I had a call the other day from a client who was having some issues with security roles. He had just hired a new inside sales rep and had assigned her the same security role as the other reps. But, she wasn’t able to properly access the data the way the others were. He examined the security roles and was unable to see any differences. So, he called me. As he was showing me the security role settings for the new and existing users, I asked him to show me the Team membership of the new user. She was not assigned to any teams. Then I asked to see the teams the existing users belonged to. Sure enough they were in an inside sales team. I asked him to check the security roles assigned to the team. There was one, the Salesperson role. I recommended he add the new user to the team. Problem solved!
CRM 2011 has added a new wrinkle (feature) of Team Ownership of records. In order to own records, a team must have a security role assigned to it. Members of the team acquire the access privileges provided by the team’s security roles.
When troubleshooting security roles in CRM 2011, be sure to check team membership, and the security roles that might be assigned to those teams as well.
The other day I attempted to open my CRM 2011 and was asked to enter my user name and password. Strange I thought but I entered it nonetheless. It asked me for it again, apparently not liking what I had entered. I tried again, more carefully. And once again I was prompted for my user name and password. A third try resulted in a 401 Unauthorized error. Oh NO!! Had my CRM been hacked? Had someone messed with it? Everything seemed in order on the server.
I am running an Internet Facing Deployment, IFD, using Active Directory Federated Services, ADFS. Perhaps there is a problem with ADFS. I had a look there and it appeared OK as well. So I decided to temporarily disable IFD and Claims Based Authentication and see what happened. Much to my delight I was able to access CRM and found my data intact. So, the problem must be with the authentication.
I did a little digging with my favorite CRM troubleshooting tool, Bing, and eventually found a Knowledge Base article, http://support.microsoft.com/kb/2642530, that recommended setting the anonymous authentication permissions on the CRM 4 service end point (look to the article for the details.) I tried this but it still didn’t work Then, although the article didn’t include this step, I decided to run IISRESET. Yea! That did work and I now have my CRM back and life is good once again.