Insufficient Permissions on Contacts

Author: Peggy Weiss
Posted: Jul 27th, 2017

Recently, one of our projects underwent an update to their Dynamics 365 deployment and discovered certain users were unable to create, read or update contact records.  The custom security roles assigned to these users specifically had read only access to contacts and the users were previously able to view everything they needed regarding a contact.  We tried all the known “hacks” to get them back to where they needed to be – make them system administrator, copy the role they had to a new role and assign them to it, etc.  Nothing worked.  The strangest thing was that their dashboards that contained contacts were fine – they could view the contact information exposed on the dashboard, but when they tried to open a contact, no deal!

Here’s what their screens displayed when opening a contact:

This is what we saw when we clicked “View the data that will be sent to Microsoft”:

Microsoft Dynamics 365 Error Report Contents

<CrmScriptErrorReport>
  <ReportVersion>1.0</ReportVersion>
  <ScriptErrorDetails>
    <Message>Unable to get property 'length' of undefined or null reference</Message>
    <Line>189</Line>
    <URL>/_static/_common/scripts/jquery-2.1.1.min.js?ver=777900021</URL>
    <PageURL>/main.aspx#933928015</PageURL>
    <Function>anonymousr:Unabletogetproperty'length'ofundefinedornullreference</Function>
    <FunctionRaw>TypeError: Unable to get property 'length' of undefined or null reference</FunctionRaw>
    <CallStack>
      <Function>anonymousr:Unabletogetproperty'length'ofundefinedornullreference</Function>
    </CallStack>
  </ScriptErrorDetails>
  <ClientInformation>
    <BrowserUserAgent>Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; zoomrc 4.4.0; rv:11.0) like Gecko</BrowserUserAgent>
    <BrowserLanguage>en-US</BrowserLanguage>
    <SystemLanguage>en-US</SystemLanguage>
    <UserLanguage>en-US</UserLanguage>
    <ScreenResolution>2182x1227</ScreenResolution>
    <ClientName>Web</ClientName>
    <ClienState>Online</ClienState>
    <ClientTime>2017-07-24T16:04:40</ClientTime>
  </ClientInformation>
  <ServerInformation>
    <OrgLanguage>1033</OrgLanguage>
    <OrgCulture>1033</OrgCulture>
    <UserLanguage>1033</UserLanguage>
    <UserCulture>1033</UserCulture>
    <OrgID>{AF3BF697-586A-455A-BAB2-E51ED7D9D375}</OrgID>
    <UserID>{8A5C6E01-E15C-E711-810D-E0071B716AB1}</UserID>
    <CRMVersion>8.2.1.207</CRMVersion>
  </ServerInformation>
</CrmScriptErrorReport>

 

Since this didn’t tell us what we wanted to know, we felt there was a setting in the new update that was conflicting with their system settings.  We decided to check their system settings and found that Legacy Form Rendering was turned on – so we turned it off:

 

Then, we reloaded the client and received a new error message (we’re making progress!):

 

Ah! Let’s look at the technical details and download the log file:

Unhandled Exception:
System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=8.0.0.0, Culture=neutral, PublicKeyToken=xxxxxxxxxxxxxxxx]]: System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #843D4ACDDetail:
<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
  <ActivityId>0954c5c5-3c9b-4ab7-8c89-2a2a503a69ad</ActivityId>
  <ErrorCode>-2147220970</ErrorCode>
  <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
  <Message>System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #843D4ACD</Message>
  <Timestamp>2017-07-24T21:08:18.5123995Z</Timestamp>
  <ExceptionRetriable>false</ExceptionRetriable>
  <ExceptionSource i:nil="true" />
  <InnerFault>
    <ActivityId>0954c5c5-3c9b-4ab7-8c89-2a2a503a69ad</ActivityId>
    <ErrorCode>-2147220960</ErrorCode>
    <ErrorDetails xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
    <Message>Principal user (Id=8a5c6e01-e15c-e711-810d-e0071b716ab1, type=8) is missing prvReadComplexControl privilege (Id=a4736385-9763-4a64-a44b-cd5933edc631)</Message>
    <Timestamp>2017-07-24T21:08:18.5123995Z</Timestamp>
    <ExceptionRetriable>false</ExceptionRetriable>
    <ExceptionSource i:nil="true" />
    <InnerFault i:nil="true" />
    <OriginalException i:nil="true" />
    <TraceText i:nil="true" />
  </InnerFault>
  <OriginalException i:nil="true" />
  <TraceText i:nil="true" />
</OrganizationServiceFault>

 

Now, let’s look for the culprit!  You know the Activity ID is 0954c5c5-3c9b-4ab7-8c89-2a2a503a69ad from the Insufficient Permissions Technical Details. Now look for that in the log file and you’ll find the missing privilege to grant the user/security role:

    <ActivityId>0954c5c5-3c9b-4ab7-8c89-2a2a503a69ad</ActivityId>
    <ErrorCode>-2147220960</ErrorCode>
    <ErrorDetails xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
    <Message>Principal user (Id=8a5c6e01-e15c-e711-810d-e0071b716ab1, type=8) is missing prvReadComplexControl privilege (Id=a4736385-9763-4a64-a44b-cd5933edc631)</Message>
    <Timestamp>2017-07-24T21:08:18.5123995Z</Timestamp>
    <ExceptionRetriable>false</ExceptionRetriable>
    <ExceptionSource i:nil="true" />
    <InnerFault i:nil="true" />
    <OriginalException i:nil="true" />
    <TraceText i:nil="true" />
  </InnerFault>
  <OriginalException i:nil="true" />
  <TraceText i:nil="true" />
</OrganizationServiceFault>

 

But what in the world is that? A little search in the Microsoft Library/SDK regarding this privilege showed this:

ComplexControl entity is for internal use only. However, users need read access to this entity in order to see the updated experience for lead and opportunity forms (and we assume contacts).

A little further searching in the privilege mapping shows where this privilege setting lives: Process Configuration, on the Customization tab.  Now that you know which security setting to add, navigate to the security role, select the Customization tab, find the Process Configuration setting and grant Read access:

Save the setting and reload the client.

Voila! Access granted!
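
The log-reading step described above, as an added Python example that is not part of the original post: it walks the InnerFault chain of a downloaded log and returns the exact privilege the principal is missing, so the security role can be granted that one privilege. The function name and the trimmed sample log are constructed for illustration; the values in the sample are the ones shown in the post.

```python
import re
import xml.etree.ElementTree as ET

NS = {"x": "http://schemas.microsoft.com/xrm/2011/Contracts"}
MISSING = re.compile(
    r"Principal user \(Id=(?P<user>[0-9a-f-]{36}), type=(?P<type>\d+)\) is missing "
    r"(?P<privilege>prv\w+) privilege \(Id=(?P<privilege_id>[0-9a-f-]{36})\)", re.I)

# Constructed sample: the fault from the post, trimmed to the elements used here.
SAMPLE_LOG = """Unhandled Exception:
<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
  <ActivityId>0954c5c5-3c9b-4ab7-8c89-2a2a503a69ad</ActivityId>
  <ErrorCode>-2147220970</ErrorCode>
  <Message>System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #843D4ACD</Message>
  <InnerFault>
    <ActivityId>0954c5c5-3c9b-4ab7-8c89-2a2a503a69ad</ActivityId>
    <ErrorCode>-2147220960</ErrorCode>
    <Message>Principal user (Id=8a5c6e01-e15c-e711-810d-e0071b716ab1, type=8) is missing prvReadComplexControl privilege (Id=a4736385-9763-4a64-a44b-cd5933edc631)</Message>
    <InnerFault i:nil="true" />
  </InnerFault>
</OrganizationServiceFault>
"""

def missing_privileges(log_text):
    """Return one dict per 'is missing ... privilege' message in the fault chain."""
    close = "</OrganizationServiceFault>"
    start, end = log_text.find("<OrganizationServiceFault"), log_text.rfind(close)
    if start < 0 or end < start:
        return []  # no fault document in this log
    fault = ET.fromstring(log_text[start:end + len(close)])
    found = []
    while fault is not None:  # outer fault first, then each nested InnerFault
        match = MISSING.search(fault.findtext("x:Message", "", NS))
        if match:
            found.append({
                "activity_id": fault.findtext("x:ActivityId", "", NS),
                "error_code": fault.findtext("x:ErrorCode", "", NS),
                **match.groupdict(),
            })
        fault = fault.find("x:InnerFault", NS)  # the nil InnerFault ends the walk
    return found

if __name__ == "__main__":
    for hit in missing_privileges(SAMPLE_LOG):
        print(f"{hit['privilege']} ({hit['privilege_id']}) missing for principal "
              f"{hit['user']}, activity {hit['activity_id']}")
```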