Microsoft KB Archive/890589

= Microsoft CRM &quot;Parent: Child Business Unit&quot; privileges only work with records that are one level under the current business unit =

Article ID: 890589

Article Last Modified on 8/26/2006

-

APPLIES TO


 * Microsoft CRM 1.2

-





SYMPTOMS
After you reassign a child business unit, you cannot see records in child business units or in the subunits of a child business unit that are more than one level under the current business unit. This problem occurs when the child business unit that you reassigned uses the same security group name in the Active Directory directory service that is used by the new parent business unit. After the change, the MSCRM DEEP Active Directory security group that is used by the child business unit does not link to the MSCRM DEEP Active Directory security group that is used by the new parent business unit.



RESOLUTION
Microsoft CRM has a fix for this problem that is part of a cumulative update. The cumulative update information is described in the following Microsoft Knowledge Base article:

904435 Update Rollup 2 is available for Microsoft CRM 1.2



Steps to reproduce the problem
Note Only create the business units and the security roles that are mentioned in the following steps in a test system. We provide the following steps to describe the business unit structure and the Microsoft CRM security roles that cause the problem that is described in the &quot;Symptoms&quot; section.

In this scenario, each business unit has at least one Microsoft CRM user who is associated with that business unit. That user owns multiple contacts, accounts, and leads.

The original business unit structure contains a root business unit. The root business unit has two child business units. The child business units of the root business unit are Region 1 and Region 2. The Region 1 and Region 2 business units each have two child business units. The child business units of Region 1 are Area 1A and Area 1B. The child business units of Region 2 are Area 2A and Area 2B.

Each Area business unit also has two children. The child business units of Area 1A are Biz 1A_1 and Biz 1A_2. The child business units of Area 1B are Biz 1B_1 and Biz1B_2. The child business units of Area 2A are Biz 2A_1 and Biz 2A_2. The child business units of Area 2B are Biz 2B_1 and Biz 2B_2. Table 1 shows the organization of these business units.



Table 1

 Create a custom Microsoft CRM security role at the level of the root business unit. Name the security role C1_REGION1, and then give &quot;Parent: Child Business Unit&quot; privileges to the security role. To do this, follow these steps:  On the GoTo menu, point to Home, and then click Settings. On the Settings page, click Business Unit Settings. On the Business Unit Settings page, click Security Roles. In the Business Unit list, click Root Unit. Click Create a new Role.</li> In the Role Name box, type C1_REGION1 .</li> On the Core Records tab, click Account three times to change the privileges to Parent: Child Business Unit. Then, click the Save and Close button.</li></ol> </li> Create a new user. Name the user User_Region1. Then, assign the C1_REGION1 custom Microsoft CRM security role to this user in the Region 1 business unit. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> On the GoTo menu, point to Home, and then click Settings.</li> On the Settings page, click Business Unit Settings.</li> On the Business Unit Settings page, click Users.</li> Click New User.</li> In the First Name box and in the Last Name box, type User_Region1 .</li> In the Domain Logon Name box, type adventure-works\User_Region1 .</li> Click the lookup button next to the Business Unit box.</li> In the Look Up Records dialog box, click Go.</li> Select Region 1, click OK, and then click Save.</li> On the Actions menu bar, click Manage Roles.</li> In the Role Name column, click to select the C1_REGION1 check box, and then click OK.</li></ol> </li> Create another custom Microsoft CRM security role at the level of the root business unit. Name the security role C1_REGION2, and then give &quot;Parent: Child Business Unit&quot; privileges to the security role. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Repeat step 1a through step 1e.</li> <li>In the Role Name box, type C1_REGION2 .</li> <li>On the Core Records tab, click Account three times to change the privileges to Parent: Child Business Unit. Then, click the Save and Close button.</li></ol> </li> <li>Create a new user. Name the user User_Region2. Then, assign the C1_REGION2 custom Microsoft CRM security role to this user in the Region 2 business unit. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Repeat step 2a through step 2d.</li> <li>In the First Name box and in the Last Name box, type User_Region2 .</li> <li>In the Domain Logon Name box, type adventure-works\User_Region2 .</li> <li>Click the lookup button next to the Business Unit box.</li> <li>In the Look Up Records dialog box, click Go.</li> <li>Select Region 2, click OK, and then click Save.</li> <li>On the Actions menu bar, click Manage Roles.</li> <li>In the Role Name column, click to select the C1_REGION1 check box, and then click OK.</li></ol> </li> <li>Log on to the Microsoft CRM Web client as User_Region1 to verify that you can read and update account records in all the child business units and the subunits of the child business units in Region 1.</li> <li>Log on to the Microsoft CRM Web client as  to verify that you can read and update account records in all the child business units and the subunits of the child business units in Region 2.</li> <li>Log on to the Active Directory server as a user who can view the Microsoft CRM organizational units (OU) and the child organizational units.</li> <li>Start the Active Directory Users and Computers snap-in. To do this, click Start, click Run, type dsa.msc, and then click OK.

