Strange security role behavior - Urgent please!

TheMSsForum.com: The Microsoft Software Forum

I have a problem with security roles within two business units (B.U.)

In each BU I created a security role that has the following privileges:

Read Accounts - Organization
Read Cases - User

I want all users to be able to access all accounts and to access only cases
created by them.

In B.U.1 with user1: I create an account and in that account I create a case

In B.U.2 with user2: I create a case for that same account.

My problem is: User 1 can access both cases, and user 2 see only that case
that was created by him. In my opinion the systems is working as expected for
User 2, only. I think user1 should not be able to access user2â??s created
incidentâ?¦

Iâ??m saying this because the security roles only have privileges to see cases
of the user.

Anyone can explain me this behavior, please?
Top

RE: Strange security role behavior - Urgent please! by AdamDeLaney

AdamDeLaney
Fri Apr 29 13:42:06 CDT 2005

My guess would be since user 1 created the account he owns the account and
will be able to see anything created in it. Do the same thing reversed and I
bet you will see the same results.

"Pedro Airo" wrote:

>
> I have a problem with security roles within two business units (B.U.)
>
> In each BU I created a security role that has the following privileges:
>
> Read Accounts - Organization
> Read Cases - User
>
> I want all users to be able to access all accounts and to access only cases
> created by them.
>
> In B.U.1 with user1: I create an account and in that account I create a case
>
> In B.U.2 with user2: I create a case for that same account.
>
> My problem is: User 1 can access both cases, and user 2 see only that case
> that was created by him. In my opinion the systems is working as expected for
> User 2, only. I think user1 should not be able to access user2â??s created
> incidentâ?¦
>
> Iâ??m saying this because the security roles only have privileges to see cases
> of the user.
>
> Anyone can explain me this behavior, please?
>
>
Top

Re: Strange security role behavior - Urgent please! by Paul

Paul
Wed May 04 02:49:49 CDT 2005

Pedro Airo wrote:
> I have a problem with security roles within two business units (B.U.)
>
> In each BU I created a security role that has the following privileges:
>
> Read Accounts - Organization
> Read Cases - User
>
> I want all users to be able to access all accounts and to access only cases
> created by them.
>
> In B.U.1 with user1: I create an account and in that account I create a case
>
> In B.U.2 with user2: I create a case for that same account.
>
> My problem is: User 1 can access both cases, and user 2 see only that case
> that was created by him. In my opinion the systems is working as expected for
> User 2, only. I think user1 should not be able to access user2â??s created
> incidentâ?¦
>
> Iâ??m saying this because the security roles only have privileges to see cases
> of the user.
>
> Anyone can explain me this behavior, please?
>
>

In my experience, if you have been experimenting with security roles in
MS CRM and have changed a user's role a few times, check that the role
you want the user to have is the only one listed in their group member
ship in Active Directory.
MS CRM Security roles are set at the AD level by jpoining the user to
the specified group under the users Business Unit. Sometimes the olde
group(s) do not get removed which can cause strange issues.
Go to the user's account in Active Directory amd look at the MSCRM
groups. If you have a signed only one security role but see several,
just remove the other MSCRM groups from the users AD account.

Paul
Top

Re: Strange security role behavior - Urgent please! by Jay

Jay
Sat May 07 04:40:16 CDT 2005

User1 can see the incident created by user2 because it is parented by the
account created by User1. User1 has access to the incident because the
permissions are inherited from the account.


--
Jay Grewal
Microsoft Business Solutions CRM

This posting is provided "AS IS" with no warranties, and confers no rights.

"Paul" <paul@shadwell.ch> wrote in message
news:d59uqs$vp5$1@news.hispeed.ch...
> Pedro Airo wrote:
>> I have a problem with security roles within two business units (B.U.)
>>
>> In each BU I created a security role that has the following privileges:
>>
>> Read Accounts - Organization
>> Read Cases - User
>>
>> I want all users to be able to access all accounts and to access only
>> cases created by them.
>>
>> In B.U.1 with user1: I create an account and in that account I create a
>> case
>>
>> In B.U.2 with user2: I create a case for that same account.
>>
>> My problem is: User 1 can access both cases, and user 2 see only that
>> case that was created by him. In my opinion the systems is working as
>> expected for User 2, only. I think user1 should not be able to access
>> user2's created incident.
>>
>> I'm saying this because the security roles only have privileges to see
>> cases of the user.
>>
>> Anyone can explain me this behavior, please?
>>
>>
>
> In my experience, if you have been experimenting with security roles in MS
> CRM and have changed a user's role a few times, check that the role you
> want the user to have is the only one listed in their group member ship in
> Active Directory.
> MS CRM Security roles are set at the AD level by jpoining the user to the
> specified group under the users Business Unit. Sometimes the olde group(s)
> do not get removed which can cause strange issues.
> Go to the user's account in Active Directory amd look at the MSCRM groups.
> If you have a signed only one security role but see several, just remove
> the other MSCRM groups from the users AD account.
>
> Paul


Top

Re: Strange security role behavior - Urgent please! by Airo

Airo
Tue May 17 04:46:02 CDT 2005

Tnkz for your response. But if the security role of the user1 is to see only
incidents that have been created by users that belongs to the same b.u., then
something is wrong. you say that the permissions are inherited from the
account, but is no way to turn arround this issue. if I want that the user1
only see the incidents that have been created by him, or by someone that
belong to the same b.u.(the account can be created by the user1), this is
possible?


