Microsoft KB Archive/890587

= Users cannot view records when the records are in a child business unit or in the subunit of a child business unit that was reassigned to a new parent business unit in Microsoft CRM 1.2 =

Article ID: 890587

Article Last Modified on 12/21/2005


APPLIES TO


 * Microsoft CRM 1.2






SYMPTOMS
Microsoft Business Solutions CRM users who have "Parent: Child Business Unit" privileges cannot read or write to any records that are owned by users in a Microsoft CRM business unit. This problem occurs after the business unit is reassigned to a different parent business unit that is in the same business unit structure.

For example, if you use a Microsoft CRM view such as the All Leads view, the users in the root business unit who have "Parent: Child Business Unit" privileges cannot see the records that these users own when those records are in a child business unit or in a subunit of a child business unit.



CAUSE
This problem occurs after you reassign a child business unit under a new parent business unit. This problem occurs because the child business unit and the new parent business unit are both using the MSCRM Deep security group name in the Active Directory directory service. After the change, the MSCRM DEEP Active Directory security group of the child business unit does not link to the MSCRM DEEP security group of the parent business unit. For more information about the conditions that exist when this problem occurs, see the "Steps to reproduce this problem" section.

This problem can be avoided in some organizations where the following conditions are true:
 * The organization can use the standard security roles.
 * The organization does not make changes to the standard security roles.
 * The organization sets up the business unit structure without changing the parent business unit of any business unit in the Microsoft CRM installation.

Some organizations may be able to operate under these conditions. However, these conditions may not be reasonable for other organizations based on the business needs and the requirements of the organization.



RESOLUTION
Microsoft CRM has a fix for this problem that is part of a cumulative update. The cumulative update information is described in the following Microsoft Knowledge Base article:

904435 Update Rollup 2 is available for Microsoft CRM 1.2



Steps to reproduce the problem
Note Do not create these business units and security roles except in a test system. We provide the following steps to describe the business unit structure and the Microsoft CRM security roles that cause the problem that is described in the "Symptoms" section.

In this scenario, each business unit has at least one Microsoft CRM user who is associated with that business unit. That user owns multiple contacts, accounts, and leads.

The original business unit structure contains a root business unit. The root business unit has two child business units. The child business units of the root business unit are Region 1 and Region 2. Region 1 and Region 2 each have two child business units. The child business units of Region 1 are Area 1A and Area 1B. The child business units of Region 2 are Area 2A and Area 2B.

Each Area business unit also has two child business units. The child business units of Area 1A are Biz 1A_1 and Biz 1A_2. The child business units of Area 1B are Biz 1B_1 and Biz 1B_2. The child business units of Area 2A are Biz 2A_1 and Biz 2A_2. The child business units of Area 2B are Biz 2B_1 and Biz 2B_2. Table 1 shows the organization of these business units.

Table 1

1. Create a custom Microsoft CRM security role at the level of the root business unit. Name the security role C1_REGION1, and then give "Parent: Child Business Unit" privileges to the security role. To do this, follow these steps:
   a. On the GoTo menu, point to Home, and then click Settings.
   b. On the Settings page, click Business Unit Settings.
   c. On the Business Unit Settings page, click Security Roles.
   d. In the Business Unit list, click Root Unit.
   e. On the Actions menu bar, click New Role.
   f. In the Role Name box, type C1_REGION1.
   g. On the Core Records tab, click Account three times to change the privileges to Parent: Child Business Unit. Then, click the Save and Close button.

2. Create a new user. Name the user User_Region1. Then, assign the C1_REGION1 custom Microsoft CRM security role to this user in the Region 1 business unit. To do this, follow these steps:
   a. On the GoTo menu, point to Home, and then click Settings.
   b. On the Settings page, click Business Unit Settings.
   c. On the Business Unit Settings page, click Users.
   d. On the Actions menu bar, click New User.
   e. In the First Name box and in the Last Name box, type User_Region1.
   f. In the Domain Logon Name box, type adventure-works\User_Region1.
   g. Click the lookup button next to the Business Unit box.
   h. In the Look Up Records dialog box, click Go.
   i. Select Region 1, click OK, and then click Save.
   j. On the Actions menu, select Manage Roles.
   k. In the Role Name column, click to select the C1_REGION1 check box.

3. Create another custom Microsoft CRM security role at the level of the root business unit. Name the security role C1_REGION2, and then give "Parent: Child Business Unit" privileges to the security role. To do this, follow these steps:
   a. Repeat step 1a through step 1e.
   b. In the Role Name box, type C1_REGION2.
   c. On the Core Records tab, click Account three times to change the privileges to Parent: Child Business Unit. Then, click Save and Close.

4. Create a new user. Name the user User_Region2. Then, assign the C1_REGION2 custom Microsoft CRM security role to this user in the Region 2 business unit. To do this, follow these steps:
   a. Repeat step 2a through step 2d.
   b. In the First Name box and in the Last Name box, type User_Region2.
   c. In the Domain Logon Name box, type adventure-works\User_Region2.
   d. Click the lookup button next to the Business Unit box.
   e. In the Look Up Records dialog box, click Go.
   f. Select, click OK, and then click Save.
   g. On the Actions menu, select Manage Roles.
   h. In the Role Name column, click to select the C1_REGION1 check box.

5. Log on to the Microsoft CRM Web client as User_Region1 to verify that you can read and update account records in all the child business units of Region 1 and their subunits.

6. Log on to the Microsoft CRM Web client as User_Region2 to verify that you can read and update account records in all the child business units of Region 2 and their subunits.

7. Log on to the Active Directory server as a user who can view the Microsoft CRM organizational units (OU) and the child organizational units.

8. Start the Active Directory Users and Computers snap-in. To do this, click Start, click Run, type dsa.msc, and then click OK.

   Notes
    * The Region 1 organizational unit has the MSCRM ROLE (C1_REGION1) security group and the MSCRM DEEP (C1_REGION1) security group for the C1_REGION1 custom Microsoft CRM security role. All the child organizational units under Region 1 have the MSCRM ROLE (C1_REGION1) security group and the MSCRM DEEP (C1_REGION1) security group for this custom Microsoft CRM security role.
    * The Region 2 organizational unit has the MSCRM ROLE (C1_REGION2) security group and the MSCRM DEEP (C1_REGION2) security group for the C1_REGION2 custom Microsoft CRM security role. All the child organizational units under Region 2 have the MSCRM ROLE (C1_REGION2) security group and the MSCRM DEEP (C1_REGION2) security group for this custom Microsoft CRM security role.

9. Reassign the Area 2B business unit under the Region 1 business unit. To do this, follow these steps:
   a. Log on to the Microsoft CRM Web client as a user who has administrative privileges.
   b. On the GoTo menu, point to Home, and then click Settings.
   c. On the Settings page, click Business Unit Settings.
   d. On the Business Unit Settings page, click Business Units.
   e. Double-click Area 2B.
   f. On the Actions menu, click Change Parent Business.
   g. In the New Parent Business box, type Region1, and then click OK.

   Note After you reassign the business unit, the business unit structure contains a root business unit. The root business unit has two child business units. The child business units of the root business unit are Region 1 and Region 2. Region 1 has three child business units, and Region 2 has one child business unit. The child business units of Region 1 are Area 1A, Area 1B, and Area 2B. The child business unit of Region 2 is Area 2A.

   Each Area business unit also has two child business units. The child business units of Area 1A are Biz 1A_1 and Biz 1A_2. The child business units of Area 1B are Biz 1B_1 and Biz 1B_2. The child business units of Area 2A are Biz 2A_1 and Biz 2A_2. The child business units of Area 2B are Biz 2B_1 and Biz 2B_2. Table 2 displays the organization of these business units.

   Table 2

10. Wait until the Microsoft CRM security descriptors are updated.

   Note To determine when the security descriptors are updated, open the C:\Program Files\Microsoft CRM\Server\Bin directory, where C: is the letter of your drive. Wait for the SSPCQC.bin file to disappear. Your settings for the \Program Files\Microsoft CRM\Server\Bin directory must be set to show hidden files for this file to appear. The SSPCQC.bin file is present after you perform an action that updates Microsoft CRM security roles. This file is also present after you create a new Microsoft CRM role. The file disappears after all security descriptors are updated.

11. Log on to the Microsoft CRM Web client as User_Region1. Verify that you can see and write to accounts that belong to the Area 2B business unit users. This behavior is expected.

   Note You cannot see or write to accounts that belong to any child business unit of Area 2B. This behavior is not expected.

12. Log on to the Active Directory server as a user who can view the Microsoft CRM organizational units and the child organizational units.

13. Start the Active Directory Users and Computers snap-in. To do this, click Start, click Run, type dsa.msc, and then click OK.

   Note View the Biz 2B_1 organizational unit and the Biz 2B_2 organizational unit. No roles exist for the MSCRM ROLE (C1_REGION1) security group or the MSCRM DEEP (C1_REGION1) security group. However, this organizational unit still has the MSCRM ROLE (C1_REGION2) security group and the MSCRM DEEP (C1_REGION2) security group.
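The end state of the reproduction steps can be modelled as a tree of business units with a set of role groups per organizational unit, and then audited for subunits left out of sync by a move. This is an added example, not Microsoft CRM or Active Directory code and not part of the original article. Assumptions: each OU is reduced to the set of role names whose MSCRM ROLE/DEEP groups it holds, the moved unit itself is taken to receive its new parent's groups (inferred from User_Region1 being able to see Area 2B records), and the audit rule "a child OU should hold the same role groups as its parent OU" is a modelling choice.

```python
# Added illustration: a simplified, assumed model; not Microsoft CRM or AD code.
def build_tree():
    """Business unit -> parent, as in the article's original structure."""
    parent = {"Region 1": "Root", "Region 2": "Root"}
    for region, areas in (("Region 1", ("1A", "1B")), ("Region 2", ("2A", "2B"))):
        for area in areas:
            parent[f"Area {area}"] = region
            for n in (1, 2):
                parent[f"Biz {area}_{n}"] = f"Area {area}"
    return parent

def subtree(parent, unit):
    """Return unit plus every business unit below it."""
    found = [unit]
    for u in found:  # the list grows while we walk it (breadth-first)
        found.extend(c for c, p in parent.items() if p == u)
    return found

def initial_groups(parent):
    """Role names whose ROLE/DEEP groups exist in each OU before the move."""
    groups = {}
    for region, role in (("Region 1", "C1_REGION1"), ("Region 2", "C1_REGION2")):
        for u in subtree(parent, region):
            groups[u] = {role}
    return groups

def reparent(parent, groups, unit, new_parent, whole_subtree):
    """Move unit; copy the new parent's groups to it alone or to its subtree."""
    parent[unit] = new_parent
    for u in (subtree(parent, unit) if whole_subtree else [unit]):
        groups[u] = set(groups[new_parent])

def audit(parent, groups):
    """Report OUs whose role groups differ from those of their parent OU."""
    findings = {}
    for unit, par in parent.items():
        if par == "Root":
            continue  # the article does not list the root OU's groups
        missing, stale = groups[par] - groups[unit], groups[unit] - groups[par]
        if missing or stale:
            findings[unit] = {"missing": sorted(missing), "stale": sorted(stale)}
    return findings

if __name__ == "__main__":
    tree = build_tree()
    groups = initial_groups(tree)
    reparent(tree, groups, "Area 2B", "Region 1", whole_subtree=False)
    print(audit(tree, groups))
```

With `whole_subtree=False` the audit reports Biz 2B_1 and Biz 2B_2, matching the final note in the steps; `whole_subtree=True` shows the consistent state in this model and is not a description of what Update Rollup 2 changes.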

<div class="references_section">