Notes <ul> <li>The Region 1 organizational unit has the MSCRM ROLE (C1_REGION1) security group and the MSCRM DEEP (C1_REGION1) security group for the C1_REGION1 custom Microsoft CRM security role. All the child organizational units under Region 1 have the MSCRM ROLE (C1_REGION1) security group and the MSCRM DEEP (C1_REGION1) security group for this custom Microsoft CRM security role.</li> <li>The Region 2 organizational unit has the MSCRM ROLE (C1_REGION2) group and the MSCRM DEEP (C1_REGION2) security group for the C1_REGION2 custom Microsoft CRM security role. All the child organizational units under Region 2 have the MSCRM ROLE (C1_REGION2) security group and the MSCRM DEEP (C1_REGION2) security group for this custom Microsoft CRM security role.</li></ul> </li> <li>Reassign the Biz 2B_2 business unit to the Area 2A business unit. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Log on to the Microsoft CRM Web client as a user who has administrative privileges.</li> <li>On the GoTo menu, point to Home, and then click Settings.</li> <li>On the Settings page, click Business Unit Settings.</li> <li>On the Business Unit Settings page, click Business Units.</li> <li>Double-click Biz 2B_2 to open the business unit.</li> <li>On the Actions menu bar, click Change Parent Business.</li> <li>Click the lookup button next to the New Parent Business box.</li> <li>In the Look Up Records dialog box, click Go.</li> <li>Select Area 2A, and then click OK.</li> <li>Click OK in the Confirm Change Parent Business dialog box.

Note After you reassign the business unit, the business unit structure contains a root business unit. The root business unit has two child business units. The child business units of the root business unit are Region 1 and Region 2. Region 1 has three child business units, and Region 2 has one child business unit. The child business units of Region 1 are Area 1A, Area 1B, and Area 2B. The child business unit of Region 2 is Area 2A.

Each Area business unit also has two child business units. The child business units of Area 1A are Biz 1A_1 and Biz 1A_2. The child business units of Area 1B are Biz 1B_1 and Biz 1B_2. The child business units of Area 2A are Biz 2A_1 and Biz 2A_2. The child business units of Area 2B are Biz 2B_1 and Biz 2B_2. Figure 2 shows the organization of these business units.

Table 2

</li></ol> </li> <li>Wait until the Microsoft CRM security descriptors are updated.

Note To determine when the security descriptors are updated, open the \Program Files\Microsoft CRM\Server\Bin directory, where   is the letter of your drive. Wait for the SSPCQC.bin file to disappear. Your settings for the \Program Files\Microsoft CRM\Server\Bin directory must be set to show hidden files for this file to appear. The SSPCQC.bin file is present after you perform an action that updates Microsoft CRM security roles. This file is also present after you create a new Microsoft CRM role. The file disappears after all security descriptors are updated.</li> <li>Log on to the Microsoft CRM Web client as User_Region1 to verify that you can see and write to accounts that belong to the users of the Area 2B business unit. This behavior is expected.

Note You cannot see or write to accounts that belong to the child business units in Area 2B. This behavior is not expected.</li> <li>Log on to the Active Directory server as a user who can view the Microsoft CRM organizational units and the child organizational units.</li> <li>Start the Active Directory Users and Computers snap-in. To do this, click Start, click Run, type dsa.msc, and then click OK.</li> <li>View the Biz 2B_1 organizational unit and the Biz 2B_2 organizational unit. No roles exist for the MSCRM ROLE (C1_REGION1) security group or for the MSCRM DEEP (C1_REGION1) security group. However, these organizational units still have the MSCRM ROLE (C1_REGION2) security group and the MSCRM DEEP (C1_REGION2) security group.</li></ol>

<div class="references_section">