markmpn.securitydebugger's Issues
The message is not currently recognized (Dynamics 365 CE On Premises v9.1)
We are using Dynamics 365 CE On Premises v9.1 in latest CU and tried to use this tool but it is failing to recognize the message.
Here is the message text
{"CallerPrincipal":{"PrincipalId":"a7e83e3c-7d76-e911-80f5-005056b9fd8f","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"f2317880-4a89-e311-93f5-00155d01173f","Type":9,"IsUserPrincipal":false},"ObjectId":"40bc562a-3d9b-e311-93fa-00155d01156b","ObjectTypeCode":10161,"EntityName":"h21_project","ObjectBusinessUnitId":"9ee3a9cb-b88d-e211-9f16-00155d011622","RightsToCheck":"AppendToAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["PrincipalHasOwnerPrincipalWithAtLeastBasicPrivilegeDepth = False","EntityUserGroupRights = None","MinimumPrivilegeDepthRequired = Local","SecLib::AccessCheckEx2 failed. Owner Data: teamType=0, privilegeCount=65; Principal Data: roleCount=89, privilegeCount=190, accessMode=0"],"EntityOwnershipTypeMask":1,"CallerInfo":{"IsSystemUser":false,"IsSupportUser":false,"IsAdministrator":false,"IsCustomizer":false,"IsDisabled":false,"IsIntegrationUser":false,"Teams":null,"Roles":null},"ReadOnlyState":"UserAndOrgFullAccess","IsHsmEnabled":false,"HsmInfo":null} at Microsoft.Crm.Sandbox.SandboxCodeUnit.ProcessException(Exception originalException, IExecutionContext context, SandboxClient client, SandboxCallTracker callTracker, Boolean isSafeToRetry, DateTime performanceExecutionStartTime, SandboxTracker tracker, Guid parentExecutionId, CrmException& crmException, String& assemblyContents)
Tool unable to identify for this error
Principal with id 6d8973eb-f44a-ee11-be6f-6045bd3d33e6 does not have CreateAccess right(s) for record with id 00000000-0000-0000-0000-000000000000 of entity userentityuisettings. Details: {"CallerPrincipal":{"PrincipalId":"6d8973eb-f44a-ee11-be6f-6045bd3d33e6","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"6d8973eb-f44a-ee11-be6f-6045bd3d33e6","Type":8,"IsUserPrincipal":true},"ObjectId":"00000000-0000-0000-0000-000000000000","ObjectTypeCode":2500,"EntityName":"userentityuisettings","ObjectBusinessUnitId":"6d105fbe-df6f-e811-a959-000d3ae13d8d","RightsToCheck":"CreateAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["BasicMinimumPrivilegeDepthRequired = None","EntityUserGroupRights = None","LocalMinimumPrivilegeDepthRequiredRights = CreateAccess","SecLib::AccessCheckEx2 failed. Owner Data: roleCount=1, privilegeCount=0, accessMode='0 Read-Write', AADObjectId='f152aaaa-cdc0-4154-b474-cb719d36afbb', MetadataCachePrivilegesCount=9994, businessUnitId=6d105fbe-df6f-e811-a959-000d3ae13d8d; Principal Data: roleCount=1, privilegeCount=0, accessMode='0 Read-Write', AADObjectId='f152aaaa-cdc0-4154-b474-cb719d36afbb', MetadataCachePrivilegesCount=9994, businessUnitId=6d105fbe-df6f-e811-a959-000d3ae13d8d"],"EntityOwnershipTypeMask":1,"CallerInfo":{"IsSystemUser":false,"IsSupportUser":false,"IsAdministrator":false,"IsCustomizer":false,"IsDisabled":false,"IsIntegrationUser":false,"Teams":null,"Roles":null},"ReadOnlyState":"UserAndOrgFullAccess","IsHsmEnabled":false,"HsmInfo":null,"AccessOrigin":null}
Failed parsing permission error for Calendar entity
Attached ErrorDetails.txt
- Deployment: Online
- DB Version: 9.2.24013.164
- Connection Controls Version: 1.2023.6.56
- XrmToolBox Version: 1.2023.12.68
- Tool Version: 1.1.0.0
Message Not Recognized as Permissions Related
Just letting you know that I was attempting to use the tool and received the notification that my error message was not recognized.
Per the suggestion in the error message I am providing an attachment with the log file.
Thank you for your work on this tool; it is very beneficial.
ErrorDetails (2).txt
Privileges for userentityuisettings
Doesn't recognize below error.
-2147187962:Principal with id does not have CreateAccess right(s) for record with id 00000000-0000-0000-0000-000000000000 of entity userentityuisettings. Details: {"CallerPrincipal":{"PrincipalId":"","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"","Type":8,"IsUserPrincipal":true},"ObjectId":"00000000-0000-0000-0000-000000000000","ObjectTypeCode":2500,"EntityName":"userentityuisettings","ObjectBusinessUnitId":"","RightsToCheck":"CreateAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["BasicMinimumPrivilegeDepthRequired = None","EntityUserGroupRights = None","LocalMinimumPrivilegeDepthRequiredRights = CreateAccess","SecLib::AccessCheckEx2 failed. Owner Data: roleCount=6, privilegeCount=236, accessMode=0; Principal Data: roleCount=6, privilegeCount=236,
Message not interpreted when the error occurs for a record creation
Hi @MarkMpn,
I have found that if a user gets a security error message because he tries to create a record with a different owner, the tool does not find the record (which is normal because it does not exist) and stops interpreting the error.
It could be nice if the tool was able to indicate the problem when creating a record with another owner.
Here is the error message:
Principal with id 9bc81194-9ebb-ea11-a812-000d3ab2a6be does not have CreateAccess right(s) for record with id 00000000-0000-0000-0000-000000000000 of entity incident. Details: {"CallerPrincipal":{"PrincipalId":"9bc81194-9ebb-ea11-a812-000d3ab2a6be","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"5d957f62-9ebb-ea11-a812-000d3ab2a6be","Type":8,"IsUserPrincipal":true},"ObjectId":"00000000-0000-0000-0000-000000000000","ObjectTypeCode":112,"EntityName":"incident","ObjectBusinessUnitId":"0e7fb2ad-df4d-ec11-8c62-000d3aba6882","RightsToCheck":"CreateAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["PrincipalHasOwnerPrincipalWithAtLeastBasicPrivilegeDepth = False","EntityUserGroupRights = None","MinimumPrivilegeDepthRequired = Local","SecLib::AccessCheckEx2 failed. Owner Data: roleCount=4, privilegeCount=1350, accessMode=0; Principal Data: roleCount=5, privilegeCount=1580, accessMode=0"],"EntityOwnershipTypeMask":1,"CallerInfo":{"IsSystemUser":false,"IsSupportUser":false,"IsAdministrator":false,"IsCustomizer":false,"IsDisabled":false,"IsIntegrationUser":false,"Teams":null,"Roles":null},"ReadOnlyState":"UserAndOrgFullAccess","IsHsmEnabled":false,"HsmInfo":null,"AccessOrigin":null}
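For the create-with-another-owner report above, an added example (not part of the issue or of the tool's own code) that pulls the Details JSON out of such a message and flags the case the reporter describes: ObjectId is the empty GUID and CallerPrincipal differs from OwnerPrincipal. The sample message and its GUIDs are constructed, and the function names are hypothetical.

```python
import json

EMPTY_GUID = "00000000-0000-0000-0000-000000000000"
PRINCIPAL_TYPES = {8: "user", 9: "team"}  # Dataverse object type codes
REQUIRED = {"CallerPrincipal", "OwnerPrincipal", "RightsToCheck"}

# Constructed sample shaped like the messages quoted in these issues.
SAMPLE = (
    "Principal with id 11111111-1111-1111-1111-111111111111 does not have "
    "CreateAccess right(s) for record with id " + EMPTY_GUID + " of entity "
    'incident. Details: {"CallerPrincipal":{"PrincipalId":'
    '"11111111-1111-1111-1111-111111111111","Type":8,"IsUserPrincipal":true},'
    '"OwnerPrincipal":{"PrincipalId":"22222222-2222-2222-2222-222222222222",'
    '"Type":8,"IsUserPrincipal":true},"ObjectId":"' + EMPTY_GUID + '",'
    '"EntityName":"incident","RightsToCheck":"CreateAccess",'
    '"GrantedAccessRights":"None"} at Constructed.Stack.Frame()'
)


def extract_details(message):
    """Return the access-check JSON embedded in an error message, or None."""
    start = message.find("{")
    if start < 0:
        return None
    try:
        # raw_decode stops after the first JSON value, so a stack trace
        # appended after the closing brace does not break parsing.
        details, _ = json.JSONDecoder().raw_decode(message[start:])
    except json.JSONDecodeError:
        return None  # truncated or mangled paste
    if not isinstance(details, dict) or not REQUIRED <= details.keys():
        return None
    return details


def summarize(message):
    """Describe who was denied what, and flag create-for-another-owner."""
    details = extract_details(message)
    if details is None:
        return None
    caller = details["CallerPrincipal"]["PrincipalId"].lower()
    owner = details["OwnerPrincipal"]["PrincipalId"].lower()
    is_create = details.get("ObjectId") == EMPTY_GUID
    return {
        "entity": details.get("EntityName"),
        "right": details["RightsToCheck"],
        "owner_type": PRINCIPAL_TYPES.get(details["OwnerPrincipal"].get("Type"), "unknown"),
        "record_exists": not is_create,
        "create_for_other_owner": is_create and caller != owner,
    }
```

A message cut off before the closing brace returns None from `summarize`, so a caller can tell an unparseable paste apart from a parsed denial.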
Add support for field security related error messages
Ie:
Exception Message: User with ID does not have Create permissions for the xxxx attribute in the account entity. Count secured attributes in entity 19. User has 60 secured attribute privileges. callerAp.CanCreate=0
ErrorCode: -2147158782
HexErrorCode: 0x8004f502
ErrorDetails:
ApiExceptionSourceKey: Plugin/Microsoft.Crm.Common.ObjectModel.AccountService
ApiStepKey: 6e3b8615-ecd8-db11-b397-0019b9204da9
ApiDepthKey: 1
ApiActivityIdKey: 1d215960-d05b-496e-a6fb-6f24363aa6f5
ApiPluginSolutionNameKey: System
ApiStepSolutionNameKey: System
ApiExceptionCategory: ClientError
ApiExceptionMessageName: AttributePrivilegeCreateIsMissing
ApiExceptionHttpStatusCode: 403
Activity Id: 58f120c0-8966-4706-a9d8-f5581f0311cb
This message did not work: prvShareOpportunity
Principal user (Id=3a2a0f00-62d6-ec11-a7b5-0022489345ca, type=8, roleCount=4, privilegeCount=7693, accessMode=4, applicationId: 7e966ef8-789f-48ce-a548-1263be75412a), is missing prvShareOpportunity privilege (Id=240edd9b-83e1-46b4-aa25-576ad3c75186) on OTC=3 for entity 'opportunity' (LocalizedName='Opportunity'). context.Caller=3a2a0f00-62d6-ec11-a7b5-0022489345ca. Or identityUser.SystemUserId=d2ebb27b-7d54-48cc-802d-6cb744960124, identityUser.Privileges.Count=8565, identityUser.Roles.Count=0 is missing prvShareOpportunity privilege (Id=240edd9b-83e1-46b4-aa25-576ad3c75186) on OTC=3 for entity 'opportunity' (LocalizedName='Opportunity').
Security Error Log Does Not Read
Hello, Mark!
First, this tool is amazingly helpful, thank you for developing it.
Below is a short grab of the error log I'm looking at. The Security DeBugger doesn't appear to be recognizing it:
Unhandled exception:
Exception type: System.ServiceModel.FaultException`1[Microsoft.Xrm.Sdk.OrganizationServiceFault]
Message: Plugin execution failed, please contact your system administrator.Detail:
<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
<ActivityId>bcf5bc7d-a974-4043-b7eb-d6aa3a5d34c9</ActivityId>
<ErrorCode>-2147220891</ErrorCode>
<ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic">
<KeyValuePairOfstringanyType>
<d2p1:key>ApiExceptionSourceKey</d2p1:key>
<d2p1:value xmlns:d4p1="http://www.w3.org/2001/XMLSchema" i:type="d4p1:string">Plugin/Microsoft.Crm.ObjectModel.CustomBusinessEntityService</d2p1:value>
</KeyValuePairOfstringanyType>
<KeyValuePairOfstringanyType>
<d2p1:key>ApiOriginalExceptionKey</d2p1:key>
<d2p1:value xmlns:d4p1="http://www.w3.org/2001/XMLSchema" i:type="d4p1:string">Microsoft.Crm.CrmSecurityException: The user with id 1c1179d0-2ec6-e711-8116-0a1fd24c9324 has not been assigned any roles. They need a role with the prvReadelcn_personname privilege. ---> Microsoft.Crm.CrmSecurityException: The user with id 1c1179d0-2ec6-e711-8116-0a1fd24c9324 has not been assigned any roles. They need a role with the prvReadelcn_personname privilege.
at Microsoft.Crm.BusinessEntities.SecurityLibrary.ThrowUserNotAssignedRolesException(String methodName, Guid userId, Guid privilegeId, IExecutionContext context)
at Microsoft.Crm.BusinessEntities.SecurityLibrary.RetrievePrivilegeForUser(IUser user, Guid privilege, IExecutionContext context)
at Microsoft.Crm.BusinessEntities.SecurityLibrary.<>c__DisplayClass64_0.<TryCheckPrivilegeImpl>b__0()
at Microsoft.PowerApps.CoreFramework.ActivityLoggerExtensions.Execute[TResult](ILogger logger, EventId eventId, ActivityType activityType, Func`1 func, IEnumerable`1 additionalCustomProperties)
at Microsoft.Xrm.Telemetry.XrmTelemetryExtensions.Execute[TResult](ILogger logger, XrmTelemetryActivityType activityType, Func`1 func)
at Microsoft.Crm.BusinessEntities.SecurityLibrary.TryCheckPrivilege(Guid user, Guid privilege, IExecutionContext context)
Any assistance is appreciated!
Best,
Jon
Field level security message
This seems to be related to FLS and wasn't recognized.
User with ID 64708701-9323-eb11-811c-005056956b45 does not have Update permissions for the donotphone attribute in the lead entity. The leadid of the record is 9e5ec118-24a8-e911-8114-005056954a40
Thanks for the tool! It works great for role based and it really helps to show what the options are for correcting the issue.
Error message not recognized as permissions-related
This was the entire message and I could not get results with the tool:
SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 7265de4d- de50-e611 -80e8-0050569b285c, Ownerld: 1133ffab-f4ba-dc11-9690- 005056937dc2, OwnerldType: 8 and CallingUser: f0c06139-f64b-ec11-813b- 0050569b285c. ObjectTypeCode: 2020, objectBusinessUnitld: c68ee5a5-f4ba- dc11-9690-005056937dc2, AccessRights: AppendToAccess
Any other help available?
Thanks, Lyndi
Error message when qualifying a lead
Hi,
This message appears when qualifying a lead. We tried everything to find out what's missing somewhere in security roles, but we cannot solve it, unfortunately.