Regards, Pedro Airo

"Jay Grewal [MSFT]" wrote:

> User1 can see the incident created by user2 because it is parented by the
> account created by User1. User1 has access to the incident because the
> permissions are inherited from the account.
>
>
> --
> Jay Grewal
> Microsoft Business Solutions CRM
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Paul" <paul@shadwell.ch> wrote in message
> news:d59uqs$vp5$1@news.hispeed.ch...
> > Pedro Airo wrote:
> >> I have a problem with security roles within two business units (B.U.)
> >>
> >> In each BU I created a security role that has the following privileges:
> >>
> >> Read Accounts - Organization
> >> Read Cases - User
> >>
> >> I want all users to be able to access all accounts and to access only
> >> cases created by them.
> >>
> >> In B.U.1 with user1: I create an account and in that account I create a
> >> case
> >>
> >> In B.U.2 with user2: I create a case for that same account.
> >>
> >> My problem is: User 1 can access both cases, and user 2 see only that
> >> case that was created by him. In my opinion the systems is working as
> >> expected for User 2, only. I think user1 should not be able to access
> >> user2's created incident.
> >>
> >> I'm saying this because the security roles only have privileges to see
> >> cases of the user.
> >>
> >> Anyone can explain me this behavior, please?
> >>
> >>
> >
> > In my experience, if you have been experimenting with security roles in MS
> > CRM and have changed a user's role a few times, check that the role you
> > want the user to have is the only one listed in their group member ship in
> > Active Directory.
> > MS CRM Security roles are set at the AD level by jpoining the user to the
> > specified group under the users Business Unit. Sometimes the olde group(s)
> > do not get removed which can cause strange issues.
> > Go to the user's account in Active Directory amd look at the MSCRM groups.
> > If you have a signed only one security role but see several, just remove
> > the other MSCRM groups from the users AD account.
> >
> > Paul
>
>
>
Top

Re: Strange security role behavior - Urgent please! by Airo

Airo
Tue May 17 04:57:02 CDT 2005

Tnkz for your response. But if the security role of the user1 is to see only
incidents that have been created by users that belongs to the same b.u., then
something is wrong. you say that the permissions are inherited from the
account, but is no way to turn arround this issue. if I want that the user1
only see the incidents that have been created by him, or by someone that
belong to the same b.u.(the account can be created by the user1), this is
possible?


Regards, Pedro Airo


"Jay Grewal [MSFT]" wrote:

> User1 can see the incident created by user2 because it is parented by the
> account created by User1. User1 has access to the incident because the
> permissions are inherited from the account.
>
>
> --
> Jay Grewal
> Microsoft Business Solutions CRM
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Paul" <paul@shadwell.ch> wrote in message
> news:d59uqs$vp5$1@news.hispeed.ch...
> > Pedro Airo wrote:
> >> I have a problem with security roles within two business units (B.U.)
> >>
> >> In each BU I created a security role that has the following privileges:
> >>
> >> Read Accounts - Organization
> >> Read Cases - User
> >>
> >> I want all users to be able to access all accounts and to access only
> >> cases created by them.
> >>
> >> In B.U.1 with user1: I create an account and in that account I create a
> >> case
> >>
> >> In B.U.2 with user2: I create a case for that same account.
> >>
> >> My problem is: User 1 can access both cases, and user 2 see only that
> >> case that was created by him. In my opinion the systems is working as
> >> expected for User 2, only. I think user1 should not be able to access
> >> user2's created incident.
> >>
> >> I'm saying this because the security roles only have privileges to see
> >> cases of the user.
> >>
> >> Anyone can explain me this behavior, please?
> >>
> >>
> >
> > In my experience, if you have been experimenting with security roles in MS
> > CRM and have changed a user's role a few times, check that the role you
> > want the user to have is the only one listed in their group member ship in
> > Active Directory.
> > MS CRM Security roles are set at the AD level by jpoining the user to the
> > specified group under the users Business Unit. Sometimes the olde group(s)
> > do not get removed which can cause strange issues.
> > Go to the user's account in Active Directory amd look at the MSCRM groups.
> > If you have a signed only one security role but see several, just remove
> > the other MSCRM groups from the users AD account.
> >
> > Paul
>
>
>
Top