markmpn / markmpn.securitydebugger Goto Github PK

We are using Dynamics 365 CE On Premises v9.1 in latest CU and tried to use this tool but it is failing to recognize the message.

Here is the message text
{"CallerPrincipal":{"PrincipalId":"a7e83e3c-7d76-e911-80f5-005056b9fd8f","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"f2317880-4a89-e311-93f5-00155d01173f","Type":9,"IsUserPrincipal":false},"ObjectId":"40bc562a-3d9b-e311-93fa-00155d01156b","ObjectTypeCode":10161,"EntityName":"h21_project","ObjectBusinessUnitId":"9ee3a9cb-b88d-e211-9f16-00155d011622","RightsToCheck":"AppendToAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["PrincipalHasOwnerPrincipalWithAtLeastBasicPrivilegeDepth = False","EntityUserGroupRights = None","MinimumPrivilegeDepthRequired = Local","SecLib::AccessCheckEx2 failed. Owner Data: teamType=0, privilegeCount=65; Principal Data: roleCount=89, privilegeCount=190, accessMode=0"],"EntityOwnershipTypeMask":1,"CallerInfo":{"IsSystemUser":false,"IsSupportUser":false,"IsAdministrator":false,"IsCustomizer":false,"IsDisabled":false,"IsIntegrationUser":false,"Teams":null,"Roles":null},"ReadOnlyState":"UserAndOrgFullAccess","IsHsmEnabled":false,"HsmInfo":null} at Microsoft.Crm.Sandbox.SandboxCodeUnit.ProcessException(Exception originalException, IExecutionContext context, SandboxClient client, SandboxCallTracker callTracker, Boolean isSafeToRetry, DateTime performanceExecutionStartTime, SandboxTracker tracker, Guid parentExecutionId, CrmException& crmException, String& assemblyContents)

Principal with id 6d8973eb-f44a-ee11-be6f-6045bd3d33e6 does not have CreateAccess right(s) for record with id 00000000-0000-0000-0000-000000000000 of entity userentityuisettings. Details: {"CallerPrincipal":{"PrincipalId":"6d8973eb-f44a-ee11-be6f-6045bd3d33e6","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"6d8973eb-f44a-ee11-be6f-6045bd3d33e6","Type":8,"IsUserPrincipal":true},"ObjectId":"00000000-0000-0000-0000-000000000000","ObjectTypeCode":2500,"EntityName":"userentityuisettings","ObjectBusinessUnitId":"6d105fbe-df6f-e811-a959-000d3ae13d8d","RightsToCheck":"CreateAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["BasicMinimumPrivilegeDepthRequired = None","EntityUserGroupRights = None","LocalMinimumPrivilegeDepthRequiredRights = CreateAccess","SecLib::AccessCheckEx2 failed. Owner Data: roleCount=1, privilegeCount=0, accessMode='0 Read-Write', AADObjectId='f152aaaa-cdc0-4154-b474-cb719d36afbb', MetadataCachePrivilegesCount=9994, businessUnitId=6d105fbe-df6f-e811-a959-000d3ae13d8d; Principal Data: roleCount=1, privilegeCount=0, accessMode='0 Read-Write', AADObjectId='f152aaaa-cdc0-4154-b474-cb719d36afbb', MetadataCachePrivilegesCount=9994, businessUnitId=6d105fbe-df6f-e811-a959-000d3ae13d8d"],"EntityOwnershipTypeMask":1,"CallerInfo":{"IsSystemUser":false,"IsSupportUser":false,"IsAdministrator":false,"IsCustomizer":false,"IsDisabled":false,"IsIntegrationUser":false,"Teams":null,"Roles":null},"ReadOnlyState":"UserAndOrgFullAccess","IsHsmEnabled":false,"HsmInfo":null,"AccessOrigin":null}

Attached ErrorDetails.txt

• Deployment: Online
• DB Version: 9.2.24013.164
• Connection Controls Version: 1.2023.6.56
• XrmToolBox Version: 1.2023.12.68
• Tool Version: 1.1.0.0

Just letting you know that I was attempting to use the tool and received the notification that my error message was not recognized.

Per the suggestion in the error message I am providing an attachment with the log file.

