Microsoft KB Archive/883463

= Deep privileges are not inherited by the subunits of a child business unit after the parent business unit is reassigned to a different business unit =

Article ID: 883463

Article Last Modified on 12/20/2005


APPLIES TO


 * Microsoft CRM 1.2






SYMPTOMS
You cannot read or write to Microsoft Business Solutions CRM records when those records are in a subunit of a child business unit. You experience this problem even though your security role has "Parent: Child Business Unit" read and write privileges.



CAUSE
This problem occurs because the "Parent: Child Business Unit" privileges are not inherited by the subunits of a child business unit after the parent business unit is reassigned to a different business unit. See the "Steps to reproduce the problem" section for information about the business unit structure and the steps that cause this problem to occur.



RESOLUTION
Microsoft CRM has a fix for this problem that is part of a cumulative update. The cumulative update information is described in the following Microsoft Knowledge Base article:

904435 Update Rollup 2 is available for Microsoft CRM 1.2



Steps to reproduce the problem
Note: Do not create these business units and security roles except in a test system. We provide the following steps to describe the business unit structure and the Microsoft CRM security roles that cause the problem that is described in the "Symptoms" section.

In this scenario, each business unit has at least one Microsoft CRM user who is associated with that business unit. That user owns multiple contacts, accounts, and leads.

The original business unit structure contains a root business unit. The root business unit has two child business units. The child business units of the root business unit are Region 1 and Region 2. The Region 1 and Region 2 business units each have two child business units. The child business units of Region 1 are Area 1A and Area 1B. The child business units of Region 2 are Area 2A and Area 2B.

Each Area business unit also has two child business units. The child business units of Area 1A are Biz 1A_1 and Biz 1A_2. The child business units of Area 1B are Biz 1B_1 and Biz 1B_2. The child business units of Area 2A are Biz 2A_1 and Biz 2A_2. The child business units of Area 2B are Biz 2B_1 and Biz 2B_2. Table 1 shows the organization of these business units.



Table 1

1. Create a custom Microsoft CRM security role at the level of the root business unit. Name the security role C1_Region1, and then give "Parent: Child Business Unit" privileges to the security role. To do this, follow these steps:
   a. On the GoTo menu, point to Home, and then click Settings.
   b. On the Settings page, click Business Unit Settings.
   c. On the Business Unit Settings page, click Security Roles.
   d. In the Business Unit list, click Root Unit.
   e. On the Actions menu bar, click New Role.
   f. In the Role Name box, type C1_Region1.
   g. On the Core Records tab, click Account three times to change the privileges to Parent: Child Business Unit. Then, click the Save and Close button.

2. Create a new user. Name the user User_Region1. Then, assign the C1_Region1 custom Microsoft CRM security role to this user in the Region 1 business unit. To do this, follow these steps:
   a. On the GoTo menu, point to Home, and then click Settings.
   b. On the Settings page, click Business Unit Settings.
   c. On the Business Unit Settings page, click Users.
   d. On the Actions menu bar, click New User.
   e. In the First Name box and in the Last Name box, type User_Region1.
   f. In the Domain Logon Name box, type adventure-works\User_Region1.
   g. Click the lookup button next to the Business Unit box.
   h. In the Look Up Records dialog box, click Go.
   i. Select Region 1, click OK, and then click Save.
   j. On the Actions menu bar, select Manage Roles.
   k. In the Role Name column, click to select the C1_Region1 check box.

3. Create another custom Microsoft CRM security role at the level of the root business unit. Name the security role C1_Region2, and then give "Parent: Child Business Unit" privileges to the security role. To do this, follow these steps:
   a. Repeat step 1a through step 1e.
   b. In the Role Name box, type C1_Region2.
   c. On the Core Records tab, click Account three times to change the privileges to Parent: Child Business Unit. Then, click the Save and Close button.

4. Create a new user. Name the user User_Region2. Then, assign the C1_Region2 custom Microsoft CRM security role to this user in the Region 2 business unit. To do this, follow these steps:
   a. Repeat step 2a through step 2d.
   b. In the First Name box and in the Last Name box, type User_Region2.
   c. In the Domain Logon Name box, type adventure-works\User_Region2.
   d. Click the lookup button next to Business Unit.
   e. In the Look Up Records dialog box, click Go.
   f. Select Region 2, click OK, and then click Save.
   g. On the Actions menu bar, click Manage Roles.
   h. In the Role Name column, click to select the C1_Region2 check box.

5. Log on to the Microsoft CRM Web client as User_Region1 to verify that you can read and update account records in all the child business units and the subunits of the child business units in Region 1.

6. Log on to the Microsoft CRM Web client as User_Region2 to verify that you can read and update account records in all the child business units and the subunits of the child business units in Region 2.

7. Log on to the Active Directory server as a user who can view the Microsoft CRM organizational units (OU) and the child organizational units.

8. Start the Active Directory Users and Computers snap-in. To do this, click Start, click Run, type dsa.msc, and then click OK.

   Notes
    * The Region 1 organizational unit has the MSCRM ROLE (C1_Region1) security group and the MSCRM DEEP (C1_Region1) security group for the C1_Region1 custom Microsoft CRM security role. All the child organizational units under Region 1 have the MSCRM ROLE (C1_Region1) security group and the MSCRM DEEP (C1_Region1) security group for this custom Microsoft CRM security role.
    * The Region 2 organizational unit has the MSCRM ROLE (C1_Region2) security group and the MSCRM DEEP (C1_Region2) security group for the C1_Region2 custom Microsoft CRM security role. All the child organizational units under Region 2 have the MSCRM ROLE (C1_Region2) security group and the MSCRM DEEP (C1_Region2) security group for this custom Microsoft CRM security role.

9. Reassign the Area 2B business unit to the Region 1 business unit. To do this, follow these steps:
   a. Log on to the Microsoft CRM Web client as a user who has administrative privileges.
   b. On the GoTo menu, point to Home, and then click Settings.
   c. On the Settings page, click Business Unit Settings.
   d. On the Business Unit Settings page, click Business Units.
   e. Double-click Area 2B.
   f. On the Actions menu bar, click Change Parent Business.
   g. In the New Parent Business box, type Region 1, and then click OK.

   Note: After you reassign the business unit, the business unit structure contains a root business unit. The root business unit has two child business units. The child business units of the root business unit are Region 1 and Region 2. Region 1 has three child business units, and Region 2 has one child business unit. The child business units of Region 1 are Area 1A, Area 1B, and Area 2B. The child business unit of Region 2 is Area 2A.

   Each Area business unit also has two child business units. The child business units of Area 1A are Biz 1A_1 and Biz 1A_2. The child business units of Area 1B are Biz 1B_1 and Biz 1B_2. The child business units of Area 2A are Biz 2A_1 and Biz 2A_2. The child business units of Area 2B are Biz 2B_1 and Biz 2B_2. Table 2 shows the organization of these business units.

   Table 2

10. Wait until the Microsoft CRM security descriptors are updated.

   Note: To determine when the security descriptors are updated, open the C:\Program Files\Microsoft CRM\Server\Bin directory, where  is the letter of your drive. Wait for the SSPCQC.bin file to disappear. Your settings for the \Program Files\Microsoft CRM\Server\Bin directory must be set to show hidden files for this file to appear. The SSPCQC.bin file is present after you perform an action that updates Microsoft CRM security roles. This file is also present after you create a new Microsoft CRM role. The file disappears after all security descriptors are updated.

11. Log on to the Microsoft CRM Web client as User_Region1. Verify that you can see and write to accounts that belong to the Area 2B business unit users. This behavior is expected.

   Note: You cannot see or write to accounts that belong to any child business unit of Area 2B. This behavior is not expected.

12. Log on to the Active Directory server as a user who can view the Microsoft CRM organizational units and the child organizational units.

13. Start the Active Directory Users and Computers snap-in. To do this, click Start, click Run, type dsa.msc, and then click OK.

   Note: View the Biz 2B_1 and Biz 2B_2 organizational units. No roles exist for the MSCRM ROLE (C1_Region1) security group or for the MSCRM DEEP (C1_Region1) security group. However, these organizational units still have the MSCRM ROLE (C1_Region2) security group and the MSCRM DEEP (C1_Region2) security group.
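The manual comparison in the Active Directory steps above (each organizational unit's MSCRM ROLE and MSCRM DEEP groups against the business unit tree) can be expressed as a small audit. This is an added example, not part of the original article and not Microsoft code; it reads nothing from Active Directory. The snapshot is constructed from the article's description, and treating a role's groups as belonging on every unit at or below the unit where the role is assigned is a simplifying assumption.

```python
# Added example: audit which business units carry the per-role AD groups.
# PARENT is the tree after Area 2B is moved under Region 1 (unit -> parent).
PARENT = {
    "Region 1": "Root", "Region 2": "Root",
    "Area 1A": "Region 1", "Area 1B": "Region 1", "Area 2B": "Region 1",
    "Area 2A": "Region 2",
    "Biz 1A_1": "Area 1A", "Biz 1A_2": "Area 1A",
    "Biz 1B_1": "Area 1B", "Biz 1B_2": "Area 1B",
    "Biz 2A_1": "Area 2A", "Biz 2A_2": "Area 2A",
    "Biz 2B_1": "Area 2B", "Biz 2B_2": "Area 2B",
}
# Assumption: a role's groups belong on every unit at or below this unit.
ROLE_SCOPE = {"C1_Region1": "Region 1", "C1_Region2": "Region 2"}

def groups_for(role):
    return {f"MSCRM ROLE ({role})", f"MSCRM DEEP ({role})"}

def in_subtree(unit, top):
    while unit is not None:          # walk up until we pass the root
        if unit == top:
            return True
        unit = PARENT.get(unit)
    return False

def audit(observed):
    """Return (missing, stale) lists of (unit, role) pairs."""
    missing, stale = [], []
    for unit in sorted(observed):
        for role, top in ROLE_SCOPE.items():
            held = groups_for(role) & observed[unit]
            inside = in_subtree(unit, top)
            if inside and held != groups_for(role):
                missing.append((unit, role))   # access silently lost
            elif not inside and held:
                stale.append((unit, role))     # access that should be gone
    return missing, stale

def snapshot_after_move():
    """Constructed snapshot: correct groups everywhere except Biz 2B_*."""
    obs = {}
    for unit in PARENT:
        obs[unit] = set()
        for role, top in ROLE_SCOPE.items():
            if in_subtree(unit, top):
                obs[unit] |= groups_for(role)
    for unit in ("Biz 2B_1", "Biz 2B_2"):      # state described in step 13
        obs[unit] = groups_for("C1_Region2")
    return obs

if __name__ == "__main__":
    print(audit(snapshot_after_move()))
```

The stale entries matter as much as the missing ones: they are the C1_Region2 groups the article reports as still present on the moved subunits.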

<div class="references_section">