This tool has been created to answer two business needs:
- Be able to know if an object is accessible to a user and if so, with what privilege
- Be able to understand, in a quick way, what is the missing privilege when getting MSCRM error messages involving user (calling user, owning user), object (ObjectId) and privileges (privilegeId).
This tool can help you if you receive the following message:
|SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 1ef9f412-6601-dd11-8655-0019b9dfe618, OwningUser: 98bbc999-96a2-de11-aeaf-0019b9dfe227 and CallingUser: 037c1c90-96a2-de11-aeaf-0019b9dfe227|
In this case, you know that a user (CallingUser) tried to access an object (ObjectID) that belongs to another user (OwningUser).
But you don’t know what was the privilege involved. With the Access Checker, you can put all these values on the tool and display the list of user’s privileges.
Nevertheless, you need to know which entity is involved.
How to use this tool
- Define the entity against which you want to test user access. You can type in the logical name of the entity or click on the retrieve button to display the list of the entities available.
- Type in the unique identifier of the object against which you want to test user access. The unique identifier is required to ease the search and also because this unique identifier is displayed in CRM error message when there is an access error in CRM logs and traces.
During the privileges retrieval, the unique identifier will be resolved to the entity primary attribute value.
- Select the user you want to test by clicking on the browsing button (“…”). For the search, you can use the firstname, lastname, fullname or systemuserid attribute.
- Click on the button “Retrieve rights” to display the privileges of the user against the specified object.
You can also view the privilege unique identifier by putting the mouse cursor over the privilege icon