ID lacking privilege to create Plugin in CRM

  • Question

  • Hi,

    I am at a customer site and getting an error registering a plugin; details below. I want to confirm if my Windows UserID has to be a CRM Admin or is there another role that will allow me to register a plugin?

     

    I’m having some trouble using the Plugin Registration tool when I try to register a plugin dll. After selecting to Register a new assembly, browsing to the assembly and then clicking ‘Register Selected Plugins’ I get the following error:

    CrmCheckPrivilege failed. Returned hr = -2147220960 on UserId: e24a84f7-9997-e011-9741-005056920556 and PrivilegeId: 592cb518-880d-492f-bd3c-3558413b8ced

    I did some research and it looks like this error is caused when the user id submitting the registration is lacking the CRM ‘prvCreatePluginType’ privilege; see http://msdn.microsoft.com/en-us/library/bb955026.aspx for the list of privileges by GUID.

     

    I tried to check my privileges using the Deployment manager on the CRM Dev box but when I access the Deployment Manager link from Start->Program Files I get another error: ‘Unable to access the MSCRM_CONFIG database the SQL Server does not exist or access denied’. I checked where the physical MSCRM_CONFIG database is located and I do not have access to it.


    Here are the full details of the error message from the Plugin Registration tool:

     

    Detail: <detail><error>
      <code>0x80040220</code>
      <description>SecLib::CrmCheckPrivilege failed. Returned hr = -2147220960 on UserId: e24a84f7-9997-e011-9741-005056920556 and PrivilegeId: 592cb518-880d-492f-bd3c-3558413b8ced</description>
      <type>Platform</type>
    </error></detail>
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at PluginRegistrationTool.CrmSdk.CrmService.Create(BusinessEntity entity)
       at PluginRegistrationTool.RegistrationHelper.RegisterPluginType(CrmOrganization org, CrmPlugin plugin)
       at PluginRegistrationTool.PluginRegistrationForm.btnRegister_Click(Object sender, EventArgs e)

     

     

    Monday, June 20, 2011 4:30 PM

All replies

  • If you are performing work like registering plug-ins and other development-type work then you'll want to not only be logged in as a local admin account but have full privileges on the CRM Organization as well as the SQL database. I'm not saying that you absolutely need all those rights but why introduce potential security issues into the mix when trying to get this type of work completed.

    Regards, Donna

    Monday, June 20, 2011 4:57 PM
  • In addition to normal CRM privileges, you also need to be a CRM Deployment Administrator to register plugins. This is granted through CRM Deployment Manager, and has to be done by someone who is a CRM Deployment Administrator, and has SQL rights to the MSCRM_Config database. The account used to install CRM will have these rights.
    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Monday, June 20, 2011 5:26 PM
    Moderator
  • Thank you for your replies. Apparently the Id I am using is already a CRM Deployment Administrator so does that mean the only access I am missing is to the MSCRM_Config database?
    Monday, June 20, 2011 6:10 PM
  • You can try it by just adding the security to the config db but see my previous post for the full recommendation.

    Regards, Donna

    Tuesday, June 21, 2011 10:11 AM
  • In this scenario I don't think you need access to the MSCRM_Config database. The Deployment Administrator role has 2 quite distinct purposes; to allow you to register plugins, and to do admin functions via the Deployment Admin tool. Only the latter requires access to MSCRM_Config. If you are a Deployment Administrator then there's no need for you to use the Deployment Admin tool.

    The ‘prvCreatePluginType’ privilege referenced in your initial post is a privilege that applies per CRM organisation, and is set via security role assignment within the CRM application, rather than the Deployment Admin tool.


    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Tuesday, June 21, 2011 3:36 PM
    Moderator
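
An added example, not part of the thread or of Microsoft's tooling: a small triage helper that parses the `<detail>` fault quoted in the question, shows that the signed `hr` value and the hex `<code>` are the same HRESULT, and names the missing privilege so the right security role can be adjusted. The function names are hypothetical, and the GUID-to-name table holds only the single mapping the original poster reported from the MSDN privilege list.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <detail> fault exactly as quoted in the question.
SAMPLE_FAULT = (
    "<detail><error>"
    "<code>0x80040220</code>"
    "<description>SecLib::CrmCheckPrivilege failed. Returned hr = -2147220960 "
    "on UserId: e24a84f7-9997-e011-9741-005056920556 and PrivilegeId: "
    "592cb518-880d-492f-bd3c-3558413b8ced</description>"
    "<type>Platform</type>"
    "</error></detail>"
)

# Assumption: only the mapping reported in this thread; extend from the MSDN list.
KNOWN_PRIVILEGES = {
    "592cb518-880d-492f-bd3c-3558413b8ced": "prvCreatePluginType",
}

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
PATTERN = re.compile(
    r"CrmCheckPrivilege failed\. Returned hr = (-?\d+) on UserId: "
    rf"({GUID}) and PrivilegeId: ({GUID})"
)

def hresult_hex(hr):
    """Render a signed 32-bit HRESULT as the unsigned hex form used in <code>."""
    return f"0x{hr & 0xFFFFFFFF:08x}"

def parse_privilege_fault(detail_xml):
    """Return the fields of a CrmCheckPrivilege fault, or None for any other error."""
    error = ET.fromstring(detail_xml).find("error")
    if error is None:
        return None
    match = PATTERN.search(error.findtext("description", default=""))
    if match is None:
        return None
    hr = int(match.group(1))
    privilege_id = match.group(3).lower()
    code = error.findtext("code", default="").strip().lower()
    return {
        "hresult": hresult_hex(hr),
        "code_matches_hr": code == hresult_hex(hr),  # sanity check on the fault
        "user_id": match.group(2).lower(),
        "privilege_id": privilege_id,
        "privilege_name": KNOWN_PRIVILEGES.get(privilege_id, "unknown"),
    }

if __name__ == "__main__":
    print(parse_privilege_fault(SAMPLE_FAULT))
```

Knowing the exact privilege name lets an administrator grant only that privilege through a security role in the affected organisation.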