Dynamics CRM Security is not always about Roles

Occasionally, I find myself wasting time because I didn't check all of my facts. I ran into an issue today where I was getting the strangest error trying to assign a Contact to a specific user.

I checked and rechecked their security role, restarted IIS, etc., but still this error persisted.

Here is the error, as documented by CRM Tracing:

Principal user (Id=a39a5555-3c77-e011-8720-00155da5304e, type=8)
is missing prvReadContact privilege

This could not be more explicit.  The user doesn't have Read access to Contacts.

Except he does:



Hmm. This is very strange, and I know strange. If you didn't know, I actually wrote a book on CRM Security, so you would think I would know what I'm doing. But this was baffling me.

Finally, it occurred to me that the only thing left is the user's client access license.

I opened the user record up and sure enough, this is what I found:



Problem solved.

Users with Administrator Access do not have access to normal CRM data, so the message was indeed correct.

Keep the license type in mind the next time you run into what seems to be an incorrect security message.

2 thoughts on “Dynamics CRM Security is not always about Roles”

  1. Thanks Mitch! I ran into exactly this scenario during a data migration. A handful of records wouldn't import for a specific user, and it didn't make sense, because he's a sysadmin in the new system. After reading your blog, I checked his CAL, and sure enough, it was an admin license.
