"User A" has permission on a model-driven app having "Entity A" and is also a member of team "Team A", which has "Direct User Access Level and Teams only" member's privilege inheritance.
"Team A" is assigned "Security Role A", which has an Assign permission set at org level for "Entity A".
Now, when "User A" is trying to change the owner to "Team A" or "Team B", he is facing the following error:
The selected team does not have sufficient privileges for this action. Assign a security role with the required privileges to this team, and then try again.
Can you please share what is wrong here?
When you got that error, was there the option to download a log? That would tell you more detail.
This error could be telling you one of two different things:
1. The user doesn't have permission to assign records
2. The team the record is being assigned to does not have permission on the record being assigned or one of its children
When you assign a record, related records linked to that record are also reassigned based on the relationship cascading settings. So even though the team has org level on the main entity, there could be a related entity like one of the activity entities that it is having trouble reassigning to that user.
So if you get an error log, it likely will give you relevant details.
If you don't, one thing to look at is the relationships between the entity and other entities--are any of them parental relationships?
Thank you @jlindstrom for the explanation!
Please find my comments as follows:
1. the user doesn't have permission to assign records -> "User A" has permission assigned by security roles "CDS User" and "Security Role A" with 'assign' rights at org level as follows:
Note : "User A" doesn't have permission explicitly assigned at user level, but team level with "Direct User Access Level"
2. The team the record is being assigned to does not have permission on the record being assigned or one of its children ->Hmmm.. when the record was originally created, Owner was the "User A", and I assume "User A" can change the ownership of the record with team as well by assigning the "Team A", if not, in this case, how do I decide whether "Team A" has permission on the record?
Note : There is no child record/team/business unit.
Also, Log Error is as follows:
at Microsoft.Crm.Extensibility.OrganizationSdkServiceInternal.Update(Entity entity, InvocationContext invocationContext, CallerOriginToken callerOriginToken, WebServiceType serviceType, Boolean checkAdminMode, Boolean checkForOptimisticConcurrency, Dictionary`2 optionalParameters)
at Microsoft.Crm.Extensibility.OData.CrmODataExecutionContext.Update(Entity entity, UpdateOption updateOption)
at Microsoft.Crm.Extensibility.OData.CrmODataServiceDataProvider.UpdateEdmEntity(CrmODataExecutionContext context, String edmEntityName, String entityKeyValue, EdmEntityObject entityObject)
at Microsoft.Crm.Extensibility.OData.EntityController.PatchEntityImplementation(String& entityName, String key, EdmEntityObject entityDelta)
at Microsoft.Crm.Extensibility.OData.CrmODataUtilities.<>c__DisplayClass10_0`2.<InvokeActionAndLogMetric>b__0()
at Microsoft.PowerApps.CoreFramework.ActivityLoggerExtensions.Execute[TResult](ILogger logger, EventId eventId, ActivityType activityType, Func`1 func, IEnumerable`1 additionalCustomProperties)
at Microsoft.Xrm.Telemetry.XrmTelemetryExtensions.Execute[TResult](ILogger logger, XrmTelemetryActivityType activityType, Func`1 func)
at lambda_method(Closure , Object , Object )
at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object methodParameters)
at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Dispatcher.HttpControllerDispatcher.<SendAsync>d__1.MoveNext()
Activity Id: b6105e89-bbcb-43d7-b8a8-45a9aba82e07
Thank you for your time!
When I say children you need to check the system entities like note and activity. If you have an entity enabled for notes and activities, a relationship is created between these entities and the default relationship type is parental. This means that reassigns will cascade to these related records.
If the user who is changing the owner of the record A doesn’t also have assign privileges high enough on notes and activities you will get that error.
What security roles does Team A have? Is Team A an owner type team? Does the role that Team A has have permission to read write that entity as well as related system entities like activities and notes?
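The checks described in the answers above, as an added example that is not part of the original thread and is not Dataverse code: a simplified Python model that follows cascading Assign relationships from a record's table and lists the privileges the caller and the target team are missing. Table names, relationships and privilege sets are constructed samples, privilege depth is ignored, and the rule that the new owning team needs Read on each cascaded table is an assumption taken from the last reply.

```python
# Simplified model of the checks described in this thread (not Dataverse code).
# All table names, relationships and privilege sets are constructed samples.

# Child relationships per table: (child_table, cascade-assign behaviour).
# "Cascade" is what a parental relationship uses; "NoCascade" stops reassignment.
RELATIONSHIPS = {
    "entity_a": [("annotation", "Cascade"), ("activitypointer", "Cascade"),
                 ("entity_c", "NoCascade")],
    "activitypointer": [("annotation", "Cascade")],
}

def cascaded_tables(root, relationships):
    """Return every table an Assign on `root` reaches via cascading links."""
    seen, stack = [], [root]
    while stack:
        table = stack.pop()
        if table in seen:
            continue
        seen.append(table)
        for child, behaviour in relationships.get(table, []):
            if behaviour != "NoCascade":
                stack.append(child)
    return seen

def missing_privileges(root, relationships, caller_privs, team_privs,
                       team_needs=("Read",)):
    """List (principal, table, privilege) gaps that would block the reassignment.

    caller_privs / team_privs map table -> set of privilege names.
    Assumption: the caller needs Assign and the new owning team needs the
    privileges in `team_needs` on the record's table and each cascaded table.
    """
    gaps = []
    for table in cascaded_tables(root, relationships):
        if "Assign" not in caller_privs.get(table, set()):
            gaps.append(("caller", table, "Assign"))
        for priv in team_needs:
            if priv not in team_privs.get(table, set()):
                gaps.append(("team", table, priv))
    return gaps

# Constructed roles: both principals are covered on the main table only.
USER_A = {"entity_a": {"Read", "Write", "Assign"}, "annotation": {"Read"}}
TEAM_A = {"entity_a": {"Read", "Write", "Assign"}}

if __name__ == "__main__":
    for who, table, priv in missing_privileges("entity_a", RELATIONSHIPS,
                                               USER_A, TEAM_A):
        print(f"{who} lacks {priv} on {table}")
```
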