markmpn.securitydebugger's Issues

The message is not currently recognized (Dynamics 365 CE On Premises v9.1)

We are using Dynamics 365 CE On Premises v9.1 with the latest CU and tried to use this tool, but it fails to recognize the message.

Here is the message text:
{"CallerPrincipal":{"PrincipalId":"a7e83e3c-7d76-e911-80f5-005056b9fd8f","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"f2317880-4a89-e311-93f5-00155d01173f","Type":9,"IsUserPrincipal":false},"ObjectId":"40bc562a-3d9b-e311-93fa-00155d01156b","ObjectTypeCode":10161,"EntityName":"h21_project","ObjectBusinessUnitId":"9ee3a9cb-b88d-e211-9f16-00155d011622","RightsToCheck":"AppendToAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["PrincipalHasOwnerPrincipalWithAtLeastBasicPrivilegeDepth = False","EntityUserGroupRights = None","MinimumPrivilegeDepthRequired = Local","SecLib::AccessCheckEx2 failed. Owner Data: teamType=0, privilegeCount=65; Principal Data: roleCount=89, privilegeCount=190, accessMode=0"],"EntityOwnershipTypeMask":1,"CallerInfo":{"IsSystemUser":false,"IsSupportUser":false,"IsAdministrator":false,"IsCustomizer":false,"IsDisabled":false,"IsIntegrationUser":false,"Teams":null,"Roles":null},"ReadOnlyState":"UserAndOrgFullAccess","IsHsmEnabled":false,"HsmInfo":null} at Microsoft.Crm.Sandbox.SandboxCodeUnit.ProcessException(Exception originalException, IExecutionContext context, SandboxClient client, SandboxCallTracker callTracker, Boolean isSafeToRetry, DateTime performanceExecutionStartTime, SandboxTracker tracker, Guid parentExecutionId, CrmException& crmException, String& assemblyContents)

Tool unable to identify this error

Principal with id 6d8973eb-f44a-ee11-be6f-6045bd3d33e6 does not have CreateAccess right(s) for record with id 00000000-0000-0000-0000-000000000000 of entity userentityuisettings. Details: {"CallerPrincipal":{"PrincipalId":"6d8973eb-f44a-ee11-be6f-6045bd3d33e6","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"6d8973eb-f44a-ee11-be6f-6045bd3d33e6","Type":8,"IsUserPrincipal":true},"ObjectId":"00000000-0000-0000-0000-000000000000","ObjectTypeCode":2500,"EntityName":"userentityuisettings","ObjectBusinessUnitId":"6d105fbe-df6f-e811-a959-000d3ae13d8d","RightsToCheck":"CreateAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["BasicMinimumPrivilegeDepthRequired = None","EntityUserGroupRights = None","LocalMinimumPrivilegeDepthRequiredRights = CreateAccess","SecLib::AccessCheckEx2 failed. Owner Data: roleCount=1, privilegeCount=0, accessMode='0 Read-Write', AADObjectId='f152aaaa-cdc0-4154-b474-cb719d36afbb', MetadataCachePrivilegesCount=9994, businessUnitId=6d105fbe-df6f-e811-a959-000d3ae13d8d; Principal Data: roleCount=1, privilegeCount=0, accessMode='0 Read-Write', AADObjectId='f152aaaa-cdc0-4154-b474-cb719d36afbb', MetadataCachePrivilegesCount=9994, businessUnitId=6d105fbe-df6f-e811-a959-000d3ae13d8d"],"EntityOwnershipTypeMask":1,"CallerInfo":{"IsSystemUser":false,"IsSupportUser":false,"IsAdministrator":false,"IsCustomizer":false,"IsDisabled":false,"IsIntegrationUser":false,"Teams":null,"Roles":null},"ReadOnlyState":"UserAndOrgFullAccess","IsHsmEnabled":false,"HsmInfo":null,"AccessOrigin":null}

Message Not Recognized as Permissions Related

Just letting you know that I was attempting to use the tool and received the notification that my error message was not recognized.

Per the suggestion in the error message I am providing an attachment with the log file.

Thank you for your work on this tool; it is very beneficial.
ErrorDetails (2).txt

Privileges for userentityuisettings

Doesn't recognize the error below.

-2147187962:Principal with id does not have CreateAccess right(s) for record with id 00000000-0000-0000-0000-000000000000 of entity userentityuisettings. Details: {"CallerPrincipal":{"PrincipalId":"","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"","Type":8,"IsUserPrincipal":true},"ObjectId":"00000000-0000-0000-0000-000000000000","ObjectTypeCode":2500,"EntityName":"userentityuisettings","ObjectBusinessUnitId":"","RightsToCheck":"CreateAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["BasicMinimumPrivilegeDepthRequired = None","EntityUserGroupRights = None","LocalMinimumPrivilegeDepthRequiredRights = CreateAccess","SecLib::AccessCheckEx2 failed. Owner Data: roleCount=6, privilegeCount=236, accessMode=0; Principal Data: roleCount=6, privilegeCount=236,

Message not interpreted when the error occurs for a record creation

Hi @MarkMpn,

I have found that if a user gets a security error message because he tries to create a record with a different owner, the tool does not find the record (which is normal because it does not exist) and stops interpreting the error.

It would be nice if the tool were able to indicate the problem when creating a record with another owner.

Here is the error message:

Principal with id 9bc81194-9ebb-ea11-a812-000d3ab2a6be does not have CreateAccess right(s) for record with id 00000000-0000-0000-0000-000000000000 of entity incident. Details: {"CallerPrincipal":{"PrincipalId":"9bc81194-9ebb-ea11-a812-000d3ab2a6be","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"5d957f62-9ebb-ea11-a812-000d3ab2a6be","Type":8,"IsUserPrincipal":true},"ObjectId":"00000000-0000-0000-0000-000000000000","ObjectTypeCode":112,"EntityName":"incident","ObjectBusinessUnitId":"0e7fb2ad-df4d-ec11-8c62-000d3aba6882","RightsToCheck":"CreateAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["PrincipalHasOwnerPrincipalWithAtLeastBasicPrivilegeDepth = False","EntityUserGroupRights = None","MinimumPrivilegeDepthRequired = Local","SecLib::AccessCheckEx2 failed. Owner Data: roleCount=4, privilegeCount=1350, accessMode=0; Principal Data: roleCount=5, privilegeCount=1580, accessMode=0"],"EntityOwnershipTypeMask":1,"CallerInfo":{"IsSystemUser":false,"IsSupportUser":false,"IsAdministrator":false,"IsCustomizer":false,"IsDisabled":false,"IsIntegrationUser":false,"Teams":null,"Roles":null},"ReadOnlyState":"UserAndOrgFullAccess","IsHsmEnabled":false,"HsmInfo":null,"AccessOrigin":null}

Add support for field security related error messages

I.e.:

Exception Message: User with ID does not have Create permissions for the xxxx attribute in the account entity. Count secured attributes in entity 19. User has 60 secured attribute privileges. callerAp.CanCreate=0

ErrorCode: -2147158782
HexErrorCode: 0x8004f502

ErrorDetails:
ApiExceptionSourceKey: Plugin/Microsoft.Crm.Common.ObjectModel.AccountService
ApiStepKey: 6e3b8615-ecd8-db11-b397-0019b9204da9
ApiDepthKey: 1
ApiActivityIdKey: 1d215960-d05b-496e-a6fb-6f24363aa6f5
ApiPluginSolutionNameKey: System
ApiStepSolutionNameKey: System
ApiExceptionCategory: ClientError
ApiExceptionMessageName: AttributePrivilegeCreateIsMissing
ApiExceptionHttpStatusCode: 403

HelpLink: http://go.microsoft.com/fwlink/?LinkID=398563&error=Microsoft.Crm.CrmException%3a8004f502&client=platform

Activity Id: 58f120c0-8966-4706-a9d8-f5581f0311cb

This message did not work: prvShareOpportunity

Principal user (Id=3a2a0f00-62d6-ec11-a7b5-0022489345ca, type=8, roleCount=4, privilegeCount=7693, accessMode=4, applicationId: 7e966ef8-789f-48ce-a548-1263be75412a), is missing prvShareOpportunity privilege (Id=240edd9b-83e1-46b4-aa25-576ad3c75186) on OTC=3 for entity 'opportunity' (LocalizedName='Opportunity'). context.Caller=3a2a0f00-62d6-ec11-a7b5-0022489345ca. Or identityUser.SystemUserId=d2ebb27b-7d54-48cc-802d-6cb744960124, identityUser.Privileges.Count=8565, identityUser.Roles.Count=0 is missing prvShareOpportunity privilege (Id=240edd9b-83e1-46b4-aa25-576ad3c75186) on OTC=3 for entity 'opportunity' (LocalizedName='Opportunity').

Security Error Log Does Not Read

Hello, Mark!

First, this tool is amazingly helpful, thank you for developing it.

Below is a short grab of the error log I'm looking at. The Security DeBugger doesn't appear to be recognizing it:

Unhandled exception: 
Exception type: System.ServiceModel.FaultException`1[Microsoft.Xrm.Sdk.OrganizationServiceFault]
Message: Plugin execution failed, please contact your system administrator.Detail: 
<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
  <ActivityId>bcf5bc7d-a974-4043-b7eb-d6aa3a5d34c9</ActivityId>
  <ErrorCode>-2147220891</ErrorCode>
  <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic">
    <KeyValuePairOfstringanyType>
      <d2p1:key>ApiExceptionSourceKey</d2p1:key>
      <d2p1:value xmlns:d4p1="http://www.w3.org/2001/XMLSchema" i:type="d4p1:string">Plugin/Microsoft.Crm.ObjectModel.CustomBusinessEntityService</d2p1:value>
    </KeyValuePairOfstringanyType>
    <KeyValuePairOfstringanyType>
      <d2p1:key>ApiOriginalExceptionKey</d2p1:key>
      <d2p1:value xmlns:d4p1="http://www.w3.org/2001/XMLSchema" i:type="d4p1:string">Microsoft.Crm.CrmSecurityException: The user with id 1c1179d0-2ec6-e711-8116-0a1fd24c9324 has not been assigned any roles. They need a role with the prvReadelcn_personname privilege. ---&gt; Microsoft.Crm.CrmSecurityException: The user with id 1c1179d0-2ec6-e711-8116-0a1fd24c9324 has not been assigned any roles. They need a role with the prvReadelcn_personname privilege.
   at Microsoft.Crm.BusinessEntities.SecurityLibrary.ThrowUserNotAssignedRolesException(String methodName, Guid userId, Guid privilegeId, IExecutionContext context)
   at Microsoft.Crm.BusinessEntities.SecurityLibrary.RetrievePrivilegeForUser(IUser user, Guid privilege, IExecutionContext context)
   at Microsoft.Crm.BusinessEntities.SecurityLibrary.&lt;&gt;c__DisplayClass64_0.&lt;TryCheckPrivilegeImpl&gt;b__0()
   at Microsoft.PowerApps.CoreFramework.ActivityLoggerExtensions.Execute[TResult](ILogger logger, EventId eventId, ActivityType activityType, Func`1 func, IEnumerable`1 additionalCustomProperties)
   at Microsoft.Xrm.Telemetry.XrmTelemetryExtensions.Execute[TResult](ILogger logger, XrmTelemetryActivityType activityType, Func`1 func)
   at Microsoft.Crm.BusinessEntities.SecurityLibrary.TryCheckPrivilege(Guid user, Guid privilege, IExecutionContext context)

Any assistance is appreciated!

Best,
Jon

Field level security message

This seems to be related to FLS and wasn't recognized.

User with ID 64708701-9323-eb11-811c-005056956b45 does not have Update permissions for the donotphone attribute in the lead entity. The leadid of the record is 9e5ec118-24a8-e911-8114-005056954a40

Thanks for the tool! It works great for role-based errors and it really helps to show what the options are for correcting the issue.

Error message not recognized as permissions-related

This was the entire message and I could not get results with the tool:
SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 7265de4d-de50-e611-80e8-0050569b285c, OwnerId: 1133ffab-f4ba-dc11-9690-005056937dc2, OwnerIdType: 8 and CallingUser: f0c06139-f64b-ec11-813b-0050569b285c. ObjectTypeCode: 2020, objectBusinessUnitId: c68ee5a5-f4ba-dc11-9690-005056937dc2, AccessRights: AppendToAccess

Any other help available?
Thanks, Lyndi
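Pulling the reports above together, here is an added example (a Python sketch written for this page, not the Security Debugger's own code or parsing logic) that recognises each message shape these issues complain about and turns it into a structured finding: the `Principal with id ... does not have X right(s)` sentence with its `Details:` JSON, including the on-premises v9.1 report that arrives as bare JSON followed by a stack trace, the paste that is cut off mid-JSON, and the create-with-another-owner case where the record cannot be looked up because it does not exist yet; the field-level-security `does not have Update permissions for the ... attribute` form; the `is missing prvXxx privilege` form; the `has not been assigned any roles` form; and the older `SecLib::AccessCheckEx failed. Returned hr = ...` form, including GUIDs that come through a screenshot with stray spaces and `OwnerId` read as `Ownerld` with a lower-case L. The sample messages are the page's own, shortened to the parts the patterns key on; the `Finding` fields, the hint wording and the error-code table are this example's choices, and the `PrivilegeDenied` and `IsvAborted` entries are well-known platform codes that the page itself does not state.

```python
import json
import re
from dataclasses import dataclass

EMPTY_GUID = "00000000-0000-0000-0000-000000000000"
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
KNOWN_CODES = {0x80048306: "PrivilegeDenied", 0x8004F502: "AttributePrivilegeCreateIsMissing", 0x80040265: "IsvAborted"}  # 0x8004f502 is quoted on the page

RE_ACCESS = re.compile(r"Principal with id (?:(?P<caller>" + GUID + r") )?does not have (?P<right>\w+) right\(s\) for "
                       r"record with id (?P<record>" + GUID + r") of entity (?P<entity>\w+)\.(?: Details: (?P<rest>.*))?", re.S)
RE_FLS = re.compile(r"User with ID (?:(?P<caller>" + GUID + r") )?does not have (?P<op>Create|Read|Update) permissions "
                    r"for the (?P<attr>\w+) attribute in the (?P<entity>\w+) entity")
RE_PRIV = re.compile(r"(?:Principal user \(Id=(?P<caller>" + GUID + r"),.*?)?is missing (?P<priv>prv\w+) privilege "
                     r"\(Id=" + GUID + r"\) on OTC=\d+ for entity '(?P<entity>\w+)'", re.S)
RE_NO_ROLES = re.compile(r"user with id (?P<caller>" + GUID + r") has not been assigned any roles\. "
                         r"They need a role with the (?P<priv>prv\w+) privilege")
RE_LEGACY = re.compile(r"SecLib::AccessCheckEx failed\. Returned hr = (?P<hr>-?\d+), ObjectID: (?P<record>" + GUID + r"), "
                       r"Owner[Il]d: (?P<owner>" + GUID + r"), Owner[Il]dType: \d+ and CallingUser: (?P<caller>" + GUID + r")\. "
                       r"ObjectTypeCode: \d+, objectBusinessUnit[Il]d: " + GUID + r", AccessRights: (?P<right>\w+)")  # [Il]: accept "Ownerld"

@dataclass
class Finding:
    kind: str                # access_denied | field_level | missing_privilege | no_roles | legacy_seclib | unrecognized
    entity: str = ""
    right: str = ""          # access right, prv* privilege, or field-level operation
    caller: str = ""
    owner: str = ""
    record: str = ""
    attribute: str = ""
    depth: str = ""          # privilege depth the platform said it needed
    truncated: bool = False  # Details JSON absent or cut short, so owner and depth are unknown
    hint: str = ""

def code_name(signed: int) -> str:
    return KNOWN_CODES.get(signed & 0xFFFFFFFF, "unknown")   # platform prints codes as signed 32-bit ints

def extract_json(text: str):
    """(dict or None, cut_short) for the first balanced {...}; string-aware, so trailing stack-trace text is ignored."""
    start, depth, in_str, esc = text.find("{"), 0, False, False
    for i, c in (enumerate(text[start:], start) if start >= 0 else ()):
        if in_str:
            esc, in_str = (not esc and c == "\\"), (esc or c != '"')
        elif c == '"':
            in_str = True
        else:
            depth += (c == "{") - (c == "}")
            if depth == 0:
                return json.loads(text[start:i + 1]), False
    return None, True        # no JSON at all, or the pasted message ran out before the closing brace

def classify(message: str) -> Finding:
    # GUIDs copied from a screenshot carry stray spaces around hyphens ("7265de4d- de50-e611 -80e8"); close them up first.
    message = re.sub(r"(?<=[0-9a-fA-F]{4})\s*-\s*(?=[0-9a-fA-F]{4})", "-", message)
    if m := RE_NO_ROLES.search(message):
        return Finding("no_roles", right=m["priv"], caller=m["caller"], hint=f"user holds no security role; assign one granting {m['priv']}")
    if m := RE_FLS.search(message):
        return Finding("field_level", m["entity"], m["op"], m["caller"] or "", attribute=m["attr"],
                       hint=f"column {m['attr']} is secured: grant {m['op']} through a field security profile, not a role")
    if m := RE_PRIV.search(message):
        return Finding("missing_privilege", m["entity"], m["priv"], m["caller"] or "",
                       hint=f"no role of the caller grants {m['priv']} on {m['entity']}")
    if m := RE_LEGACY.search(message):
        return Finding("legacy_seclib", right=m["right"], caller=m["caller"], owner=m["owner"], record=m["record"],
                       hint=f"{code_name(int(m['hr']))}: {m['right']} denied on a record owned by someone else; raise the privilege depth")
    m = RE_ACCESS.search(message)
    if not m and '"RightsToCheck"' not in message:      # the on-premises v9.1 report pastes the JSON with no prefix sentence
        return Finding("unrecognized", hint="not a security message this parser knows")
    f = Finding("access_denied")
    if m:
        f.entity, f.right, f.caller, f.record = m["entity"], m["right"], m["caller"] or "", m["record"]
    details, f.truncated = extract_json(m["rest"] if m and m["rest"] else message)
    for line in (details or {}).get("Messages") or []:
        # depth comes as "MinimumPrivilegeDepthRequired = Local" or folded into the key as "LocalMinimumPrivilegeDepthRequiredRights = CreateAccess"
        if (d := re.match(r"(\w*?)MinimumPrivilegeDepthRequired(?:Rights)? = (\w+)", line)) and (not d[1] or d[2] != "None"):
            f.depth = f.depth or d[1] or d[2]
    if details:
        f.entity, f.right = f.entity or details.get("EntityName", ""), f.right or details.get("RightsToCheck", "")
        f.caller = f.caller or details.get("CallerPrincipal", {}).get("PrincipalId", "")
        f.owner, f.record = details.get("OwnerPrincipal", {}).get("PrincipalId", ""), f.record or details.get("ObjectId", "")
    creating = f.right == "CreateAccess" and f.record == EMPTY_GUID
    if creating and f.owner and f.owner != f.caller:    # the record does not exist yet, so explain from Details instead of looking it up
        f.hint = (f"creating {f.entity} owned by {f.owner}, not the caller: the caller's Create depth on {f.entity} "
                  f"must reach the owner's business unit (platform asked for {f.depth or '?'})")
    elif creating:
        f.hint = f"caller lacks Create on {f.entity} at depth {f.depth or '?'}"
    else:
        f.hint = f"caller lacks {f.right} on {f.entity} {f.record} (owner {f.owner or '?'}, depth {f.depth or '?'})"
    return f

# Constructed samples: the page's own messages, shortened to the parts the patterns key on.
_C, _O = "9bc81194-9ebb-ea11-a812-000d3ab2a6be", "5d957f62-9ebb-ea11-a812-000d3ab2a6be"
SAMPLES = {
    "create_other_owner": f"Principal with id {_C} does not have CreateAccess right(s) for record with id {EMPTY_GUID} of entity "
        "incident. Details: " + json.dumps({"CallerPrincipal": {"PrincipalId": _C}, "OwnerPrincipal": {"PrincipalId": _O},
        "ObjectId": EMPTY_GUID, "EntityName": "incident", "RightsToCheck": "CreateAccess", "Messages": [
        "PrincipalHasOwnerPrincipalWithAtLeastBasicPrivilegeDepth = False", "MinimumPrivilegeDepthRequired = Local"]})
        + " at Microsoft.Crm.Sandbox.SandboxCodeUnit.ProcessException(...)",
    "truncated": f"-2147187962:Principal with id does not have CreateAccess right(s) for record with id {EMPTY_GUID} of entity "
        'userentityuisettings. Details: {"CallerPrincipal":{"PrincipalId":""},"Messages":["SecLib::AccessCheckEx2 failed. Owner Data: roleCount=6,',
    "fls": "User with ID 64708701-9323-eb11-811c-005056956b45 does not have Update permissions for the donotphone attribute in the lead entity.",
    "priv": "Principal user (Id=3a2a0f00-62d6-ec11-a7b5-0022489345ca, type=8, roleCount=4), is missing prvShareOpportunity privilege "
            "(Id=240edd9b-83e1-46b4-aa25-576ad3c75186) on OTC=3 for entity 'opportunity' (LocalizedName='Opportunity').",
    "no_roles": "Microsoft.Crm.CrmSecurityException: The user with id 1c1179d0-2ec6-e711-8116-0a1fd24c9324 has not been assigned "
                "any roles. They need a role with the prvReadelcn_personname privilege.",
    "legacy": "SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 7265de4d- de50-e611 -80e8-0050569b285c, Ownerld: "
              "1133ffab-f4ba-dc11-9690- 005056937dc2, OwnerldType: 8 and CallingUser: f0c06139-f64b-ec11-813b- 0050569b285c. "
              "ObjectTypeCode: 2020, objectBusinessUnitld: c68ee5a5-f4ba- dc11-9690-005056937dc2, AccessRights: AppendToAccess",
}
```

`classify(SAMPLES["create_other_owner"]).hint` gives the owner-mismatch explanation without ever fetching the record; `truncated` is set whenever the Details JSON is missing or cut short, which is the honest thing to surface rather than guessing an owner. Note that the platform reports the required depth in two shapes, `MinimumPrivilegeDepthRequired = Local` and `LocalMinimumPrivilegeDepthRequiredRights = CreateAccess`, both of which appear in the reports above, and that the signed error code `-2147187962` in two of them is `0x80048306` once masked to 32 bits.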
