eService security role requirements

Jan 6, 2009 at 7:41 PM

Does anyone have a definitive list of the security role requirements to allow the eService Accelerator to access CRM? I have it working using an admin account, but it fails with my limited security role.

I found this in the documentation:

- Read/Create/Update Cases, Notes and Document Attachments (annotations)

- Read/Create service activities

- Read/Send emails

- Read/Create/Update the custom entities included with this accelerator


I found this in the code:

- The portal Web User must have Read, Write, and AppendTo permissions on the Account, Contact, Incident, and Activity entities.


I set permissions as noted, but it still fails on a service.execute request.  Does anyone know the security role requirements? 

Thanks for reading.

Jan 17, 2009 at 5:29 AM
I am having a similar problem even when I set the role for the account to system admin; it reports an error of "The portal Web User must have Read, Write, and AppendTo permissions on the Account, Contact, Incident, and Activity entities." Over the course of trying to get this working, I've even gone so far as to use this same account for the IIS anonymous user, the app pool service account, dbo of the accessdb SQL database, and gave it read/write/modify/etc. on the file system where the sample site resides. I've checked that all the web.config "msa." entries are correct by logging in to CRM from the server using the account in question. In spite of all this I still get the following error:

Server Error in '/' Application.

The portal Web User must have Read, Write, and AppendTo permissions on the Account, Contact, Incident, and Activity entities.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ApplicationException: The portal Web User must have Read, Write, and AppendTo permissions on the Account, Contact, Incident, and Activity entities.

Source Error:

Line 72:         if (retrieveResponse.BusinessEntityCollection.BusinessEntities.Count != privilegeNames.Count)
Line 73:         {
Line 74:             throw new ApplicationException("The portal Web User must have Read, Write, and AppendTo permissions on the Account, Contact, Incident, and Activity entities.");
Line 75:         }
Line 76:     }

Source File: [snip]\eservice\App_Code\eService\PermissionsUtility.cs    Line: 74

Stack Trace:

[ApplicationException: The portal Web User must have Read, Write, and AppendTo permissions on the Account, Contact, Incident, and Activity entities.]
   PermissionsUtility.ValidateCrmPermissions(CrmService service, Guid userId, String[] entitiesToCheck) in [snip]\eservice\App_Code\eService\PermissionsUtility.cs:74
   Controls_LoginControl.OnInit(EventArgs e) in [snip]\eservice\Controls\LoginControl.ascx.cs:17
   System.Web.UI.Control.InitRecursive(Control namingContainer) +333
   System.Web.UI.Control.InitRecursive(Control namingContainer) +210
   System.Web.UI.Control.InitRecursive(Control namingContainer) +210
   System.Web.UI.Control.InitRecursive(Control namingContainer) +210
   System.Web.UI.Control.InitRecursive(Control namingContainer) +210
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +378


Version Information: Microsoft .NET Framework Version:2.0.50727.3053; ASP.NET Version:2.0.50727.3053


From the error it looks like a problem authenticating to the CRM service to me; the only other thing I can think of that isn't using the same login that has all these obscenely high permissions is my SQL connection strings, which are:

<add name="SQLConnectionString" connectionString="Data Source=.\SQLExpress;integrated security=true;attachdbfilename=|App_Data|SmallCompanyDB.mdf;user instance=true"/>
[have tried with the default =|DataDirectory|SmallCompanyDB.mdf; etc. as well]

<add name="LocalSqlServer" connectionString="Server=MSDYNCRM02\CRMS;Database=aspnetdb;integrated security=true;"/>
[have tried without the \CRMS instance identifier as well]


As noted, the account used is a dbo for the second of those strings.  What should I be looking at?

Thanks for any assistance.
Jan 17, 2009 at 6:01 AM

Here's the event log output from a failed attempt. I find it odd to see it's recording the URL as localhost instead of the one in the web.config:
<add key="msa.CRMServerUrl" value="http://MSDYNCRM02.domain.com:5555/MSCRMServices"/>

Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: Web Event
Event ID: 1309
Date:  1/16/2009
Time:  9:43:05 PM
User:  N/A
Computer: MSDYNCRM02
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 1/16/2009 9:43:05 PM
Event time (UTC): 1/17/2009 5:43:05 AM
Event ID: 2a08b27e29ed42d89bcdeea4db59ec82
Event sequence: 12
Event occurrence: 5
Event detail code: 0
 
Application information:
    Application domain: /LM/W3SVC/1754894026/Root-3-128766443094469091
    Trust level: Full
    Application Virtual Path: /
    Application Path: [snip]\eservice\
    Machine name: MSDYNCRM02 
 
Process information:
    Process ID: 6320
    Process name: w3wp.exe
    Account name: ADDomain\eservicedroid
 
Exception information:
    Exception type: ApplicationException
    Exception message: The portal Web User must have Read, Write, and AppendTo permissions on the Account, Contact, Incident, and Activity entities.
 
Request information:
    Request URL: http://localhost:4444/CustomerLogin.aspx?ReturnUrl=%2feService%2fDefault.aspx
    Request path: /CustomerLogin.aspx
    User host address: 127.0.0.1
    User: 
    Is authenticated: False
    Authentication Type: 
    Thread account name: ADDomain\eservicedroid
 
Thread information:
    Thread ID: 11
    Thread account name: ADDomain\eservicedroid
    Is impersonating: False
    Stack trace:    at PermissionsUtility.ValidateCrmPermissions(CrmService service, Guid userId, String[] entitiesToCheck) in [snip]\eservice\App_Code\eService\PermissionsUtility.cs:line 74
   at Controls_LoginControl.OnInit(EventArgs e) in [snip]\eservice\Controls\LoginControl.ascx.cs:line 17
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Control.InitRecursive(Control namingContainer)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 
 
Custom event details:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Jan 17, 2009 at 6:05 AM
Using localhost:5555 or localhost:4444 to access CRM/eService respectively seems to work just fine, however, so that also doesn't seem likely to be the cause.

Could really use some pointers on this one, thank you.
Jan 22, 2009 at 12:09 AM
I have moved my issue to the Issue Tracker thread. Sorry for misunderstanding the division; the instructions said "discussions" were being split into two areas, not that there was an area called discussions for non-tech and Issues for tech.

That aside, I remain very interested in the definitive accounting of the recommended CRM permission settings for the eService app login that this gentleman has requested. Even the C# comments I saw while trolling through the site code seem to assume the permissions will be quite specific, though I have not seen this to be the case anywhere, nor even possible to do and maintain expected functionality. Hope we'll hear something back soon!

// The next calculation assumes that there are 3 permissions to check: Read, Write and AppendTo
// for the default portal setup, this will be multiplied by 4 (Account, Contact, Case and Activity)
// The suggestion is to set up a custom security role for the web account to limit security risks.
if (retrieveResponse.BusinessEntityCollection.BusinessEntities.Count != privilegeNames.Count)
{
    throw new ApplicationException("The portal Web User must have Read, Write, and AppendTo permissions on the Account, Contact, Incident, and Activity entities.");
}

Apr 5, 2010 at 1:58 PM

I started with a role with zero rights and began adding rights as needed until the eService application worked.  Here is the customization XML of the role if anyone is interested.

<ImportExportXml version="4.0.0.0" languagecode="1033" generatedBy="OnPremise">
  <Entities>
  </Entities>
  <Roles>
    <Role id="{7f181b98-e838-df11-9c30-001ec9cbd070}" name="eService Role">
      <RolePrivilege name="prvReadAccount" level="Global" />
      <RolePrivilege name="prvWriteAccount" level="Global" />
      <RolePrivilege name="prvAppendToAccount" level="Global" />
      <RolePrivilege name="prvReadContact" level="Global" />
      <RolePrivilege name="prvWriteContact" level="Global" />
      <RolePrivilege name="prvAppendToContact" level="Global" />
      <RolePrivilege name="prvReadActivity" level="Global" />
      <RolePrivilege name="prvWriteActivity" level="Global" />
      <RolePrivilege name="prvAppendToActivity" level="Global" />
      <RolePrivilege name="prvCreateNote" level="Global" />
      <RolePrivilege name="prvReadNote" level="Global" />
      <RolePrivilege name="prvWriteNote" level="Global" />
      <RolePrivilege name="prvAppendNote" level="Global" />
      <RolePrivilege name="prvAppendToSubject" level="Global" />
      <RolePrivilege name="prvReadDuplicateRule" level="Local" />
      <RolePrivilege name="prvCreateMailMergeTemplate" level="Basic" />
      <RolePrivilege name="prvReadMailMergeTemplate" level="Basic" />
      <RolePrivilege name="prvWriteMailMergeTemplate" level="Basic" />
      <RolePrivilege name="prvDeleteMailMergeTemplate" level="Basic" />
      <RolePrivilege name="prvAssignMailMergeTemplate" level="Basic" />
      <RolePrivilege name="prvShareMailMergeTemplate" level="Global" />
      <RolePrivilege name="prvReadArticle" level="Global" />
      <RolePrivilege name="prvCreateIncident" level="Global" />
      <RolePrivilege name="prvReadIncident" level="Global" />
      <RolePrivilege name="prvWriteIncident" level="Global" />
      <RolePrivilege name="prvAppendIncident" level="Global" />
      <RolePrivilege name="prvAppendToIncident" level="Global" />
      <RolePrivilege name="prvAssignIncident" level="Global" />
      <RolePrivilege name="prvReadOrganization" level="Global" />
      <RolePrivilege name="prvReadBusinessUnit" level="Local" />
      <RolePrivilege name="prvReadUser" level="Local" />
      <RolePrivilege name="prvReadUserSettings" level="Basic" />
      <RolePrivilege name="prvWriteUserSettings" level="Basic" />
      <RolePrivilege name="prvReadTeam" level="Local" />
      <RolePrivilege name="prvReadRole" level="Local" />
      <RolePrivilege name="prvReadLicense" level="Global" />
      <RolePrivilege name="prvReadTransactionCurrency" level="Global" />
      <RolePrivilege name="prvAppendTransactionCurrency" level="Global" />
      <RolePrivilege name="prvAppendToTransactionCurrency" level="Global" />
      <RolePrivilege name="prvMailMerge" level="Global" />
      <RolePrivilege name="prvWebMailMerge" level="Global" />
      <RolePrivilege name="prvCreateMSA_eserviceauditcontact" level="Global" />
      <RolePrivilege name="prvReadMSA_eserviceauditcontact" level="Global" />
      <RolePrivilege name="prvCreateMSA_eserviceauditcase" level="Global" />
      <RolePrivilege name="prvReadMSA_eserviceauditcase" level="Global" />
      <RolePrivilege name="prvCreateMSA_eserviceauditaccount" level="Global" />
      <RolePrivilege name="prvReadMSA_eserviceauditaccount" level="Global" />
      <RolePrivilege name="prvCreateMSA_eserviceconfiguration" level="Global" />
      <RolePrivilege name="prvReadMSA_eserviceconfiguration" level="Global" />
      <RolePrivilege name="prvReadEntity" level="Global" />
      <RolePrivilege name="prvReadAttribute" level="Global" />
      <RolePrivilege name="prvReadRelationship" level="Global" />
      <RolePrivilege name="prvReadCustomization" level="Global" />
      <RolePrivilege name="prvReadQuery" level="Global" />
      <RolePrivilege name="prvReadAsyncOperation" level="Basic" />
      <RolePrivilege name="prvAppendConstraint" level="Global" />
      <RolePrivilege name="prvShareCustomerOpportunityRole" level="Basic" />
      <RolePrivilege name="prvCreateImportFile" level="Local" />
      <RolePrivilege name="prvAssignCustomerOpportunityRole" level="Basic" />
      <RolePrivilege name="prvAppendToQueueItem" level="Global" />
      <RolePrivilege name="prvReadOrganizationUI" level="Global" />
      <RolePrivilege name="prvReadApplicationFile" level="Global" />
      <RolePrivilege name="prvAppendToMailMergeTemplate" level="Basic" />
      <RolePrivilege name="prvReadWizardAccessPrivilege" level="Global" />
      <RolePrivilege name="prvReadSdkMessageProcessingStep" level="Global" />
      <RolePrivilege name="prvReadPluginType" level="Global" />
      <RolePrivilege name="prvAppendToImportData" level="Global" />
      <RolePrivilege name="prvDeleteImportJob" level="Basic" />
      <RolePrivilege name="prvAppendImportLog" level="Global" />
      <RolePrivilege name="prvReadImportFile" level="Local" />
      <RolePrivilege name="prvShareImportLog" level="Global" />
      <RolePrivilege name="prvDeleteUserSettings" level="Basic" />
      <RolePrivilege name="prvReadImportJob" level="Basic" />
      <RolePrivilege name="prvAppendImportJob" level="Basic" />
      <RolePrivilege name="prvReadSdkMessageProcessingStepImage" level="Global" />
      <RolePrivilege name="prvAssignImportFile" level="Local" />
      <RolePrivilege name="prvAppendTeam" level="Global" />
      <RolePrivilege name="prvDeleteImportData" level="Global" />
      <RolePrivilege name="prvWriteImportFile" level="Local" />
      <RolePrivilege name="prvReadPluginAssembly" level="Global" />
      <RolePrivilege name="prvReadQueueItem" level="Global" />
      <RolePrivilege name="prvReadEntityMap" level="Global" />
      <RolePrivilege name="prvCreateImportLog" level="Global" />
      <RolePrivilege name="prvShareImportData" level="Global" />
      <RolePrivilege name="prvAppendToQuery" level="Global" />
      <RolePrivilege name="prvAppendToImportJob" level="Basic" />
      <RolePrivilege name="prvReadImportData" level="Global" />
      <RolePrivilege name="prvCreateQueueItem" level="Global" />
      <RolePrivilege name="prvCreateImportJob" level="Basic" />
      <RolePrivilege name="prvAppendRole" level="Global" />
      <RolePrivilege name="prvCreateImportData" level="Global" />
      <RolePrivilege name="prvAppendImportData" level="Global" />
      <RolePrivilege name="prvAppendToImportLog" level="Global" />
      <RolePrivilege name="prvWriteImportJob" level="Basic" />
      <RolePrivilege name="prvWriteImportData" level="Global" />
      <RolePrivilege name="prvDeleteImportLog" level="Global" />
      <RolePrivilege name="prvAppendToRole" level="Global" />
      <RolePrivilege name="prvQuickCreate" level="Global" />
      <RolePrivilege name="prvAssignImportData" level="Global" />
      <RolePrivilege name="prvReadSdkMessage" level="Global" />
      <RolePrivilege name="prvReadAttributeMap" level="Global" />
      <RolePrivilege name="prvReadImportLog" level="Global" />
      <RolePrivilege name="prvAppendToCustomerOpportunityRole" level="Basic" />
      <RolePrivilege name="prvAppendToWorkflow" level="Basic" />
      <RolePrivilege name="prvShareCustomerRelationship" level="Basic" />
      <RolePrivilege name="prvReadWizardPage" level="Global" />
      <RolePrivilege name="prvWriteQueueItem" level="Global" />
      <RolePrivilege name="prvShareImportFile" level="Deep" />
      <RolePrivilege name="prvAppendImportFile" level="Local" />
      <RolePrivilege name="prvAssignCustomerRelationship" level="Basic" />
      <RolePrivilege name="prvDeleteQueueItem" level="Global" />
      <RolePrivilege name="prvAppendQueueItem" level="Global" />
      <RolePrivilege name="prvAppendToUserSettings" level="Basic" />
      <RolePrivilege name="prvDeleteImportFile" level="Local" />
      <RolePrivilege name="prvReadWebWizard" level="Global" />
      <RolePrivilege name="prvAppendToImportFile" level="Local" />
      <RolePrivilege name="prvAssignImportLog" level="Global" />
      <RolePrivilege name="prvWriteImportLog" level="Global" />
    </Role>
  </Roles>
  <Workflows>
  </Workflows>
  <EntityMaps />
  <EntityRelationships />
  <Languages>
    <Language>1033</Language>
  </Languages>
</ImportExportXml>
May 23, 2010 at 11:39 PM
Nice one cmerrill. Worked a charm.
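The accelerator's PermissionsUtility check quoted in the Jan 22 post only compares a privilege count against 12 (3 access types x 4 entities) and throws, so it never tells you which privilege the role lacks. The script below is an added example, not code from the eService Accelerator or from cmerrill's post: it reads a role export in the ImportExportXml shape of the role above, names any of the twelve required privileges (Read, Write, AppendTo on Account, Contact, Incident, Activity, as listed in the accelerator's error message) that are missing, and lists Delete/Assign/Share privileges that a least-privilege review of the portal account should question. It assumes the prv<Access><Entity> naming pattern visible in the export and a Roles/Role path under the root; the sample export it builds is constructed test data with a placeholder role id, trimmed from the role posted above.

```python
"""Offline review of an exported Dynamics CRM 4.0 security role against the
eService portal's minimum privilege set.

Added example, not code from the eService Accelerator.  The required set is
taken from the accelerator's own error message; the prv<Access><Entity>
naming pattern is the one visible in the exported role in this thread.
"""
import xml.etree.ElementTree as ET

REQUIRED_ENTITIES = ("Account", "Contact", "Incident", "Activity")
REQUIRED_ACCESS = ("Read", "Write", "AppendTo")
# 3 access types x 4 entities = 12, the product the accelerator's comment describes.
REQUIRED_PRIVILEGES = frozenset(
    f"prv{access}{entity}"
    for entity in REQUIRED_ENTITIES
    for access in REQUIRED_ACCESS
)

# Access types a least-privilege review should question on a portal account:
# none of them appears in the accelerator's required list.
SENSITIVE_ACCESS = ("Delete", "Assign", "Share")


def build_export(privileges, role_name="eService Role (sample)"):
    """Build a minimal ImportExportXml document in the shape of the export above.

    `privileges` is an iterable of (name, level) pairs.  Constructed test data,
    not a real export; the role id is a placeholder GUID.
    """
    rows = "".join(
        f'      <RolePrivilege name="{name}" level="{level}" />\n'
        for name, level in privileges
    )
    return (
        '<ImportExportXml version="4.0.0.0" languagecode="1033" generatedBy="OnPremise">\n'
        "  <Roles>\n"
        f'    <Role id="{{00000000-0000-0000-0000-000000000000}}" name="{role_name}">\n'
        f"{rows}"
        "    </Role>\n"
        "  </Roles>\n"
        "</ImportExportXml>\n"
    )


def parse_role_privileges(xml_text):
    """Return {privilege name: depth} for the first <Role> in a customization export."""
    root = ET.fromstring(xml_text)
    role = root.find("Roles/Role")
    if role is None:
        raise ValueError("export contains no <Roles><Role> element")
    return {rp.get("name"): rp.get("level") for rp in role.findall("RolePrivilege")}


def missing_required(privileges):
    """Required privileges absent from the role, sorted so reports are stable.

    The accelerator only compares a count against 12 and throws; this names
    the offenders, which is what you need in order to fix the role.
    """
    return sorted(REQUIRED_PRIVILEGES.difference(privileges))


def sensitive_privileges(privileges):
    """Delete/Assign/Share privileges present at any depth."""
    return sorted(
        name for name in privileges
        if any(name.startswith("prv" + access) for access in SENSITIVE_ACCESS)
    )


def review_role(xml_text):
    """Summarise whether the role would pass the portal's startup check and what else it grants."""
    privileges = parse_role_privileges(xml_text)
    missing = missing_required(privileges)
    return {
        "privilege_count": len(privileges),
        "missing": missing,
        "portal_check_passes": not missing,
        "sensitive": sensitive_privileges(privileges),
    }


# Constructed sample: the twelve required privileges plus three taken from the
# export above, one of which (prvDeleteQueueItem) a review should question.
SAMPLE_PRIVILEGES = [
    (name, "Global") for name in sorted(REQUIRED_PRIVILEGES)
] + [
    ("prvReadMSA_eserviceconfiguration", "Global"),
    ("prvAssignIncident", "Global"),
    ("prvDeleteQueueItem", "Global"),
]
COMPLETE_ROLE_XML = build_export(SAMPLE_PRIVILEGES)
# Same role with one required privilege dropped: the state that trips the
# count check and produces the ApplicationException quoted in this thread.
INCOMPLETE_ROLE_XML = build_export(
    [p for p in SAMPLE_PRIVILEGES if p[0] != "prvAppendToIncident"]
)

if __name__ == "__main__":
    for label, xml_text in (("complete", COMPLETE_ROLE_XML), ("incomplete", INCOMPLETE_ROLE_XML)):
        print(label, review_role(xml_text))
```

To use it on a real export, pass the file contents to review_role instead of the constructed sample; the required set here covers only the startup check, so the Note, custom MSA_ entity and other privileges the accelerator needs at runtime (as the documentation excerpt in the first post and cmerrill's role show) still have to be added by the trial-and-error method described above.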