Cry about...
Dynamics CRM 365 Troubleshooting


Insufficient Permissions


Symptom:

Microsoft Dynamics displays a rather unhelpful page stating simply:

Insufficient Permissions

You do not have permissions to access these records. Contact your Microsoft Dynamics 365 administrator.

Try Again Close

Cause:

The error (whilst unhelpful) does mean what it says. The user requires a permission but does not have it.

What is unhelpful is that the error gives no indication of which permission is required.

This error is typically seen when creating a new custom security role, and assigning insufficient permissions to it.

Possible Remedies:

  • If this error is encountered whilst creating a new security role, then consider recreating the security role by copying one of the existing roles and then customising it.

    This approach may sidestep the problem because the out-of-the-box roles already have permissions assigned that will allow viewing of out-of-the-box entities.

  • Grant the System Admin role - No, don't!!

    If you are unconvinced that this error is caused by a role conveying insufficient rights, then you can demonstrate that it is role related by temporarily granting the system admin role to the user account. The user should then be able to view anything. However, granting the system admin role is undesirable (unless by chance the user is a system administrator), so once you have convinced yourself that it is indeed role related be sure to remove the system admin role from the user account.

  • Track down which permissions are missing. Once you have identified the missing permissions you can add them.

    This is easier said than done.

    Fortunately I have yet to face this problem using Dynamics 365 OnLine. On Premise it is easier, because you have access to the server.

    So, for on premise:

    1. Enable tracing using PowerShell on the server:

      PS C:\> Add-PSSnapin Microsoft.Crm.PowerShell

      PS C:\> $settings = Get-CrmSetting TraceSettings

      PS C:\> $settings.Enabled=$True

      PS C:\> $settings.Categories="*:Error"

      PS C:\> Set-CrmSetting $settings

    2. Ask the user to refresh the page giving the error.
    3. There should be log files on the server in the folder C:\CrmDrop\Logs.

      The log file of interest will be:

      ServerName-w3wp(0000#XXXXXXXX)-CRMWeb-YYYYMMDD-1.log

      where "ServerName" is the name of the Dynamics server, "0000" is a series of numbers, "XXXXXXXX" a series of letters and "YYYYMMDD" represents today's date.

      On my server there were two files that

    4. Jump to the end of the file and search back (up towards the front) for a line that starts with:

      >Crm Exception: Message: Principal User ( ...

      The line will indicate a permission that is missing. Scroll up and check that the timestamp corresponds with when the user refreshed the page and last got the error.

    5. Grant the missing privilege - by editing an existing role or by creating a new role, as appropriate.

      In my scenario, the error line was:

      >Crm Exception: Message: Principal user (Id=c386fb6f-a686-e911-9675-00155d6b8e03, type=8) is missing prvReadWebResource privilege (Id=4156db68-93e2-4a83-8cbb-5bb344ebaf47), ErrorCode: -2147220960, InnerException: Microsoft.Crm.CrmSecurityException: Principal user (Id=c386fb6f-a686-e911-9675-00155d6b8e03, type=8) is missing prvReadWebResource privilege (Id=4156db68-93e2-4a83-8cbb-5bb344ebaf47)

      The key part of this is "missing prvReadWebResource privilege", which I have highlighted in bold above. The privilege that is missing in your case will almost certainly be different.

      The privilege is always named according to the convention:

      prv Access-Type Resource-Name

      So missing prvReadWebResource means that the user is missing "Read" on "WebResource".

    6. Once you have granted the missing privilege, ask the user to refresh and see if the error has gone away.

      If the error remains then there will be another privilege that needs to be granted. Tracing should still be enabled (unless you have disabled it) so you need to re-open the logs and identify the next privilege that is missing. Repeat until the user no longer gets the error.

    7. Disable tracing.

      PS C:\> Add-PSSnapin Microsoft.Crm.PowerShell

      PS C:\> $settings = Get-CrmSetting TraceSettings

      PS C:\> $settings.Enabled=$False

      PS C:\> Set-CrmSetting $settings

FYI, the absolute minimum set of permissions I have found necessary to show the home page are (YMMV):

  • prvReadSystemForm (on "Customisation" tab of the role editor)
  • prvReadUser (on "Business Management" tab of the role editor)
  • prvReadWebResource (on "Customisation" tab of the role editor)

Although, you may need additional permissions to see anything on the home page.

Gotchas

  • You may have trouble finding prvReadQuery. This is because instead of "Query" it is shown as "View" on the "Customization" tab of the role editor.

  • Likewise for prvReadWorkflow: instead of "Workflow" it is shown as "Process" on the "Customization" tab of the role editor.
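
An added example (not part of the original notes) that automates step 4 of the on-premise procedure: it pulls each distinct missing privilege out of the trace lines, splits the name by the prv Access-Type Resource-Name convention, and applies the two role editor renames listed under Gotchas. The function name Get-MissingCrmPrivilege is hypothetical, and the list of access types and the log file wildcard are assumptions based on the text above.

```powershell
# Added example, not from the original article.
function Get-MissingCrmPrivilege {
    param([Parameter(ValueFromPipeline = $true)] [string]$Line)
    begin {
        # Shape of the trace line quoted in step 5 (-match is case-insensitive)
        $pattern = 'Crm Exception: Message: Principal user \(Id=(?<User>[0-9a-f-]{36}), type=\d+\) ' +
                   'is missing (?<Priv>prv\w+) privilege \(Id=(?<PrivId>[0-9a-f-]{36})\)'
        # Role editor labels that differ from the privilege name (see Gotchas)
        $uiName = @{ Query = 'View'; Workflow = 'Process' }
        $seen = @{}
    }
    process {
        if ($Line -notmatch $pattern) { return }
        $user = $Matches.User; $priv = $Matches.Priv; $privId = $Matches.PrivId
        $key = "$user|$priv"
        if ($seen.ContainsKey($key)) { return }   # report each user/privilege pair once
        $seen[$key] = $true
        $access = $null; $resource = $null
        # Assumed access types; -cmatch keeps "Append" and "AppendTo" apart
        if ($priv -cmatch '^prv(AppendTo|Append|Create|Read|Write|Delete|Assign|Share)([A-Z]\w*)$') {
            $access = $Matches[1]; $resource = $Matches[2]
        }
        [pscustomobject]@{
            UserId      = $user
            Privilege   = $priv
            PrivilegeId = $privId
            Access      = $access
            Resource    = $resource
            RoleEditor  = if ($resource -and $uiName.ContainsKey($resource)) { $uiName[$resource] } else { $resource }
        }
    }
}

# Sample input: the start of the line quoted in step 5 of this page
$sample = '>Crm Exception: Message: Principal user (Id=c386fb6f-a686-e911-9675-00155d6b8e03, type=8) ' +
          'is missing prvReadWebResource privilege (Id=4156db68-93e2-4a83-8cbb-5bb344ebaf47), ErrorCode: -2147220960'
$sample | Get-MissingCrmPrivilege | Format-List

# On the Dynamics server: scan today's CRMWeb trace files, if the folder exists
$logDir = 'C:\CrmDrop\Logs'
if (Test-Path $logDir) {
    $today = Get-Date -Format yyyyMMdd
    Get-ChildItem $logDir -Filter "*-CRMWeb-$today-*.log" |
        Get-Content | Get-MissingCrmPrivilege | Format-Table -AutoSize
}
```

The output lists every privilege logged as missing, not only the one behind the latest error, so still check the timestamp in the log as described in step 4 before granting anything.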


These notes have been tested with Microsoft Dynamics CRM 365 (on premise), and may apply to other versions as well.



About the author: is a dedicated software developer and webmaster. For his day job he develops websites and desktop applications as well as providing IT services. He moonlights as a technical author and consultant.