Thank you for your work on this tool it is very beneficial.
ErrorDetails (2).txt

Doesn't recognize below error.

-2147187962:Principal with id does not have CreateAccess right(s) for record with id 00000000-0000-0000-0000-000000000000 of entity userentityuisettings. Details: {"CallerPrincipal":{"PrincipalId":"","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"","Type":8,"IsUserPrincipal":true},"ObjectId":"00000000-0000-0000-0000-000000000000","ObjectTypeCode":2500,"EntityName":"userentityuisettings","ObjectBusinessUnitId":"","RightsToCheck":"CreateAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["BasicMinimumPrivilegeDepthRequired = None","EntityUserGroupRights = None","LocalMinimumPrivilegeDepthRequiredRights = CreateAccess","SecLib::AccessCheckEx2 failed. Owner Data: roleCount=6, privilegeCount=236, accessMode=0; Principal Data: roleCount=6, privilegeCount=236,

Hi @MarkMpn,

I have found that if a user gets a security error message because he tries to create a record with a different owner, the tool does not find the record (which is normal because it does not exist) and stop interpretating the error.

It could be nice if the tool was able to indicates the problem when creating a record with another owner

Here is the error message:

Principal with id 9bc81194-9ebb-ea11-a812-000d3ab2a6be does not have CreateAccess right(s) for record with id 00000000-0000-0000-0000-000000000000 of entity incident. Details: {"CallerPrincipal":{"PrincipalId":"9bc81194-9ebb-ea11-a812-000d3ab2a6be","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"5d957f62-9ebb-ea11-a812-000d3ab2a6be","Type":8,"IsUserPrincipal":true},"ObjectId":"00000000-0000-0000-0000-000000000000","ObjectTypeCode":112,"EntityName":"incident","ObjectBusinessUnitId":"0e7fb2ad-df4d-ec11-8c62-000d3aba6882","RightsToCheck":"CreateAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["PrincipalHasOwnerPrincipalWithAtLeastBasicPrivilegeDepth = False","EntityUserGroupRights = None","MinimumPrivilegeDepthRequired = Local","SecLib::AccessCheckEx2 failed. Owner Data: roleCount=4, privilegeCount=1350, accessMode=0; Principal Data: roleCount=5, privilegeCount=1580, accessMode=0"],"EntityOwnershipTypeMask":1,"CallerInfo":{"IsSystemUser":false,"IsSupportUser":false,"IsAdministrator":false,"IsCustomizer":false,"IsDisabled":false,"IsIntegrationUser":false,"Teams":null,"Roles":null},"ReadOnlyState":"UserAndOrgFullAccess","IsHsmEnabled":false,"HsmInfo":null,"AccessOrigin":null}

Ie:

Exception Message: User with ID does not have Create permissions for the xxxx attribute in the account entity. Count secured attributes in entity 19. User has 60 secured attribute privileges. callerAp.CanCreate=0

ErrorCode: -2147158782
HexErrorCode: 0x8004f502

ErrorDetails:
ApiExceptionSourceKey: Plugin/Microsoft.Crm.Common.ObjectModel.AccountService
ApiStepKey: 6e3b8615-ecd8-db11-b397-0019b9204da9
ApiDepthKey: 1
ApiActivityIdKey: 1d215960-d05b-496e-a6fb-6f24363aa6f5
ApiPluginSolutionNameKey: System
ApiStepSolutionNameKey: System
ApiExceptionCategory: ClientError
ApiExceptionMessageName: AttributePrivilegeCreateIsMissing
ApiExceptionHttpStatusCode: 403

HelpLink: http://go.microsoft.com/fwlink/?LinkID=398563&error=Microsoft.Crm.CrmException%3a8004f502&client=platform

Activity Id: 58f120c0-8966-4706-a9d8-f5581f0311cb

Principal user (Id=3a2a0f00-62d6-ec11-a7b5-0022489345ca, type=8, roleCount=4, privilegeCount=7693, accessMode=4, applicationId: 7e966ef8-789f-48ce-a548-1263be75412a), is missing prvShareOpportunity privilege (Id=240edd9b-83e1-46b4-aa25-576ad3c75186) on OTC=3 for entity 'opportunity' (LocalizedName='Opportunity'). context.Caller=3a2a0f00-62d6-ec11-a7b5-0022489345ca. Or identityUser.SystemUserId=d2ebb27b-7d54-48cc-802d-6cb744960124, identityUser.Privileges.Count=8565, identityUser.Roles.Count=0 is missing prvShareOpportunity privilege (Id=240edd9b-83e1-46b4-aa25-576ad3c75186) on OTC=3 for entity 'opportunity' (LocalizedName='Opportunity').

