Problem with assigning a user to a team without the system administrator role

  • Question

  • Hi,

    Before I start, I want to ask: do I have to be a system administrator to assign a user to a team?

    The reason that I ask is because every time I try to do it with a role that is different from system administrator I get the privilege error message.

    When I look at the error log, it refers every time to a different role that is missing.

    I started to open all the missing roles and (after 3 hours) I got back to almost the System Administrator role.

    I really don't understand why the system wants privileges such as sharing account and append internet marketing, for example (there are many more weird privileges that the system requires), only for assigning the user to a team.

    Any idea?

     

    Thank you very much,

    Yoav

     

    Thursday, June 6, 2013 1:11 PM

Answers

  • You can't assign a user a security role which has privileges you do not hold yourself.

    You cannot add a user to a Team which has a security role which has privileges you do not hold yourself (because they will be able to act as if they have that role themselves).

    If you could do either of these things you could potentially create a user and use it to gain access to things you should not have - an "elevation of privileges".

    Check the Team you are trying to add the user to, and make sure you have that role, then this should be fine.

    Also note as a matter of best practice you may want to only give roles to Teams which have the exact rights you need the Team to have - if the Team exists so that it can own Case records, don't give it any access to anything else. Then no-one can accidentally assign an Account, or Opportunity to this Team, and you won't have so many issues about adding users to it.


    Hope this helps.
    Adam Vero, Microsoft Certified Trainer | Microsoft Community Contributor 2011
    Blog: Getting IT Right

    Wednesday, June 12, 2013 2:03 PM
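
The rule in the answer above, as an added sketch (not part of the original post and not Dynamics CRM code): the caller must already hold every privilege the team's roles would confer, at the same or wider depth. The role contents are constructed, using only privilege names that appear in this thread's error logs, and the model ignores business-unit scoping.

```python
# Added illustration: a simplified model of the rule in the answer above,
# not Dynamics CRM code. Role contents below are constructed sample data.

# PrivilegeDepth values in increasing scope (user, business unit,
# parent:child business units, organization).
DEPTH_RANK = {"Basic": 0, "Local": 1, "Deep": 2, "Global": 3}


def effective_privileges(roles):
    """Merge several roles; roles are cumulative, so the widest depth wins."""
    merged = {}
    for role in roles:
        for name, depth in role.items():
            if name not in merged or DEPTH_RANK[depth] > DEPTH_RANK[merged[name]]:
                merged[name] = depth
    return merged


def missing_privileges(caller_roles, team_roles):
    """List every privilege the team would grant that the caller lacks.

    Returns (privilege, depth_required, depth_held_or_None) tuples. Each
    fault in the thread names a single privilege; this reports the whole gap.
    """
    held = effective_privileges(caller_roles)
    gaps = []
    for name, required in sorted(effective_privileges(team_roles).items()):
        have = held.get(name)
        if have is None or DEPTH_RANK[have] < DEPTH_RANK[required]:
            gaps.append((name, required, have))
    return gaps


# Constructed sample: a broad role on the team, two narrow roles on the caller.
TEAM_ROLE = {"prvWriteReport": "Global", "prvCreateAttribute": "Global",
             "prvAssignAsyncOperation": "Local"}
CALLER_CORE_ROLE = {"prvWriteReport": "Local"}
CALLER_EXTRA_ROLE = {"prvAssignAsyncOperation": "Local"}
# A team role scoped to one job, as the answer recommends.
NARROW_TEAM_ROLE = {"prvAssignAsyncOperation": "Local"}

if __name__ == "__main__":
    caller = [CALLER_CORE_ROLE, CALLER_EXTRA_ROLE]
    for gap in missing_privileges(caller, [TEAM_ROLE]):
        print("blocked by %s: need %s, hold %s" % gap)
    print("narrow team gaps:", missing_privileges(caller, [NARROW_TEAM_ROLE]))
```

With the broad team role, the caller is blocked twice over (one privilege absent, one held at too narrow a depth); with the narrow team role the gap list is empty.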
  • Hi,

    No! The administrator role is not necessary. The user should have append and append to privileges on the user and team. For a better idea, have a look at this article.



    My Weblog | My Website

    Thursday, June 6, 2013 1:29 PM
    Moderator

All replies

  • Hi,

    Thanks, is there any way to make a role that just adds the ability to assign users to teams?

    I want this role to be an extra role, only for those I want to be able to change teams for users.

    All other privileges of the same user will be managed in his core functionality role.

    Thanks,

    Yoav

    Thursday, June 6, 2013 1:36 PM
  • Also, I do have the append and append to privileges on the user and team for this role,

    but I still get the privilege error message. Are there any other necessary privileges?

    Thanks,

    Yoav

    Thursday, June 6, 2013 1:42 PM
  • Please paste your error log here.


    My Weblog | My Website

    Thursday, June 6, 2013 1:46 PM
    Moderator
  • Hi,

    This is an example of an error log that I got.

    I still get a lot of privileges missing.

    Why should I give the user the privilege of write reports and Internet marketing, only for changing/adding teams for users?

    error log:

    Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: RoleService::VerifyCallerPrivileges failed. User: d855ac4d-9cce-e211-ac96-005056924b33, PrivilegeName: prvWriteReport, PrivilegeId: 158b7eea-002d-4653-9936-4091dea1fe6e, Depth: Global, BusinessUnitId: 9432b019-b4ea-e111-a446-00505683531eDetail:
    <OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
      <ErrorCode>-2147220960</ErrorCode>
      <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
      <Message>RoleService::VerifyCallerPrivileges failed. User: d855ac4d-9cce-e211-ac96-005056924b33, PrivilegeName: prvWriteReport, PrivilegeId: 158b7eea-002d-4653-9936-4091dea1fe6e, Depth: Global, BusinessUnitId: 9432b019-b4ea-e111-a446-00505683531e</Message>
      <Timestamp>2013-06-09T06:09:15.174033Z</Timestamp>
      <InnerFault i:nil="true" />
      <TraceText i:nil="true" />
    </OrganizationServiceFault>

    Thanks,

    Yoav

    Sunday, June 9, 2013 6:13 AM
  • Hi,

    Another error log that I got is below.

    Again, this is just an example. I get a lot more errors for weird missing privileges.

    Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: RoleService::VerifyCallerPrivileges failed. User: d855ac4d-9cce-e211-ac96-005056924b33, PrivilegeName: prvCreateAttribute, PrivilegeId: 210dfcd8-6b62-423e-aa40-a5a003dedd57, Depth: Global, BusinessUnitId: 9432b019-b4ea-e111-a446-00505683531eDetail:
    <OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
      <ErrorCode>-2147220960</ErrorCode>
      <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
      <Message>RoleService::VerifyCallerPrivileges failed. User: d855ac4d-9cce-e211-ac96-005056924b33, PrivilegeName: prvCreateAttribute, PrivilegeId: 210dfcd8-6b62-423e-aa40-a5a003dedd57, Depth: Global, BusinessUnitId: 9432b019-b4ea-e111-a446-00505683531e</Message>
      <Timestamp>2013-06-09T06:45:34.2214041Z</Timestamp>
      <InnerFault i:nil="true" />
      <TraceText i:nil="true" />
    </OrganizationServiceFault>

    Sunday, June 9, 2013 6:49 AM
  • Hi Adam & Team

    I am facing the same issue: I am not able to add users to the team. As you mention, "You cannot add a user to a Team which has a security role which has privileges you do not hold yourself".

    I am holding the same role as the role mentioned in the team, but still I am not able to add myself to the team.

    Here is the scenario:

    I am user X, having role "R"; I have another user, say Y, having role "R"; and I have a team, say "T1", having role "R". If I add user Y to team "T1", I get this error:

    Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=7.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: System.Xml.XmlException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #13569B24Detail:
    <OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
      <ErrorCode>-2147220970</ErrorCode>
      <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
      <Message>System.Xml.XmlException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #13569B24</Message>
      <Timestamp>2015-09-01T07:26:22.963097Z</Timestamp>
      <InnerFault>
        <ErrorCode>-2147220960</ErrorCode>
        <ErrorDetails xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
        <Message>RoleService::VerifyCallerPrivileges failed. User: d64833ae-7150-e511-810b-c4346badc5f4, PrivilegeName: prvAssignAsyncOperation, PrivilegeId: 003d8a0f-c230-411c-a993-cc0a8aeaac96, Depth: Local, BusinessUnitId: 5f2bcedb-0350-e511-8102-c4346bada644</Message>
        <Timestamp>2015-09-01T07:26:22.963097Z</Timestamp>
        <InnerFault i:nil="true" />
        <TraceText i:nil="true" />
      </InnerFault>
      <TraceText i:nil="true" />
    </OrganizationServiceFault>

    And if I am already a member of the team, then I am able to add the user.

    In the above example the roles are the same for user X,Y and team "T1".


    Thanks & Regards Vijji

    Tuesday, September 1, 2015 7:28 AM
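
An added example, not from any poster or from the CRM SDK: a small offline parser that pulls the failing privilege out of a saved error log like those pasted in this thread, including when it is wrapped in an InnerFault under a generic error, as in the last post. The sample log is abridged from that post; the function and field names are assumptions.

```python
# Added illustration: offline triage of a saved CRM error log, not SDK code.
import re
import xml.etree.ElementTree as ET

NS = {"x": "http://schemas.microsoft.com/xrm/2011/Contracts"}
GUID = r"[0-9a-fA-F-]{36}"
PRIV_RE = re.compile(
    r"VerifyCallerPrivileges failed\. User: (?P<user>" + GUID + r"), "
    r"PrivilegeName: (?P<privilege>\w+), PrivilegeId: (?P<privilege_id>" + GUID + r"), "
    r"Depth: (?P<depth>\w+), BusinessUnitId: (?P<business_unit>" + GUID + r")")


def privilege_failures(log_text):
    """Return one dict per privilege failure found at any InnerFault level."""
    # The downloaded log has a text preamble ending in "Detail:" before the XML.
    start = log_text.find("<OrganizationServiceFault")
    if start < 0:
        raise ValueError("no OrganizationServiceFault element in input")
    # Parse only logs from your own deployment; ElementTree is not hardened
    # against hostile XML.
    node = ET.fromstring(log_text[start:])
    failures, level = [], 0
    while node is not None:
        match = PRIV_RE.search(node.findtext("x:Message", "", NS))
        if match:
            entry = match.groupdict()
            entry["level"] = level  # 0 = outer fault, 1 = first InnerFault, ...
            entry["error_code"] = node.findtext("x:ErrorCode", "", NS)
            failures.append(entry)
        node, level = node.find("x:InnerFault", NS), level + 1
    return failures


# Abridged from the last post in this thread (preamble shortened, empty elements dropped).
SAMPLE_LOG = """\
System.Xml.XmlException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #13569B24Detail:
<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
  <ErrorCode>-2147220970</ErrorCode>
  <Message>System.Xml.XmlException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #13569B24</Message>
  <InnerFault>
    <ErrorCode>-2147220960</ErrorCode>
    <Message>RoleService::VerifyCallerPrivileges failed. User: d64833ae-7150-e511-810b-c4346badc5f4, PrivilegeName: prvAssignAsyncOperation, PrivilegeId: 003d8a0f-c230-411c-a993-cc0a8aeaac96, Depth: Local, BusinessUnitId: 5f2bcedb-0350-e511-8102-c4346bada644</Message>
    <InnerFault i:nil="true" />
  </InnerFault>
</OrganizationServiceFault>
"""

if __name__ == "__main__":
    print(privilege_failures(SAMPLE_LOG))
```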