It is quite common for users doing everyday tasks, such as reading or writing records, to encounter an error about not having enough permissions. This is most likely because the user is trying to read or write records owned by a user of a different business unit, as in my particular scenario.

With this in mind, we need to investigate the users who are getting these errors, their associated security roles, and the roles assigned to the teams they are in. We then need to amend those roles accordingly to grant users the desired access.

One great tool for this analysis is the Privileges Discovery Tool, which is part of the XrmToolBox.

The Problem

We have users that could not:

  1. View certain Opportunities
  2. Delete Leads

So I ran the tool and did some analysis.

I loaded all entities, searched for Opportunity in the search box, selected ‘Read’ with the permission level ‘Division and sub-Divisions’ (Parent and Child BU in CRM terminology), and got two roles.

I then searched for Lead and selected ‘Delete’ with the permission level ‘None’.

This provided results from the combined searches of Opportunity and Lead, and I was able to identify which security role(s) to update.

What the Tool doesn’t Do

No support for Activities – meaning you can’t find privileges associated with any activity record, i.e. phone call, task, etc. This is a huge shame, as these are heavily used in the real world.

Cannot combine different permission levels for SAME ENTITIES – if I want to combine two or more permission levels for, say, Opportunity (no read access OR business unit only access), this is not possible.

So now we have seen an easier way to troubleshoot security-related issues.

Hope this helps!