locked
Teams & Access Denied RRS feed

  • Question

  • I defined a Team "MyTeam" that has the Security Role "MySecurity". Further I have a user "MyUser". When I add "MyTeam" to the teams "MyUser" belongs to I get an access denial when creating certain entities. However, when I add "MySecurity" to "MyUser" then the same entity can be created.

    I was under the impression that by making a user part of a certain team, that user will inherit all the access rights that the team has to which the user belongs. The above seems to suggest otherwise, though. Is my understanding incorrect? If so what are teams good for? If my understanding is correct than what am I doing wrong?

    Friday, October 4, 2013 6:43 PM

Answers

  • that is really strange or maybe that I have to correct my statement "user gets access based on his role + team role" :-|

    Found a blog which provides insight into the teams & roles and discusses these odd behaviors. Below situation from the blog might be something you are experiencing

    2)If a User has no Access to a particular Privilege in any of their own Roles, and they have a Team Role which grants only “User” level access to that Privilege, then this only allows the User to do that action to records which are owned by the Team


    If my response helps you in finding your answer then please click 'Mark as Answer' and 'Vote as Helpful'


    • Edited by Mamatha Swamy Friday, October 4, 2013 11:02 PM
    • Marked as answer by hfaun Saturday, October 5, 2013 2:28 AM
    Friday, October 4, 2013 10:57 PM

All replies

  • When I add "MyTeam" to the teams "MyUser" belongs to I get an access denial when creating certain entities.  

    I don't understand completely this phrase, but if you want to inherit the privileges, the user needs to be a member of the team that has the security role. In your case MyUser needs to be inside the team MyTeam that has the security role MySecurity.


    My blog: www.crmanswers.net

    • Proposed as answer by Mamatha Swamy Friday, October 4, 2013 9:05 PM
    • Unproposed as answer by hfaun Saturday, October 5, 2013 2:29 AM
    Friday, October 4, 2013 8:58 PM
  • Guido, this is exactly what I did. I have a Team "MyTeam". When I open "MyTeam" there is "Members" and "Security Roles" on the left. Clicking on "Members" I see the user "MyUser". When clicking on "Security Roles" I see "MySecurity". So

    MyTeam->Members = MyUser
    MyTeam->Security Roles = MySecurity

    Now for the following I can not create the entity

    MyUser->Teams = MyTeam, MyOrganization
    MyUser->Security Roles = [empty]

    With the following I can create the entity

    MyUser->Teams = MyOrganization
    MyUser->SecurityRoles = MySecurity

    If the user inherits the security role from the team to which he belongs then the first one should work as well. However, it does not.

    Friday, October 4, 2013 9:20 PM
  • A User should have a security role even if he is part of a team that has a role. Please assign a role to the user and then perform your test. You could add a security role with different privileges and then test. Roles in CRM are additive; the user will get privileges that are by his role and then from the teams he is part of.

    Generally minimal access is given to the user using a role and then the access levels are elevated using the teams.


    If my response helps you in finding your answer then please click 'Mark as Answer' and 'Vote as Helpful'


    Friday, October 4, 2013 9:33 PM
  • Mamatha, I have created a new security role with nothing more enabled than what is enable by default for a new security role (very little). Even with that I get the same error. So it seems the security roles inherited from the team to which the user belongs don't propagate.

    Interestingly, when I remove the team then the user has no access anymore. So it seems to inherit something but not everything because it works fine when I assign that same security role to the user instead of the team.

    Friday, October 4, 2013 9:59 PM
  • hfaun,
    I think you are in a situation where "MyUser" belongs to different business unit than "MyTeam" and the privilege to create records is set to "User" or "Business Unit". 

    It is correct?


    My blog: www.crmanswers.net

    Friday, October 4, 2013 10:37 PM
  • Guido, I first thought you might be right but I checked the user, team and security role and all have the same business unit.

    Btw, there is a team that has the same name as the business unit. I don't think I created that. Also every user belongs to that team. When I try to remove that team it says "You cannot remove one or more of the users selected. The membership of default teams cannot be modified."

    Friday, October 4, 2013 10:56 PM
  • that is really strange or maybe that I have to correct my statement "user gets access based on his role + team role" :-|

    Found a blog which provides insight into the teams & roles and discusses these odd behaviors. Below situation from the blog might be something you are experiencing

    2)If a User has no Access to a particular Privilege in any of their own Roles, and they have a Team Role which grants only “User” level access to that Privilege, then this only allows the User to do that action to records which are owned by the Team


    If my response helps you in finding your answer then please click 'Mark as Answer' and 'Vote as Helpful'


    • Edited by Mamatha Swamy Friday, October 4, 2013 11:02 PM
    • Marked as answer by hfaun Saturday, October 5, 2013 2:28 AM
    Friday, October 4, 2013 10:57 PM
  • Mamatha, the part you quoted did not really help me but the rest of the article did. Basically, when a user use the rights from the team the user is acting as the team rather than him/herself. That's the reason it eventually fails because the owners don't match. I am not sure if that was by intention but I would consider it as a bug.
    Saturday, October 5, 2013 2:28 AM