Error “The signed-in user does not have the appropriate security permissions to view these records or perform the specific action” while setting up dynamics crm outlook client

Tuesday, November 1, 2011

Hi,

While setting up CRM 2011 Outlook Client I came across the following error:

“The signed-in user does not have the appropriate security permissions to view these records or perform the specific action..”

As I could fine almost no information about this issue I decided to share here the steps I went through to sort this out:

Downloaded CrmDiagTool 2011 from here.
Run the tool and Enable Tracing.

Tried again Configuration Wizard in order to reproduce the error.
Once reproduced, I disabled tracing and then click on “Open Trace Directory” within the CRMDiagTool (usually, it will be folder “C:\Program Files\Microsoft Dynamics CRM\Trace”).
Opened last modified file with the name “xxx-CRMWeb-xxx” and search for “Checking Privilege” text.

I got several results similar to:

Checking Privilege for UserId: {FB5B699E-754E-46F2-AAD9-2AA98304ECB7}, PrivilegeId: {94C3AC2C-EB23-41CB-A903-4E2E49E910B4}. Returned hr = 0

Copied the PrivilegeId GUID.
Then, opened SQL Server Management Studio and run the following query against your Organization DB:

select Name, * from PrivilegeBase where PrivilegeId = 'privilege id without brackets’ , for instance:

select Name, * from PrivilegeBase where PrivilegeId = '94C3AC2C-EB23-41CB-A903-4E2E49E910B4'

In my case, this query returned the following result:

So, I could see that what the user needs privileges to read sdk messages. So, I opened the role he belongs to and grant that privilege:

Saved the role and tried again Configuration Wizard.
Unfortunately, it failed again .

So, I decided to go over each result in the log file and find out each privilege the system were checking against. I found out that the privileges that were being checked were the following ones:

{94C3AC2C-EB23-41CB-A903-4E2E49E910B4} prvReadSdkMessage: Customization –> Sdk Message

{902D70D3-2FF8-4D93-92F9-8EFDCF889AF8} prvReadQuery: Customization –> View

{B9C59CEF-F5D1-46B4-8C3B-8A38906C8C0E} prvReadSystemForm: Customization –> System Form

{7BB3B531-AC45-4977-89C8-B99768E55AB8} prvReadCustomization: Customization –> Customizations

{B64E92C8-5D2A-4052-A026-1B73EFF9CEBF} prvReadSolution: Customization –> Solution

{8CDEBADE-6187-440D-B041-5B3F3D84DB53} prvReadPublisher: Customization –> Publisher

{DB10A828-EC49-4035-8B7E-C58EFAF169EC} prvReadSdkMessageProcessingStep: Customization –> Sdk Message Processing Step

{122E085F-8C52-47E8-8415-875DEE1C961E} prvReadSdkMessageProcessingStepImage: Customization –> Sdk Message Processing Step Image

{F5B50296-A212-488A-BE92-CBCCA8971717} prvReadPluginAssembly: Customization –> Plug-in Assembly

{76FAAD15-BC44-4F4D-84DC-DD1E1DDA74D9} prvReadUser: Business Management –> User

{DBD3AD17-B6BD-46C8-8DB7-179FEC82C937} prvReadOrganization: Business Management –> Organization

{4156DB68-93E2-4A83-8CBB-5BB344EBAF47} prvReadWebResource: Customization –> Web Resource

{8437FA7C-3681-4FC7-BFD8-53A23FDECD65} prvReadUserSettings: Business Management –> User Settings

{663D1920-56E1-4166-89F0-47F3330923A8} prvReadTeam: Business Management –> Team

{222A920A-2778-4564-85CB-E78DDE8E4276} prvReadRole: Business Management –> Security Role

{6B4A9461-0105-4F4A-A047-FE1B4FEF02E7} prvReadWizardAccessPrivilege: Core Records –> Web Wizard Access Privilege

{D55D6EB9-D1E7-4EE9-A492-775015CF2F1F} prvReadWebWizard: Core Records –> Web Wizard

{024CA4FF-65BD-4381-84A5-A531285E9CE1} prvReadWizardPage: Core Records –> Wizard Page

{BD57CFA5-8495-4B3E-B358-DA246BA797B5} prvCreateWebResource: Customization –> Web Resource – create privileges

So, after granting ALL of the above privileges, I could finally set up CRM Outlook Client.

TIP: You can also look for the string ‘is missing’ to go straight to the lines where the trace says exactly which privileges are missing and preventing from running the operation. Obviously, I found it a bit later but it’s also useful in other cases where appears the same error :p).

Hope it helps to save you some time ;).

PP [twitter: @pabloperalta]

Nice write-up Pablo, thanks!

Donna Edwards - Friday, December 2, 2011 8:59:40 PM

Thank YOU dear Donna!

pablop - Tuesday, December 20, 2011 2:30:45 AM

...still not workin for me :-/

Jan Schwarz - Tuesday, June 12, 2012 3:09:32 PM

@Jan, if you look for the string ‘is missing’ in the log, do you find some error? If so, you may need to add those privileges to the user as shown above.

If not the case, have you tried with an IIS reset (if possible), just to be sure to remove any potential cached data?

thanks
PP

pablop - Tuesday, June 12, 2012 5:38:32 PM

atm i got no possibility to debug on our live system cause of sysadmin... im just buildin a test setup, to install debug tool there... can you send me screenshots of a security role, that got minimum rights with possible outlook integration, maybe i can use it as base role.

Jan Schwarz - Friday, June 22, 2012 9:10:10 AM

I actually went as far as adding the user to the System Admin role. He has all rights. I still get the same error. This problem is happening to me on three different machines in my environment. I've set up all other machine no problem.

Brad - Thursday, July 26, 2012 4:13:36 PM

Great tips, thanks. Saved me loads of time!

MikeL - Tuesday, November 20, 2012 1:54:16 PM

Thank you for helping, Pablo

Tim - Wednesday, April 10, 2013 3:04:50 PM

Thank you Pablo for the detailed list of privileges!

Roman - Wednesday, September 4, 2013 8:02:21 PM

9 Comments