…
Thanks a lot Tanguy! It doesn't crash anymore and I can get it to work now! It's great! :)
March 30, 2010 at 3:30 PM
Tanguy said…
I'm glad to hear that!
March 30, 2010 at 3:35 PM
Unknown said…
Thanks alot for this tool. It quickly helped me find the right permissions that needed to be applied.

One thought.. Is there a way to determine what type of entity an objectID is? I had to try several entity types getting failures (no object ID of that type) before I figured out which type I was dealing with.

My issue was that a salesperson could not create a quote from an opportunity that had been assigned to him. Turned out you need to have the Append and Append To rights on the Account record... These rights also allow the salesperson to Create Order from an Active quote.

Thanks again.
Doug
August 19, 2010 at 3:08 PM
Tanguy said…
Hi Doug,

Unfortunately, it is not possible to determine the entity from the ID...

I could add a global search through all entities but that would take a very long time to proceed...

The true goal of this tool is to avoid you to browse all roles of a user to determine which privileges he has or not regarding a specific record
August 23, 2010 at 4:12 PM
Unknown said…
Hi. thank you, the application works. but sometimes the application itself generates an error
SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 6879CD2C-5C4A-E011-BD80-001AA0C35C21 , OwningUser: 8848f924-d62d-df11-881a-001aa00c35c21 and CallingUser: 4469c4a2-182a-e011-b294-0011aa00c35c21
when I chek the objekt with ID 6879CD2C-5C4A-E011-BD80-001AA0C35C21
help me, please)
March 9, 2011 at 5:04 PM
Tanguy said…
Well, this tool is intented to be used with an account having system administrator that avoid to get security exception message...
March 9, 2011 at 5:14 PM
Eric W. Cahoon said…
Great Tool Tanguy! Will you post the source code so we can learn how you accomplished this functionality and also extend the tool? You could post it to CodePlex or SourceForge.
April 6, 2011 at 4:27 PM
ePartners UK said…
How can I use this tool to connect to CRM Online?
August 3, 2011 at 4:58 PM
Tanguy said…
You can't.

CRM 4.0 tools I developed are just designed for OnPremise and IFD deployments
August 29, 2011 at 1:02 PM
Anonymous said…
Just found this - looks great. Can you push to Codeplex? My company blocks personal storage sites.
December 10, 2012 at 6:24 PM
Tanguy said…
Hi,
I don't have time to do it...

If you can give me an email address, I will send it to you
December 11, 2012 at 11:10 AM
AfterDark said…
Hi,
Very helpful tool.
I find an unwanted privilege ID but how can I find out which Security Role/Sharing/or Assignment caused this unwanted access?
April 25, 2013 at 12:13 PM
AfterDark said…
Hi,
Very helpful tool.
I find an unwanted privilege ID but how can I find out which Security Role/Sharing/or Assignment caused this unwanted access?
April 25, 2013 at 12:14 PM
Tanguy said…
You can't... At least, there is no tool that allows to see that information.

The only way is to review all roles for that specific privilege. If you can't find it, then you have to look in the sharing dialog. If it is not there, it could also be an inherited sharing (see parent record sharing dialog)
April 25, 2013 at 12:20 PM
AfterDark said…
Is there any SQL code to find out that?
Recently we faced to a new problem with MS CRM 4 User's access to others objects: Some users have unwanted access rights to other business units that they prohibited in their Roles definitions. Therefore we need to track and find out which Role, Sharing, or assignment is the source of this problem?! Can you help me? (any recommend in SQL will be helpful + I have the unwanted privilege ID with Access Checker)

If not, is there any way to reset/reconfigure/rebuild every privileges to the whole of microsoft crm 4 database?
April 25, 2013 at 12:24 PM
Tanguy said…
The problem you describe is typically due to sharing. So there is no possibility to reset/reconfigure

But you can look in the table PrincipalObjectAccess. This table list all security access.
If the column AccessRightMask is filled, then it is an explicit sharing. if the column InheritedAccessRightMask is filled, then it is an inherited sharing (see parent record).
The column ObjectId refers to the entity record
The column PrincipalId refers to a team or a user
April 25, 2013 at 12:39 PM
AfterDark said…
Thanks for your fast and helpful response...
Can you write a simple a sql for listing all parent records of an entity please?
April 25, 2013 at 12:56 PM
Tanguy said…
No I can't. I can give some advice but I'm not working for you and I have already too many things to do. Sorry
April 25, 2013 at 1:37 PM
Post a Comment

Popular posts from this blog

New XrmToolBox plugin : Import/Export NN relationships

Image
Two plugins in one day! wow! This one was, in fact, developed a couple of months ago. One of my colleague was using a solution from my fellow MVP Andrii Butenko which allows to import/export NN relationships in a silverlight web resource. This was nice but my colleague was using other attributes than primary key to do the mapping and Andrii’s solution does not support this. So he asked me to develop a XrmToolBox’s plugin that could do this. And, here it is! You can select entities and relationships and moreover, choose mapping attributes on both enitities. I only let text and number attributes selectable as other does not really make sense for mapping purposes. Then you can import or export NN relationships! Here is a preview As usual, this plugin, among other, is available with XrmToolBox on CodePlex
Read more

Searchable Propery Attribute Updater

Image
Hi, The previous post was not the last one... :) You can find in this post the first tool that will make your life easier: Just remember when you customer asked you to remove all these unused attributes form the attribute list of the advanced find form... You navigated through all attrbutes form to modify the Searchable property of each attributes for hours... (maybe am I exaggerating a bit...) The program I give you allows you to update all attributes in a single winform application! Yes it can be! Do not hesitate to give me your comments about this program if you think improvements can be done... Download:
Read more

Full featured CRM grid in HTML/JS

Image
In last December, I was asked to write a web resource to display a grid with CRM records. I was quite frustrated because I didn’t succeed to manage some grid features easily like fixed header with horizontal scrolling among others. I delivered a fixed table which was not so bad but absolutely not something that look like the application grid views. So I decided to work harder to find a way to do this CRM style grid view. After some works (almost two full days), I have succeeded to create a full featured CRM grid view by using only JavaScript. Here is a screenshot: And this is how I can create a grid view from only a div in a HTML page < html > < head > < title > Page de test </ title > < script src ="json2.js"></ script > < script src ="jquery.js"></ script > < script src ="XrmServiceToolKit.js"></ script > < script src ="sdk.metadata.js"></ script > ...
Read more