We have created a new user account with CAL Access Mode: Administrative and Security Role: System Administrator just for managing the user accounts in CRM 2015 on premise. But this user account doesn't have access to read or select the Position while creating user accounts. Since we have some business logic based on the selected position, we do not want to create user accounts without a position. I am curious to know why an Administrative account cannot access Position, which is a system entity.
I would appreciate it if you have any solution for this issue.
Thanks
Today I have a very specific problem.
I have four accounts in my organization:
Account_000 - normal account
Account_001 - normal account child
Account_002 - Administrative Account
Account_003 - Root account
I have set up a cross-account Role in Account_002 (administrative) with the following permissions:
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListParents",
"organizations:ListChildren",
"organizations:ListRoots",
"organizations:ListTagsForResource",
"organizations:DescribeOrganizationalUnit",
"account:GetContactInformation"
Account_001 has a lambda function that uses the cross-account role from Account_002 to pull data about all accounts (except the root account) in the organization. It pulls the following information: tags, account ID, join type, join time, account ARN and Contact Information.
When I execute the function, the Account_001 lambda gets the error "not authorized to get contact information".
I can get contact information for each of the accounts in the organization using the CLI from the root account.
I am unable to get contact information for any of the accounts using any account other than root.
How do I make sure that the Administrative account can access contact information about other accounts?
How do I make sure that the lambda function in Account_001 can access contact information from other accounts?
This will hopefully help to demonstrate what I am trying to accomplish.
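The two-hop collection described in this question (Lambda in Account_001 assumes the role in Account_002, then walks the organization), as an added example in Python; it is not code from the post. The role ARN, the management account ID and the stub clients are constructed for the example, and the `get_contact_information` handling records an AccessDenied per account instead of aborting, so a run shows exactly which lookups the calling principal was refused. The comment on `collect_account_inventory` states, as an assumption from the AWS Account Management documentation, the condition under which cross-account contact lookups are honoured at all.

```python
"""Inventory member accounts through a cross-account role (Account_001 -> Account_002).

Added example, not code from the original post. Assumptions (all hypothetical):
  - CROSS_ACCOUNT_ROLE_ARN is the role in the administrative account whose
    permission policy carries the organizations:List* and
    account:GetContactInformation actions listed in the post.
  - The Lambda execution role in Account_001 is allowed to sts:AssumeRole it.
  - MANAGEMENT_ACCOUNT_ID is the root (management) account, which is skipped.
Only build_clients() touches AWS; the collection logic takes client objects so
it runs offline against the stub clients at the bottom of the file.
"""

CROSS_ACCOUNT_ROLE_ARN = "arn:aws:iam::222222222222:role/OrgInventoryRole"  # hypothetical
MANAGEMENT_ACCOUNT_ID = "333333333333"                                       # hypothetical


def build_clients(role_arn=CROSS_ACCOUNT_ROLE_ARN):
    """Assume the cross-account role and return (organizations, account) clients."""
    import boto3  # imported lazily so the rest of the file runs without the SDK
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="org-inventory")["Credentials"]
    session = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"])
    return session.client("organizations"), session.client("account")


def _error_code(exc):
    """Service error code from a botocore ClientError (or a stub with .response)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def list_member_accounts(org, management_account_id=MANAGEMENT_ACCOUNT_ID):
    """Page through ListAccounts, dropping the management account."""
    accounts, token = [], None
    while True:
        resp = org.list_accounts(NextToken=token) if token else org.list_accounts()
        accounts.extend(a for a in resp["Accounts"] if a["Id"] != management_account_id)
        token = resp.get("NextToken")
        if not token:
            return accounts


def collect_account_inventory(org, account, management_account_id=MANAGEMENT_ACCOUNT_ID):
    """Return {account_id: record} with ARN, join details, tags and contact info.

    Assumption (AWS Account Management docs): GetContactInformation with an
    AccountId other than the caller's own is only honoured when the caller is
    the management account or a registered delegated administrator for Account
    Management (trusted access enabled in Organizations). A plain cross-account
    IAM role does not qualify even if its policy allows the action, which is
    the symptom in the post; such refusals are recorded per account here.
    """
    inventory = {}
    for acct in list_member_accounts(org, management_account_id):
        record = {
            "Arn": acct["Arn"],
            "JoinedMethod": acct["JoinedMethod"],
            "JoinedTimestamp": str(acct["JoinedTimestamp"]),
            "Tags": {t["Key"]: t["Value"]
                     for t in org.list_tags_for_resource(ResourceId=acct["Id"])["Tags"]},
        }
        try:
            record["Contact"] = account.get_contact_information(
                AccountId=acct["Id"])["ContactInformation"]
        except Exception as exc:
            if _error_code(exc) != "AccessDeniedException":
                raise
            record["Contact"], record["Error"] = None, "AccessDeniedException"
        inventory[acct["Id"]] = record
    return inventory


# --- constructed stub clients so the logic above runs offline -----------------
class StubError(Exception):
    """Mimics the .response shape of botocore.exceptions.ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class StubOrganizations:
    """Four accounts mirroring the post; ListAccounts is paged two per call."""
    ACCOUNTS = [
        {"Id": i, "Arn": "arn:aws:organizations::333333333333:account/o-example/" + i,
         "JoinedMethod": m, "JoinedTimestamp": t}
        for i, m, t in [("000000000000", "INVITED", "2021-03-01T00:00:00Z"),
                        ("111111111111", "CREATED", "2021-04-01T00:00:00Z"),
                        ("222222222222", "CREATED", "2021-05-01T00:00:00Z"),
                        ("333333333333", "INVITED", "2020-01-01T00:00:00Z")]]

    def list_accounts(self, NextToken=None):
        start = int(NextToken or 0)
        page = {"Accounts": self.ACCOUNTS[start:start + 2]}
        if start + 2 < len(self.ACCOUNTS):
            page["NextToken"] = str(start + 2)
        return page

    def list_tags_for_resource(self, ResourceId):
        return {"Tags": [{"Key": "owner", "Value": "team-" + ResourceId[-3:]}]}


class StubAccount:
    """Allows contact lookups only for the account IDs in `allowed`."""
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def get_contact_information(self, AccountId=None):
        if AccountId in self.allowed:
            return {"ContactInformation": {"FullName": "Cloud Ops", "CountryCode": "US"}}
        raise StubError("AccessDeniedException")


if __name__ == "__main__":
    import json
    # Reproduce the post's symptom: only the caller's own contact info is readable.
    print(json.dumps(collect_account_inventory(
        StubOrganizations(), StubAccount({"111111111111"})), indent=2))
```

For a live run, replace the stubs with `org, account = build_clients()`; the output will then list, per member account, either the contact record or an `AccessDeniedException` marker, which is the quickest way to confirm whether the caller has been registered as a delegated administrator.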
I want to create an application user in my Dynamics 365 Environment.
On the Security -> Users -> Application Users -> New User, the Application user form is not present.
I checked in Customize my System -> User Form. The Application user form was inactive.
I activated the form.
However, when I tried to publish all customizations, I was thrown an error:
Insufficient PermissionsPrincipal user (Id=<>, type=8, roleCount=2, privilegeCount=564, accessMode=1(Setup/Stub user with filtered privileges from associated roles. Consider changing user AccessMode to Full (without privilege filtering))), is missing prvReadAppModule privilege (Id=<>) on OTC=9006 for entity 'appmodule'. context.Caller=<>. Or identityUser.SystemUserId=<>, identityUser.Privileges.Count=3016, identityUser.Roles.Count=0 is missing prvReadAppModule privilege (Id=<>) on OTC=<>for entity 'appmodule'. If you contact support, please provide the technical details.
My user account has the "Dynamics 365 Customer Service Enterprise" License assigned.
Make sure your CRM user profile has the System Administrator or System Customizer role before publishing any customizations.
Also, the CAL Access Mode should be either Administrative or Read-Write.
We are trying to create a separate Admin role to assign to users so that they are able to call the Google Classroom API (domain). If we set them to 'super admin' it works, but we do not want to give these users super admin permissions. Does anyone know of a guide or the settings to configure for this?
Answer:
There is no role apart from Super Admin that will let a user make all these actions. You can check that by assigning custom admin roles to the user. Even if all possible privileges are checked, if the user is not a Super Admin, the user cannot act as a domain administrator in Classroom API.
What non-Super Admins can do:
Non-super admin users can only access courses they are part of (as teachers, or students), not all courses in the domain.
They can remove students and other teachers from courses they own directly via courses.teachers.delete and courses.students.delete, but they cannot directly add new students and teachers to their courses via courses.teachers.create and courses.students.create. Only domain administrators (Super Admins) can do that. Non-admins must first send an invitation via invitations.create(), and obtain the user's consent.
Update: Service Accounts:
You can also make your application use a Service Account in order to impersonate a Super Admin, so that this account can act on behalf of this admin, and do what the admin can do. To do this, you would have to create the Service Account and delegate domain-wide authority to it, by visiting the Admin console and following the steps specified here.
Beware, granting domain-wide delegation is a very powerful tool, since it gives the Service Account the ability to act on behalf of any user in the domain, so it could be easily abused if not managed carefully (without domain-wide delegation, a Service Account is similar to a regular account, and it can only access resources that have been created by it, shared with it, etc., like a regular account).
Anyway, once the domain-wide delegation is created, using the Service Account in your application is very similar to using a regular account. In the application, you have to build the credentials and then specify which user should be impersonated by the account by writing the user's email address. I don't know which language you are using, but you can find code snippets to do this in Java and Python here, or with Node here.
Reference:
Create custom administrator roles
Manage Teachers and Students
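The service-account path described in the answer above (build credentials, impersonate a Super Admin, then call Classroom as that admin), as an added Python example that is not the answer's own snippet. The key file path, the admin address and the stub service are constructed; the scope list is deliberately the narrowest that covers course discovery plus roster changes, because with domain-wide delegation those scopes can be exercised on behalf of any user in the domain. `list_all_courses` follows `nextPageToken`, which is the part exercised offline.

```python
"""Call the Classroom API as a Super Admin through a delegated service account.

Added example, not code from the answer above. Hypothetical values: KEY_FILE
(the service account's JSON key) and ADMIN_SUBJECT (the Super Admin to
impersonate). The service account's client ID must be granted domain-wide
delegation in the Admin console for exactly the scopes in SCOPES. Network
access happens only in delegated_classroom(); the other helpers take a service
object so they run offline with the stub at the bottom.
"""

KEY_FILE = "classroom-sa-key.json"             # hypothetical path
ADMIN_SUBJECT = "classroom-admin@example.edu"  # hypothetical Super Admin

# Keep the delegated scope set as narrow as the job needs: with domain-wide
# delegation these scopes can be exercised on behalf of *any* domain user.
SCOPES = [
    "https://www.googleapis.com/auth/classroom.courses.readonly",
    "https://www.googleapis.com/auth/classroom.rosters",
]


def delegated_classroom(subject=ADMIN_SUBJECT, key_file=KEY_FILE, scopes=SCOPES):
    """Build a Classroom v1 service whose tokens are minted for `subject`."""
    from google.oauth2 import service_account      # google-auth
    from googleapiclient.discovery import build    # google-api-python-client
    creds = service_account.Credentials.from_service_account_file(key_file, scopes=scopes)
    # with_subject() is the impersonation step; without it the service account
    # only sees courses it owns or was given access to, like any regular account.
    return build("classroom", "v1", credentials=creds.with_subject(subject))


def list_all_courses(service, page_size=100):
    """Follow nextPageToken until courses.list is exhausted."""
    courses, token = [], None
    while True:
        params = {"pageSize": page_size}
        if token:
            params["pageToken"] = token
        resp = service.courses().list(**params).execute()
        courses.extend(resp.get("courses", []))
        token = resp.get("nextPageToken")
        if not token:
            return courses


def add_teacher(service, course_id, teacher_email):
    """Direct add with no invitation/consent step; this only succeeds because the
    impersonated subject is a domain administrator (see the answer above)."""
    return service.courses().teachers().create(
        courseId=course_id, body={"userId": teacher_email}).execute()


# --- constructed stub mimicking the discovery client's chained calls ---------
class StubClassroom:
    """Five courses served in pages; records teacher adds for inspection."""
    COURSES = [{"id": str(n), "name": "Course %d" % n} for n in range(1, 6)]

    def __init__(self):
        self.added = []
        self._pending = None

    def courses(self):
        return self

    def teachers(self):
        return self

    def list(self, pageSize=100, pageToken=None):
        start = int(pageToken or 0)
        page = {"courses": self.COURSES[start:start + pageSize]}
        if start + pageSize < len(self.COURSES):
            page["nextPageToken"] = str(start + pageSize)
        self._pending = page
        return self

    def create(self, courseId, body):
        self.added.append((courseId, body["userId"]))
        self._pending = {"courseId": courseId, "userId": body["userId"]}
        return self

    def execute(self):
        return self._pending


if __name__ == "__main__":
    svc = StubClassroom()  # swap for delegated_classroom() in a real deployment
    print([c["id"] for c in list_all_courses(svc, page_size=2)])
    print(add_teacher(svc, "3", "teacher@example.edu"))
```

Scope names passed to `from_service_account_file` must match the set authorised in the Admin console entry for the service account's client ID; a mismatch fails at token minting rather than at the API call, which is worth knowing when debugging.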
CRM 2015: I want to be able to create a role for local IT to be able to add user accounts and assign roles.
Regarding the 'adding roles' portion, is it simple enough just to create a role for local IT to 'write' to 'security roles' in the 'business management' tab of 'security roles' at the user level?
No, this is not that simple. A user cannot give another user a privilege higher than he has (it would be a serious security hole). So, for example, you have a role to edit Security Roles and you have Read access for Accounts in your Business Unit. If somebody in your Business Unit has no Read access, or only User access, you can give him Read access for the Business Unit (the same as you have), but you will not be able to give him Organization access (higher than yours). You can imagine that if this were possible, you would be able to basically give yourself the Admin privilege and do whatever you want in CRM.
Knowing that, it should be possible for you to create a role that, for example, has full access to Accounts, Contacts, custom entities etc. and to Security Roles. This role would be able to modify other users' access levels to Accounts, Contacts etc., but not to other entities that they don't have privileges for.
Exactly the same logic applies to assigning Security Roles. So user A cannot assign a Security Role to user B if it gives user B privileges higher than user A has.
In the end, it is very hard to properly implement the scenario that you described, because there are so many privileges and a user needs to have a lot of them to even use CRM. I've tried this once but could not satisfy the business requirement; it always ended up with using the System Admin role, because there was always some scenario that could not be handled by a user with only this "specific" security modification role.
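The rule the answer above describes (a user can only grant or assign what they already hold, compared per privilege and per access depth) as an added Python model, not code from the post or from Dynamics CRM. It folds a user's roles into an effective depth per privilege and reports every privilege in a proposed role that would exceed the granter's own depth, which is the check CRM applies implicitly and the list an administrator would want in an audit trail. The depth names follow the answer's wording; the role contents are constructed sample data.

```python
"""Model of the CRM rule "you cannot grant more than you hold" (added example).

Not code from the post or from Dynamics CRM. A security role is modelled as
{privilege: depth}; a user's effective rights are the deepest access level
held across their roles; an assignment is refused when the target role would
give a depth the granter lacks. Role contents below are constructed sample
data; privilege names follow CRM's prv<Action><Entity> pattern.
"""
# Access depths in the order the answer uses: User < Business Unit <
# Parent:Child Business Units < Organization.
DEPTH = {"None": 0, "User": 1, "BusinessUnit": 2, "ParentChild": 3, "Organization": 4}
NAME = {v: k for k, v in DEPTH.items()}


def effective_privileges(roles):
    """Union of roles: for each privilege keep the deepest access level held."""
    effective = {}
    for role in roles:
        for priv, depth in role.items():
            effective[priv] = max(effective.get(priv, 0), DEPTH[depth])
    return effective


def grant_violations(granter_roles, role_to_assign):
    """Privileges in role_to_assign whose depth exceeds what the granter holds.

    Returns [] when the assignment is allowed under the rule in the answer,
    otherwise (privilege, requested_depth, granter_depth) triples explaining
    the refusal. A privilege the granter lacks entirely shows as "None".
    """
    have = effective_privileges(granter_roles)
    return [(priv, depth, NAME[have.get(priv, 0)])
            for priv, depth in role_to_assign.items()
            if DEPTH[depth] > have.get(priv, 0)]


def can_assign(granter_roles, role_to_assign):
    return not grant_violations(granter_roles, role_to_assign)


# Constructed sample roles
LOCAL_IT = {                                   # the "specific" role the post asks about
    "prvReadAccount": "BusinessUnit",
    "prvWriteAccount": "BusinessUnit",
    "prvReadRole": "Organization",
    "prvWriteRole": "Organization",
}
SALESPERSON_BU = {"prvReadAccount": "BusinessUnit", "prvWriteAccount": "User"}
SALES_MANAGER_ORG = {"prvReadAccount": "Organization", "prvReadContact": "BusinessUnit"}

if __name__ == "__main__":
    # Same depth as the granter: allowed. Deeper (Organization) or a privilege
    # the granter does not hold at all (prvReadContact): refused with reasons.
    print(can_assign([LOCAL_IT], SALESPERSON_BU))
    for priv, wanted, held in grant_violations([LOCAL_IT], SALES_MANAGER_ORG):
        print("refused: %s wants %s, granter has %s" % (priv, wanted, held))
```

The second case is exactly why the answer ends up at System Administrator: as soon as the target role needs any privilege or depth the local IT role does not itself carry, the assignment is refused, and in practice that list grows until the granter role is effectively an administrator.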
Assigning 'System Administrator' security role and changing Access Mode in user record to 'Administrative' helped me to achieve this. User still cannot access any transaction data. So, I think you can go for this approach.
We are trying to create a web application that can create Service Activity entities in CRM Online. The web application stalls out with the error "Principal team (Id=fee1cfb8-9e6e-e511-80e7-3863bb36ebd8, type=9) is missing prvReadActivity privilege (Id=650c14fe-3521-45fe-a000-84138688e45d)."
I have located the Security Roles area of CRM Online but I am unable to determine WHICH of the roles corresponds to prvReadActivity, and for which entity.
Does anyone know how to apply prvReadActivity privilege to a team?
Thank you everyone!
prvReadActivity is the privilege for reading the activity entities. Check out "Security role UI to privilege mapping" for a mapping.
A single security role can contain many privileges. If you open a security role, on the core tab at the top there should be a row for Activity. So give your team a security role which contains access to the Activity entity; try testing with System Administrator to be sure, as that has access to everything.