After upgrading to Microsoft Dynamics CRM 2011, an error occurs: "The logged-on user does not have the appropriate security permissions to view these records or perform the specific action"

Applies to: Microsoft Dynamics CRM 2011Dynamics CRM 4.0

Symptoms


After upgrading to Microsoft Dynamics CRM 2011, a user may encounter the error below when trying to perform an action in Microsoft Dynamics CRM:

The logged on user does not have the appropriate security permissions to view these records or perform the specific action.



If the Microsoft Dynamics CRM platform trace is enabled, the platform trace includes the following error information:>MSCRM Error Report:


--------------------------------------------------------------------------------------------------------
Error: Server was unable to process request.
Error Number: 0x80040220
Error Message: SecLib::CrmCheckPrivilege failed. Returned hr = -2147220960 on UserId: e65023ae-54d1-da11-8e39-00145e3d5192 and PrivilegeId: a8ecac53-09e8-4a13-b598-8d8c87bc3d33


Note In this example information, the UserId value and the PrivilegeId value are placeholders for the actual values.

Cause


When you upgrade to Microsoft Dynamics CRM 2011, custom security roles are not automatically granted privileges to all the new features. Only Out-of-the-box roles will be granted default privileges.

This problem may also occur if the user's role is not granted a privilege that is required to perform the action. This situation may occur if one of the following conditions are true:
  • The role was created from scratch.
  • The role was copied from a standard role. Then, the role was edited extensively.

Resolution


To resolve this problem, follow these steps.

Note These steps require you to have information from the Microsoft Dynamics CRM platform trace.
  1. In the error information that appears in the Microsoft Dynamics CRM platform trace, locate the PrivilegeId value.
  2. Determine the missing privilege by running an SQL query that uses the PrivilegeId value. For example, run an SQL query that resembles the following against the OrganizationName_MSCRM database:
    select Name, * from PrivilegeBase where PrivilegeId = 'a8ecac53-09e8-4a13-b598-8d8c87bc3d33'
  3. To grant the missing privilege to the user, follow these steps:
    1. Start Microsoft Dynamics CRM 2011.
    2. Click Settings, click Administration under Settings, and then click Security Roles.
    3. Double-click the role that is assigned to the user.
    4. Grant the missing privilege to the user's role. For example, to grant the prvReadLead privilege to the user's role, click the Core Records tab, and then on the Lead row, click the appropriate Read privilege.
    5. Click Save and Close.