When saving a custom view from the advanced find option the users get an error message in CRM 2011 rollup 12 failed by plugin Microsoft.Xrm.Portal.Plugins.WebNotificationPlugin: Create of any Entity

  • General discussion

  • When saving a custom view from the advanced find option the users get an error message:

    “SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: ebdcee58-c992-e211-8552-00155d535311, OwnerId: eaec5534-16fa-dd11-b6d7-001ec9b8770b,  OwnerIdType: 8 and CallingUser: eb7e312d-16fa-dd11-b6d7-001ec9b8770b. ObjectTypeCode: 4230, objectBusinessUnitId: 1eed5534-16fa-dd11-b6d7-001ec9b8770b, AccessRights: ReadAccess”
    MessageProcessor fail to process message 'Create' for 'userquery'.
    The user has System Administrator role.

    I have tried the Microsoft error in the case 113032210308903 and we have seen the following:

    I could check your user login and got your user id from this.

    CrmSessionAuthenticationManager published CrmClaimsIdentity [UserToken:C:javier.gomez@makesoft.es] [UserId:{3BFED819-88DE-DE11-95C5-02BF5D5A1053}].

    There are two operations in the trace files that originate this issue. When you save the personal view, CRM with the plugin enabled sends the following instruction to the SQL Server:

    insert into [UserQueryBase]([ModifiedBy], [OwnerId], [QueryType], [ReturnedTypeCode], [CreatedOn], [CreatedBy],
    [ModifiedOnBehalfBy], [Name], [OwnerIdType], [StateCode], [FetchXml], [LayoutXml], [StatusCode], [ModifiedOn],
    [OwningBusinessUnit], [UserQueryId]) values ('3bfed819-88de-de11-95c5-02bf5d5a1053', '3bfed819-88de-de11-95c5-02bf5d5a1053',
    0, 1, '03/27/2013 10:27:41', '3bfed819-88de-de11-95c5-02bf5d5a1053', NULL, 'Active Accounts test with microsoft4', 8, 0,
    '<fetch version="1.0" output-format="xml-platform" mapping="logical" distinct="false"><entity name="account"><attribute name="name"/>
    <attribute name="address1_city"/><attribute name="primarycontactid"/><attribute name="telephone1"/><attribute name="accountid"/>
    <order attribute="name" descending="false"/><filter type="and"><condition attribute="statecode" operator="eq" value="0"/>
    <condition attribute="emailaddress1" operator="not-null"/></filter>
    <link-entity name="contact" from="contactid" to="primarycontactid" visible="false" link-type="outer"
    alias="a_5c4bea09099541918213b76175613744"><attribute name="emailaddress1"/></link-entity></entity></fetch>',
    '<grid name="resultset" object="1" jump="name" select="1" icon="1" preview="1"><row name="result" id="accountid">
    <cell name="name" width="300" /><cell name="telephone1" width="100" /><cell name="address1_city" width="100" />
    <cell name="primarycontactid" width="150" /><cell name="a_5c4bea09099541918213b76175613744.emailaddress1" width="150" disableSorting="1" />
    </row></grid>', 1, '03/27/2013 10:27:41', '1eed5534-16fa-dd11-b6d7-001ec9b8770b', '638dcef3-c896-e211-8552-00155d535311')

    insert into [UserQueryBase]([ModifiedBy], [OwnerId], [QueryType], [ReturnedTypeCode], [CreatedOn], [CreatedBy],
    [ModifiedOnBehalfBy], [Name], [OwnerIdType], [StateCode], [FetchXml], [LayoutXml], [StatusCode], [ModifiedOn],
    [OwningBusinessUnit], [UserQueryId]) values ('3bfed819-88de-de11-95c5-02bf5d5a1053', '3bfed819-88de-de11-95c5-02bf5d5a1053',
    0, 1, '03/27/2013 10:27:41', '3bfed819-88de-de11-95c5-02bf5d5a1053', NULL, 'Active Accounts test with microsoft4', 8, 0,
    '<fetch version="1.0" output-format="xml-platform" mapping="logical" distinct="false"><entity name="account"><attribute name="name"/>
    <attribute name="address1_city"/><attribute name="primarycontactid"/><attribute name="telephone1"/><attribute name="accountid"/>
    <order attribute="name" descending="false"/><filter type="and"><condition attribute="statecode" operator="eq" value="0"/>
    <condition attribute="emailaddress1" operator="not-null"/></filter>
    <link-entity name="contact" from="contactid" to="primarycontactid" visible="false" link-type="outer"
    alias="a_5c4bea09099541918213b76175613744"><attribute name="emailaddress1"/></link-entity></entity></fetch>',
    '<grid name="resultset" object="1" jump="name" select="1" icon="1" preview="1"><row name="result" id="accountid">
    <cell name="name" width="300" /><cell name="telephone1" width="100" /><cell name="address1_city" width="100" />
    <cell name="primarycontactid" width="150" /><cell name="a_5c4bea09099541918213b76175613744.emailaddress1" width="150" disableSorting="1" />
    </row></grid>', 1, '03/27/2013 10:27:41', '1eed5534-16fa-dd11-b6d7-001ec9b8770b', '638dcef3-c896-e211-8552-00155d535311')

    You can see that the OwnerId and the ModifiedBy fields are being filled with the GUID 3bfed819-88de-de11-95c5-02bf5d5a1053; that’s your user ID. Then in the trace files you can see that CRM searches for the privileges for a different user (GUID eb7e312d-16fa-dd11-b6d7-001ec9b8770b), resulting in the error message that you got.

    select MAX((POA.AccessRightsMask|POA.InheritedAccessRightsMask) & 0x00000001) +
    MAX((POA.AccessRightsMask|POA.InheritedAccessRightsMask) & 0x00000002) +
    MAX((POA.AccessRightsMask|POA.InheritedAccessRightsMask) & 0x00010000) +
    MAX((POA.AccessRightsMask|POA.InheritedAccessRightsMask) & 0x00000004) +
    MAX((POA.AccessRightsMask|POA.InheritedAccessRightsMask) & 0x00080000) +
    MAX((POA.AccessRightsMask|POA.InheritedAccessRightsMask) & 0x00040000) +
    MAX((POA.AccessRightsMask|POA.InheritedAccessRightsMask) & 0x00000010) +
    MAX((POA.AccessRightsMask|POA.InheritedAccessRightsMask) & 0x00000020) as 'AccessRights'
    from PrincipalObjectAccess as POA join SystemUserPrincipals sup on POA.PrincipalId = sup.PrincipalId
    where POA.ObjectId = '638dcef3-c896-e211-8552-00155d535311' AND sup.SystemUserId = 'eb7e312d-16fa-dd11-b6d7-001ec9b8770b'
    and POA.ObjectTypeCode = 4230 GROUP BY POA.ObjectId

    When the error occurs it’s possible to see the following information.

    Crm Exception: Message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 638dcef3-c896-e211-8552-00155d535311, OwnerId: 3bfed819-88de-de11-95c5-02bf5d5a1053,  OwnerIdType: 8 and CallingUser: eb7e312d-16fa-dd11-b6d7-001ec9b8770b. ObjectTypeCode: 4230, objectBusinessUnitId: 1eed5534-16fa-dd11-b6d7-001ec9b8770b, AccessRights: ReadAccess , ErrorCode: -2147187962

    So it seems that the plugin is changing the user context from the personal view.

    The ID being used is identifiable from the following information in the trace file.

    _sdkContext.UserId: {eb7e312d-16fa-dd11-b6d7-001ec9b8770b}

    The UserQuery entity can only have user level read access.  If you look at the System Administrator security role, even that role can only be granted user level read access to the UserQuery entity. Considering this, we know that the calling user of a UserQuery can never be a GUID that is different than the OwnerId, unless the UserQuery is manually shared. 
    No matter what version of CRM, if the calling user is not explicitly shared a UserQuery record, they will not be able to access it and this will occur, thus you would need to manually share the record, or update the context of the plugin.

    Wednesday, April 24, 2013 10:38 AM
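
The diagnosis described in the post, as an added example that is not part of the original post or of any Microsoft tooling: it parses `SecLib::AccessCheckEx` trace lines, flags denials where CallingUser differs from OwnerId (the plugin-context mismatch discussed above), and decodes the access-rights bits used in the PrincipalObjectAccess query. Function names are hypothetical, the right names are assumed to follow the CRM SDK `AccessRights` enum, and the second sample line is constructed.

```python
import re

# Line 1 is the exception quoted in the post; line 2 is constructed for contrast.
SAMPLE_TRACE = (
    "Crm Exception: Message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, "
    "ObjectID: 638dcef3-c896-e211-8552-00155d535311, OwnerId: 3bfed819-88de-de11-95c5-02bf5d5a1053,"
    "  OwnerIdType: 8 and CallingUser: eb7e312d-16fa-dd11-b6d7-001ec9b8770b. ObjectTypeCode: 4230, "
    "objectBusinessUnitId: 1eed5534-16fa-dd11-b6d7-001ec9b8770b, AccessRights: ReadAccess\n"
    "Crm Exception: Message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, "
    "ObjectID: 00000000-0000-0000-0000-0000000000a1, OwnerId: 00000000-0000-0000-0000-0000000000b2,"
    "  OwnerIdType: 8 and CallingUser: 00000000-0000-0000-0000-0000000000b2. ObjectTypeCode: 4230, "
    "objectBusinessUnitId: 00000000-0000-0000-0000-0000000000c3, AccessRights: WriteAccess\n"
)

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
PATTERN = re.compile(
    r"SecLib::AccessCheckEx failed\. Returned hr = (?P<hr>-?\d+), "
    rf"ObjectID: (?P<object>{GUID}), OwnerId: (?P<owner>{GUID}),\s+"
    rf"OwnerIdType: (?P<owner_type>\d+) and CallingUser: (?P<caller>{GUID})\. "
    r"ObjectTypeCode: (?P<otc>\d+), .*?AccessRights: (?P<right>\w+)"
)

# Bit values taken from the PrincipalObjectAccess query; names assumed from the SDK enum.
ACCESS_RIGHTS = {
    "ReadAccess": 0x1, "WriteAccess": 0x2, "AppendAccess": 0x4, "AppendToAccess": 0x10,
    "CreateAccess": 0x20, "DeleteAccess": 0x10000, "ShareAccess": 0x40000, "AssignAccess": 0x80000,
}

def hr_to_hex(hr):
    """Render the signed 32-bit HRESULT from the trace as unsigned hex."""
    return f"0x{hr & 0xFFFFFFFF:08X}"

def decode_mask(mask):
    """List the rights set in AccessRightsMask | InheritedAccessRightsMask."""
    return [name for name, bit in ACCESS_RIGHTS.items() if mask & bit]

def find_denials(trace):
    """Return one finding per AccessCheckEx failure in the trace text."""
    findings = []
    for m in PATTERN.finditer(trace):
        d = m.groupdict()
        findings.append({
            "hresult": hr_to_hex(int(d["hr"])), "object_id": d["object"],
            "owner": d["owner"], "caller": d["caller"], "denied_right": d["right"],
            "user_query": d["otc"] == "4230",  # 4230 is userquery in the post
            "context_mismatch": d["caller"].lower() != d["owner"].lower(),
        })
    return findings

if __name__ == "__main__":
    for finding in find_denials(SAMPLE_TRACE):
        print(finding)
```

A finding with `user_query` and `context_mismatch` both true points at the situation in the post: a user-owned view read under a different user context than the one that created it.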