Dynamics CRM 2011: Cannot see all records I own even though I have parent-child business unit level access on create, read, write privileges on Contact entity


  • Hi guys

    I have a security role set up with Deep Level (Parent Child Business Unit) access for the Read, Write and Create privileges on the contact entity in Dynamics CRM 2011. The security role is set up at the Root Business Unit and a user has been assigned the role at a child business unit. I am part of another business unit and have a plug in which assigns ownership to a user based on country of residence of the contact. When I create a contact the plug in kicks in and assigns the contact record to the correct user/owner. However, the new owner can only view the contact details in a list but cannot open the contact record... Why is this??? They have parent-child business unit access on read, write and create privileges on the contact entity???? Very baffling!!!

    Any info would be appreciated!

    Thursday, 1 March 2012 11:05 PM

All replies

  • Hi Dave,

    So the plugin is working, and is setting the new owner correctly?

    However, when the new owner is viewing the contact record, they are unable to open it.

    Do they receive an error when trying to open the record? With the CRM Security model, if you can see the record in a grid view, you can also open the record. This is possibly not related to the security roles.

    Please post the error details.



    Saturday, 24 March 2012 11:27 AM
  • Hi Paul,

    No, they don't see an error when they open it, but they see the screen which says they have insufficient privileges to open the record even though they're the owner!

    However, when I try and manually assign a record to another user/owner I receive the error below.

    Here is the error message;

    Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #62715CD4
    Detail:
    <OrganizationServiceFault xmlns:i="" xmlns="">
      <ErrorDetails xmlns:d2p1="" />
      <Message>System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #62715CD4</Message>
        <ErrorDetails xmlns:d3p1="" />
        <Message>An unexpected error occurred.</Message>
        <InnerFault i:nil="true" />
        <TraceText i:nil="true" />
      <TraceText i:nil="true" />



    Thursday, 5 April 2012 8:37 AM
  • Hi Dave,

    If you have created this role from scratch there are several privileges that are required to access the system. I would recommend copying an existing role to ensure the required privilege settings are applied.

    You can also take a look at this blog post that describes the minimum security privileges a user requires to use the system:

    It suggests creating a general role to apply to each user, and then for your custom roles to give any additional access, however you can also apply these privileges directly into your custom role:

    Hope that helps!


    Thursday, 5 April 2012 11:07 AM
  • Hi Paul,

    Thanks for links and info above.

    Yes, I have copied an existing role with read, write and delete privileges set to deep level business unit access but still receiving same issue. Really baffling this, cannot figure this one out!

    I understand that the owner of the record combined with the security role and business will dictate what the user/owner of the record can see/do.

    What about the createdby field?? If the plugin changes the owner but not the createdby field username would this cause a conflict???



    Friday, 13 April 2012 10:13 PM
    Can you check for append from/to permissions? Can you add lookup attributes to the view and see if the user can still see the records in the view? Make sure to add all lookup fields to the view.



    Dynamics CRM MVP | Inogic || news at inogic dot com

    If this post answers your question, please click "Mark As Answer" on the post and "Mark as Helpful"

    Saturday, 14 April 2012 9:31 PM
  • Hi David, here's what I'd like you to do.

    Since you're not going to get much from the event log, download the diag tool and enable platform tracing (verbose is not needed).

    Scroll to the bottom of your trace file and search for "ChkPrivilege" and get the GUID for the missing privilege, then run the following query based on this article:

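    -- char(38) fits a GUID written with surrounding braces
    DECLARE @PrivId char(38)
    -- Replace 'id you found' with the privilege GUID from the platform trace
    SET @PrivId = 'id you found'
    -- Look up the name of the privilege the access check was asking for
    SELECT Name, * FROM PrivilegeBase WHERE PrivilegeId = @PrivId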

    This will give you the missing privilege; although I think Sam is on the right track with Append/Append to.

    I hope this helps. If my response answered your question, please mark the response as an answer and also vote as helpful. Michael Mayo

    Sunday, 15 April 2012 12:21 AM
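The trace search and lookup described in the post above, as an added example that is not part of the original thread: it collects every GUID on lines mentioning "ChkPrivilege" and builds one PrivilegeBase query for all of them. The sample trace lines are constructed and their layout is an assumption, not the real CRM trace format; `candidate_ids` and `build_privilege_query` are hypothetical helper names.

```python
import re
from collections import Counter

# Bare GUID; any surrounding braces in the trace text are simply not captured.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample lines: the layout is illustrative, not the real CRM trace format.
SAMPLE_TRACE = """\
10:01:01 Info  request started for user {11111111-1111-1111-1111-111111111111}
10:01:02 Error ChkPrivilege failed user={11111111-1111-1111-1111-111111111111} priv={22222222-2222-2222-2222-222222222222}
10:01:03 Error ChkPrivilege failed user={11111111-1111-1111-1111-111111111111} priv={22222222-2222-2222-2222-222222222222}
10:01:04 Info  request completed
"""

def candidate_ids(trace_text, keyword="ChkPrivilege"):
    """Count every GUID that appears on a line mentioning the keyword."""
    hits = Counter()
    for line in trace_text.splitlines():
        if keyword.lower() in line.lower():
            hits.update(g.lower() for g in GUID_RE.findall(line))
    return hits

def build_privilege_query(guids):
    """Build the PrivilegeBase lookup for all candidates at once."""
    ids = sorted(set(guids))
    if not ids:
        raise ValueError("no GUIDs found on matching trace lines")
    for g in ids:
        # Only well-formed GUIDs are embedded as literals in the SQL text.
        if not GUID_RE.fullmatch(g):
            raise ValueError(f"not a GUID: {g!r}")
    id_list = ", ".join(f"'{g}'" for g in ids)
    return f"SELECT Name, * FROM PrivilegeBase WHERE PrivilegeId IN ({id_list})"

if __name__ == "__main__":
    found = candidate_ids(SAMPLE_TRACE)
    for guid, count in found.most_common():
        print(count, guid)
    print(build_privilege_query(found))
```

A GUID on a matching line that is a user or record ID rather than a privilege simply returns no row from PrivilegeBase, so the rows that do come back name the privileges being checked.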
  • Hello Guys,

    Many thanks for all of the suggestions. I have checked the append from/to permissions and the security role assigned to the user has deep level business unit access for append and append to.

    I will ask one of our development team to carry out the checks as described in Michael's note and will let you know the outcome.

    Many thanks


    Monday, 23 April 2012 11:19 AM
  • Hi

    Did you ever get a resolution to this? I've been working on exactly this issue with Microsoft support for a month now, and they are clueless.

    - Richard

    Friday, 24 August 2012 8:13 AM
  • Hi Richard,

    I have resolved this issue. The problem lay with a customised plugin that was written and was throwing up this error. I found the issue by disabling each plugin and re-enabling them one by one until I found the plug-in creating the problem.

    I have just disabled the plugin now. Do you have a customised plugin written to assign ownership?

    I ended up using the workflow to assign ownership.


    Friday, 24 August 2012 10:10 AM