locked
Difference in response from RetrievePrincipalAccessRequest & RetrieveSharedPrincipalsAndAccessRequest (CRM 2013 SP1 UR1 on-premise) RRS feed

  • Question

  • Hi all,

    I've been fighting this for 2 days now. I'm trying to check if an account is already shared with a team before modifying or granting the access. I noticed at first that when I shared, and then checked at the next run, Sharing and Assign privs where not returned by RetrievePrincipalAccessRequest. So I mitigated this by not checking for those two.

    However for some of my accounts, an already shared record (verified in the UI) is returning "None" when retrieved using RetrievePrincipalAccessRequest but the full set when listed using RetrieveSharedPrincipalsAndAccessRequest. I created the code below to verify this - the output from this run is:

    team 4b7ec141-81f3-e211-940a-00155deab80e
    ReadAccess, WriteAccess, AppendAccess, AppendToAccess, ShareAccess, AssignAccess
    None
    ------------------------------------------------------------------------
    team 4d7ec141-81f3-e211-940a-00155deab80e
    ReadAccess, WriteAccess, AppendAccess, AppendToAccess, ShareAccess, AssignAccess
    ReadAccess, WriteAccess, AppendAccess, AppendToAccess, ShareAccess, AssignAccess
    ------------------------------------------------------------------------

    Is there anybody that can offer an explanation on this behaviour? Retrieving the full list does seem like a waste of ressources but I guess that is what I will have to do for now.

    Thank's
    Nicolai

     EntityReference targetref = new EntityReference("account", new Guid("a2a56119-0501-e311-940e-00155deab80e"));
                RetrieveSharedPrincipalsAndAccessRequest req = new RetrieveSharedPrincipalsAndAccessRequest()
                {
                    Target = targetref
                };
                RetrieveSharedPrincipalsAndAccessResponse resp = (RetrieveSharedPrincipalsAndAccessResponse)_orgService.Execute(req);
                foreach (PrincipalAccess pa in resp.PrincipalAccesses)
                {
                    Console.WriteLine(pa.Principal.LogicalName + " " + pa.Principal.Id);
                    Console.WriteLine(pa.AccessMask.ToString());
                    RetrievePrincipalAccessRequest req2 = new RetrievePrincipalAccessRequest()
                    {
                        Principal = pa.Principal,
                        Target = req.Target
                    };
                    RetrievePrincipalAccessResponse resp2 = (RetrievePrincipalAccessResponse)_orgService.Execute(req2);
                    Console.WriteLine(resp2.AccessRights.ToString());
                    Console.WriteLine("------------------------------------------------------------------------");
                }


    -- Please vote as helpful / mark as answer where appropriate ;)


    Wednesday, April 8, 2015 7:25 AM

Answers

  • I've not tested this in any detail, but based on the message names, it may be that RetrievePrincipalAccessRequest only returns the rights that a user gets via their security roles (and not any rights granted via sharing), whereas RetrieveSharedPrincipalsAndAccessRequest returns the rights via security roles and via sharing. Does this match the behaviour that you see ?

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Tuesday, April 14, 2015 6:16 AM
    Moderator

All replies

  • Are you trying to check the rights, or are you just trying to see if the record is assigned to a team or a user?

    If all you need to know is if the record is assigned to a team, you can check the OwnerId.logicalname attribute for a string containing either 'systemuser' or 'team'.

    Or maybe I am misunderstanding the root question?

    Monday, April 13, 2015 8:18 PM
  • Hi Chris, thank's for getting back to me.

    I needed to check that all the rights where the same as the requested, and if not replace them.

    What I found was that quering for the specific team for a specific target (RetrievePrincipalAccessRequest ) gave me sometimes "None" other times "ReadAccess, WriteAccess, AppendAccess, AppendToAccess" when infact the team also had "ShareAccess, AssignAccess" in addition.

    But requesting the entire set of princiaps and rights (RetrieveSharedPrincipalsAndAccessRequest) gave me all the info.

    I do not believe the performance impact is so huge here since most targets are shared with max 3 principals, so I have implemtented it using RetrieveSharedPrincipalsAndAccessRequest now.

    Did this make the issue more clear? For the benefit of other users that may run into this problem, I would still like to find out what happened.


    -- Please vote as helpful / mark as answer where appropriate ;)

    Tuesday, April 14, 2015 5:39 AM
  • I've not tested this in any detail, but based on the message names, it may be that RetrievePrincipalAccessRequest only returns the rights that a user gets via their security roles (and not any rights granted via sharing), whereas RetrieveSharedPrincipalsAndAccessRequest returns the rights via security roles and via sharing. Does this match the behaviour that you see ?

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Tuesday, April 14, 2015 6:16 AM
    Moderator
  • Hi David,

    That does make sense yes. I would say we decide that is the explanation for now - at least until more evidence shows up.

    I'm leaving for vacation in a few days but if I get time i'll do some more testing on this.

    Thank's.


    -- Please vote as helpful / mark as answer where appropriate ;)

    Tuesday, April 14, 2015 6:24 AM