This tool has been created to answer two business needs:
- Be able to know if an object is accessible to a user and if so, with what privilege
- Be able to understand, in a quick way, what is the missing privilege when getting MSCRM error messages involving user (calling user, owning user), object (ObjectId) and privileges (privilegeId).
This tool can help you if you receive the following message:
| SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1ef9f412-6601-dd11-8655-0019b9dfe618, OwningUser: 98bbc999-96a2-de11-aeaf-0019b9dfe227 and CallingUser: 037c1c90-96a2-de11-aeaf-0019b9dfe227 |
In this case, you know that a user (CallingUser) tried to access an object (ObjectID) that belongs to another user (OwningUser).
But you don’t know what was the privilege involved. With the Access Checker, you can put all these values on the tool and display the list of user’s privileges.
Nevertheless, you need to know which entity is involved.
How to use this tool
- Define the entity against which you want to test user access. You can type in the logical name of the entity or click on the retrieve button to display the list of the entities available.
- Type in the unique identifier of the object against which you want to test user access. The unique identifier is required to ease the search and also because this unique identifier is displayed in CRM error message when there is an access error in CRM logs and traces.
During the privileges retrieval, the unique identifier will be resolved to the entity primary attribute value. - Select the user you want to test by clicking on the browsing button (“…”). For the search, you can use the firstname, lastname, fullname or systemuserid attribute.
- Click on the button “Retrieve rights” to display the privileges of the user against the specified object.
You can also view the privilege unique identifier by putting the mouse cursor over the privilege icon
Really helpful tool. Thanks!
Really helpful tool. Thanks!
Getting “Given key not found” when retriving privilege for “Notes” entity.
I have updated the tool.
It should work now
Would this work for CRM 3.0? Thanks!
No, it only works with CRM 4.0
Okay. Thanks for the quick reply.
Hi Tanguy
Is there any chance of a CRM 2011 version of this please?
(Strange first time I ran this it failed but it seems to be working now.)
I’m quite new to CRM and I’m having trouble finding which type of object is referred to by the ObjectId in a AccessCheckEx error. Is there a way that the entity can be determined from the ObjectId?
Regards,
Mark
Sorry I forgot to say; there is a small bug in the app if you select the ‘Retrieve entities’ button more than once it starts to duplicate entries in the ‘Entity Name’ dropdown list.
Hi,
There’s no need of a CRM 2011 version of this tool since the privilege, user and record involved are much more explicit.
See this post on my main blog : http://mscrmtools.blogspot.com/search/label/Security%20Role
It appears that you can still get these errors in CRM 2011. This is an extract from the trace on a live system from today (21/10/2011):
SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1e554039-a822-dd11-a36a-001a4bf11b78, OwnerId: c696559a-1674-df11-a017-001b78939b60, OwnerIdType: 8 and CallingUser: 2491b7f6-3edd-e011-a55d-001b78939b60. ObjectTypeCode: 2, objectBusinessUnitId: ed18013d-1774-df11-a017-001b78939b60, AccessRights: AppendToAccess , ErrorCode: -2147187962
I have seen the new style error messages but there was no corresponding new style error message for the above error. I have solved it now using the 4.0 tool. I guessed that the object was either an Account or Contact. It turned out to be a Contact that was in a different Business Unit to the User so he had no privileges to anything with the Contact.