Hello, Mark!

First, this tool is amazingly helpful, thank you for developing it.

Below is a short grab of the error log I'm looking at. The Security DeBugger doesn't appear to be recognizing it:

Unhandled exception: 
Exception type: System.ServiceModel.FaultException`1[Microsoft.Xrm.Sdk.OrganizationServiceFault]
Message: Plugin execution failed, please contact your system administrator.Detail: 
<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
  <ActivityId>bcf5bc7d-a974-4043-b7eb-d6aa3a5d34c9</ActivityId>
  <ErrorCode>-2147220891</ErrorCode>
  <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic">
    <KeyValuePairOfstringanyType>
      <d2p1:key>ApiExceptionSourceKey</d2p1:key>
      <d2p1:value xmlns:d4p1="http://www.w3.org/2001/XMLSchema" i:type="d4p1:string">Plugin/Microsoft.Crm.ObjectModel.CustomBusinessEntityService</d2p1:value>
    </KeyValuePairOfstringanyType>
    <KeyValuePairOfstringanyType>
      <d2p1:key>ApiOriginalExceptionKey</d2p1:key>
      <d2p1:value xmlns:d4p1="http://www.w3.org/2001/XMLSchema" i:type="d4p1:string">Microsoft.Crm.CrmSecurityException: The user with id 1c1179d0-2ec6-e711-8116-0a1fd24c9324 has not been assigned any roles. They need a role with the prvReadelcn_personname privilege. ---&gt; Microsoft.Crm.CrmSecurityException: The user with id 1c1179d0-2ec6-e711-8116-0a1fd24c9324 has not been assigned any roles. They need a role with the prvReadelcn_personname privilege.
   at Microsoft.Crm.BusinessEntities.SecurityLibrary.ThrowUserNotAssignedRolesException(String methodName, Guid userId, Guid privilegeId, IExecutionContext context)
   at Microsoft.Crm.BusinessEntities.SecurityLibrary.RetrievePrivilegeForUser(IUser user, Guid privilege, IExecutionContext context)
   at Microsoft.Crm.BusinessEntities.SecurityLibrary.&lt;&gt;c__DisplayClass64_0.&lt;TryCheckPrivilegeImpl&gt;b__0()
   at Microsoft.PowerApps.CoreFramework.ActivityLoggerExtensions.Execute[TResult](ILogger logger, EventId eventId, ActivityType activityType, Func`1 func, IEnumerable`1 additionalCustomProperties)
   at Microsoft.Xrm.Telemetry.XrmTelemetryExtensions.Execute[TResult](ILogger logger, XrmTelemetryActivityType activityType, Func`1 func)
   at Microsoft.Crm.BusinessEntities.SecurityLibrary.TryCheckPrivilege(Guid user, Guid privilege, IExecutionContext context)

Any assistance is appreciated!

Best,
Jon

This seems to be related to FLS and wasn't recognized.

User with ID 64708701-9323-eb11-811c-005056956b45 does not have Update permissions for the donotphone attribute in the lead entity. The leadid of the record is 9e5ec118-24a8-e911-8114-005056954a40

Thanks for the tool! It works great for role based and it really helps to show what the options are for correcting the issue.

This was the entire message and I could not get results with the tool:
SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 7265de4d- de50-e611 -80e8-0050569b285c, Ownerld: 1133ffab-f4ba-dc11-9690- 005056937dc2, OwnerldType: 8 and CallingUser: f0c06139-f64b-ec11-813b- 0050569b285c. ObjectTypeCode: 2020, objectBusinessUnitld: c68ee5a5-f4ba- dc11-9690-005056937dc2, AccessRights: AppendToAccess

Any other help available?
Thanks, Lyndi

Hi,
this message appears when qualifying a lead, we tried everything to find out what's missing somewhere in security roles but we can not solve it unfortunately.

Errordetails (8).txt