How to assign prvReadActivity to a prinicipal team - dynamics-crm-online

We are trying to create a web application that can create Service Activity entities in CRM Online. The web application stalls out with the error "Principal team (Id=fee1cfb8-9e6e-e511-80e7-3863bb36ebd8, type=9) is missing prvReadActivity privilege (Id=650c14fe-3521-45fe-a000-84138688e45d)."
I have located the Security Roles area of CRM Online but I am unable to determine WHICH of the roles corresponds to prvReadActivity, and for which entity.
Does anyone know how to apply prvReadActivity privilege to a team?
Thank you everyone!

prvReadActivity is a privileges for read of the activity entities. Check out Security role UI to privilege mapping for a mapping.
A single security role can contain many privileges. If you open a security role on the core tab, at the top there should be a row for activity. So give your team a security role which contains access to the activity entity, try testing with system administrator to be sure as that has access to everything.

Related

In Oracle ERP cloud how to get deeper details of Roles which includes Function Security Policies,DataSecurityPolicies,RoleHierarchy of particular Role

We are doing lot of analysis around this but not getting solution for this requirement
Basically we want to fetch deeper details of Roles which includes Function Security Policies, Data Security Policies, Role Hierarchy of particular Role
Theses details we are easily getting from Oracle ERP Cloud UI in Security Console but we want to fetch these details from Rest/Soap API due to some of our business needs
We found one API which works great but gives us only basic info of Role
/hcmRestApi/scim/Roles/
Is there any way to get these details, this is becoming roadblock for us to use Oracle ERP cloud.
Thanks In Advance..!!
SCIM REST API you cannot get the function security policies, data security policies and role hierarchy of particular role but by running the "User And Role Access Audit Report" you can View all roles, privileges, and data security
You would have to run "Import User and Role Application Security Data process" to get data populated before running the "user and role access audit report"
So we have to go via Reporting

Dynamics CRM entity Security roles

Which Dynamics CRM entity should be assigned to a Security role, so that the user has access to the Security roles module and in turn they can create security roles?
You will have to assign System Customizer role in Dynamics CRM to the user.
Please mark my answer verified if i were helpful
Have you provided read access to SettingsSiteMap under CustomEntities?
If not request you add that, it might help.
Also provide Create, Read and Write access to Security Role entity under Business Management if not done already.
Thanks!
You should create a new custom security role that only has access to "Security Role" entity and give to whoever needed it.
Create an administrative user and prevent elevation of security role privilege

Which security role in Dynamics CRM can disable users from modifying access teams?

I am customizing Dynamics CRM, and I am modifying access teams through coding. But I don't want users to be able to add access teams from screen. I cannot find the permission for that; can someone tell me where is it in the security role?
You have to identify the security role for users to limit the permission and remove the share privilege on that security role for that Access teams enabled entity. Read more
You can control who can add members to the Access Team subgrid. Only users with share privilege for the entity on which the access team exists can add or remove members from the Access Team subgrid. This makes sense—by adding people to the Access Team, you are in effect sharing the record with the people on the team.
You need a developer do that because it should modify the ribbon command in the systemuser entity.

How to grant read-write access request to a specific record of an entity to an user in Dynamics 365?

In Dynamics-365 crm, I want to grant read-write access request to an user of D-365 to a specific record of an entity if the user is not privileged with that privileges.
I did that by assigning some sort of security roles to that user. But I can't do that by modifying security role.
So how can I do that without assigning security role?
You can achieve the same share functionality in code using GrantAccessRequest, refer my another Stack Overflow answer for C# plugin example.
For web api, your org has to be greater than v9.0 as GrantAccess message was not available in web api till v8.2
Still to achieve this object based security model, you should give users privilege to read-write that entity records through role based security model. Without user having entity edit privilege in security role they cannot edit by getting record sharing.
Read more: Use record-based security to control access to records
If you do not wish to change/update your security Roles, then you can do so by sharing a particular Record with Either Team or User.Below 2 images will help you explain how to share a Record.
Now this process below is manual and you could achieve this process programmatically as well using C# i.e server side coding
Note:
If this solves your problem do mark this answer as solved.

Creating a security role to be able to only create roles and users without having system admin role

CRM 2015: I want to be able to create a role for local IT to be able to add user accounts and assign roles.
Regarding the 'adding roles' portion, is it simple enough just to create a role for local IT to 'write' to 'security' roles in the'business management' tab of 'security roles' at the user level?
No, this is not that simple. User cannot give another user privilege higher than he has (it would be a serious security hole). So for example you have role to edit Security roles and you have Read access for Accounts in your Business Units. If somebody in your Business unit has no Read access and only User access, you can add him Read access for Business Unit (the same you have), but you will not be able to give him Organizational access (so higher than yours). You could imagine that if this would be possible, you will be able to basically give yourself Admin privilege and do whatever you want in CRM.
Knowing that, it should be possible for you to create a role that for example have full access to Accounts, Contacts, Custom entities etc. and Security Roles. This role would be able to modify other users access levels to Accounts, Contacts etc. but no other entities that they don't have privilege to.
Exactly the same logic applies to assigning the Security Roles. So user A cannot assign a Security Role to user B, if it gives user B privileges higher than has User A.
In the end, it is very hard to properly implement the scenario that you described, because there are so many privileges and user needs to have a lot of them to even use the CRM. I've tried this once but could not satisfy the business requirement - it always ended up with using System Admin role, because there was always some scenario that could have not been handled by a user only with this "specific" security modification role.
Assigning 'System Administrator' security role and changing Access Mode in user record to 'Administrative' helped me to achieve this. User still cannot access any transaction data. So, I think you can go for this approach.

Resources