Access Checker

Interface of Access Checker

This tool has been created to answer two business needs:

  • Know whether an object is accessible to a user and, if so, with which privileges
  • Quickly understand which privilege is missing when MSCRM returns an error message involving users (calling user, owning user), an object (ObjectId) and privileges (privilegeId).

This tool can help you if you receive the following message:

SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1ef9f412-6601-dd11-8655-0019b9dfe618, OwningUser: 98bbc999-96a2-de11-aeaf-0019b9dfe227 and CallingUser: 037c1c90-96a2-de11-aeaf-0019b9dfe227

In this case, you know that a user (CallingUser) tried to access an object (ObjectID) that belongs to another user (OwningUser).

But you don’t know which privilege was involved. With the Access Checker, you can enter all these values in the tool and display the list of the user’s privileges.

Nevertheless, you need to know which entity is involved.
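
As an added example (not part of the original post or of the Access Checker tool), the Python below pulls the values the tool asks for out of an AccessCheckEx trace line. It handles both the short message above and the longer variant quoted in the comments further down. The function name, the output keys and the two-entry type code map (the standard codes for the account and contact entities) are assumptions made for illustration.

```python
import re
import uuid

# Constructed sample inputs: the two message variants quoted on this page.
SHORT = ("SecLib::AccessCheckEx failed. Returned hr = -2147187962, "
         "ObjectID: 1ef9f412-6601-dd11-8655-0019b9dfe618, "
         "OwningUser: 98bbc999-96a2-de11-aeaf-0019b9dfe227 and "
         "CallingUser: 037c1c90-96a2-de11-aeaf-0019b9dfe227")
LONG = ("SecLib::AccessCheckEx failed. Returned hr = -2147187962, "
        "ObjectID: 1e554039-a822-dd11-a36a-001a4bf11b78, "
        "OwnerId: c696559a-1674-df11-a017-001b78939b60, OwnerIdType: 8 and "
        "CallingUser: 2491b7f6-3edd-e011-a55d-001b78939b60. ObjectTypeCode: 2, "
        "objectBusinessUnitId: ed18013d-1774-df11-a017-001b78939b60, "
        "AccessRights: AppendToAccess , ErrorCode: -2147187962")

# Assumption: only the account and contact type codes are listed here;
# any other code has to be looked up in the organization's entity metadata.
ENTITY_BY_TYPE_CODE = {1: "account", 2: "contact"}
# Both message variants name the owner differently; normalize to one key.
GUID_FIELDS = {"ObjectID": "object_id", "OwningUser": "owner_id",
               "OwnerId": "owner_id", "CallingUser": "calling_user",
               "objectBusinessUnitId": "business_unit_id"}
FIELD_RE = re.compile(r"(\w+)\s*[:=]\s*([-\w]+)")

def parse_access_check(line):
    """Return the values to enter in the tool, or None for unrelated lines."""
    if "SecLib::AccessCheckEx failed" not in line:
        return None
    raw = dict(FIELD_RE.findall(line))
    out = {}
    for name, key in GUID_FIELDS.items():
        if name in raw:
            out[key] = str(uuid.UUID(raw[name]))  # ValueError on a malformed GUID
    if "hr" in raw:
        # The signed decimal HRESULT as unsigned hex, the form used when searching.
        out["hresult"] = "0x%08X" % (int(raw["hr"]) & 0xFFFFFFFF)
    if "ObjectTypeCode" in raw:
        code = int(raw["ObjectTypeCode"])
        out["object_type_code"] = code
        out["entity"] = ENTITY_BY_TYPE_CODE.get(code)  # None means: look it up
    if "AccessRights" in raw:
        out["access_right"] = raw["AccessRights"]
    return out

if __name__ == "__main__":
    for sample in (SHORT, LONG):
        print(parse_access_check(sample))
```

The short variant yields no entity, which is why the entity still has to be known or guessed before using the tool.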

How to use this tool

  1. Define the entity against which you want to test user access. You can type in the logical name of the entity or click the retrieve button to display the list of available entities.
  2. Type in the unique identifier of the object against which you want to test user access. The unique identifier is required to ease the search and also because it is displayed in the CRM error message when an access error appears in CRM logs and traces.
    During privilege retrieval, the unique identifier is resolved to the entity’s primary attribute value.
  3. Select the user you want to test by clicking the browse button (“…”). For the search, you can use the firstname, lastname, fullname or systemuserid attribute.
  4. Click the “Retrieve rights” button to display the user’s privileges on the specified object.
    You can also view the privilege’s unique identifier by hovering the mouse cursor over the privilege icon.

Result of the tool usage

11 Responses to Access Checker

  1. Really helpful tool. Thanks!

  2. Ahmed says:

    Really helpful tool. Thanks!

  3. Daniel says:

    Getting “Given key not found” when retrieving privilege for “Notes” entity.

  4. MscrmTools says:

    I have updated the tool.

    It should work now.

  5. Ric says:

    Would this work for CRM 3.0? Thanks!

  6. mscrmtools says:

    No, it only works with CRM 4.0

  7. Ric says:

    Okay. Thanks for the quick reply. 🙂

  8. Mark Cherry says:

    Hi Tanguy

    Is there any chance of a CRM 2011 version of this please?
    (Strange first time I ran this it failed but it seems to be working now.)

    I’m quite new to CRM and I’m having trouble finding which type of object is referred to by the ObjectId in an AccessCheckEx error. Is there a way that the entity can be determined from the ObjectId?

    Regards,
    Mark

  9. Mark Cherry says:

    It appears that you can still get these errors in CRM 2011. This is an extract from the trace on a live system from today (21/10/2011):

    SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1e554039-a822-dd11-a36a-001a4bf11b78, OwnerId: c696559a-1674-df11-a017-001b78939b60, OwnerIdType: 8 and CallingUser: 2491b7f6-3edd-e011-a55d-001b78939b60. ObjectTypeCode: 2, objectBusinessUnitId: ed18013d-1774-df11-a017-001b78939b60, AccessRights: AppendToAccess , ErrorCode: -2147187962

    I have seen the new style error messages but there was no corresponding new style error message for the above error. I have solved it now using the 4.0 tool. I guessed that the object was either an Account or Contact. It turned out to be a Contact that was in a different Business Unit to the User so he had no privileges to anything with the Contact.
