718 Washington Ave. N. Suite #101
Minneapolis, MN 55401
View map and all Locations

Send us a message

As a Microsoft Dynamics CRM administrator, you may run into issues where end-users do a certain action and receive an error message regarding permissions like the one below:


Access Is Denied: How to Identify and Fix a Security Role Issue

Access Is Denied

You do not have enough privileges to access the Microsoft Dynamics CRM object or preform the requested operation. For more information, contact your Microsoft Dynamics CRM administrator.

It tells them to contact you, so it’s your lucky day. This message means that whatever action was being performed, the security role assigned to the user performing the action does not have adequate privileges. Now YOU need to determine what exactly the user does not have access to do.

Now you have three options:

1. Give the user the System Administrator role. This is not recommended, but it will give you a very quick fix.

2. Use your best judgment to determine what right are missing. Sometimes this is the best way. For example, if a user attempts to save a contact they don’t own, and they have user-only write access to contacts, you may know right away what rights are missing without doing further trouble-shooting.

BUT if they are saving a type of record that has multiple relationships and lookups, this method would become increasingly inefficient. After a couple tries you might want to move to option 3.

3. Download the log file and determine the missing privilege.

When option #2 doesn’t work and you just don’t feel like playing whack-a-mole with security role privileges, your best option will be to read the log file and find out exactly what is missing. Don’t worry – you don’t have to be a coder or overly techy to read a log file! CRM does a very nice job of laying out what privilege is missing, by listing two key items: the entity type, and the rights type.

Let’s start with a simple example. Imagine a user with the following security role:

Access Is Denied: How to Identify and Fix a Security Role Issue

As you can see, this user does not have the permissions to delete orders. If they try to do so, they will receive an “Access is Denied” message. If they click download log file, you will see the following:

Yikes! What is all that junk? Fortunately, it becomes easy to recognize and understand this with just a little additional info on what it all means. You only need to pay attention to two things from this entire message: the ObjectTypeCode, and the AccessRights. Let’s take a closer look at that log file, and look at those two items again:

The access rights should be self-evident: this message from CRM is saying the missing rights is Delete Access. But what about ObjectTypeCode? What does that even mean? How is 1088 going to help me?

Simply put, ObjectTypeCode is the numerical representation of a CRM entity or item. Fortunately, Microsoft has a listing of all ObjectTypeCodes that come with CRM. If you do a search in this page for “1088”, you will see that it refers to “SalesOrder,” which is the Order entity.

Therefore, the log file that we downloaded contains the information that the user is missing Delete rights (AccessRights: DeleteAccess) for the Order entity (ObjectTypeCode 1088).

So now let’s try a more complicated example, using custom entities.

I have a user that reported an error creating this record:

Access Is Denied: How to Identify and Fix a Security Role Issue

I then asked him for the log file, and he sent me this:

While it contains a lot of information, again, keep in mind we are only concerned with the AccessRights and ObjectTypeCode. Looking at the above log file, we gather the following:

ObjectTypeCode: 10085
AccessRights: AppendToAccess

Therefore, we are missing Append to rights for the entity that corresponds to ObjectTypeCode 10085. Unfortunately, we can’t use the link above from Microsoft that provides default entity type codes. Fortunately, there is an extremely easy way to find the ObjectTypeCode for any entity including custom ones without the need to access the database directly or write code. Simply navigate to the following URL:


Where etc=10085 is taken from the error log. So if your error message gave ObjectTypeCode = 10120, then the URL you would go to would be /main.aspx?etc=10120&pagetype=entityrecord

But let’s go back to the example above. If I were to go to that URL as shown above, I would see the following page:

This means that ObjectTypeCode of 10085 is the Olives entity! And since the message also mentioned we are missing Append to rights, we can conclude that the missing privilege is Append To rights for Olives.

Access Is Denied: How to Identify and Fix a Security Role Issue


Additional items to keep in mind:

  • Don’t always assign rights at will. If a user tries to delete something and they complain they are receiving an “error,” it may be easy to determine what rights they are missing to delete it. But do you really want them to?
  • When dealing with security role issues, there may be multiple missing privileges that you will troubleshoot. The log file that you download may not contain all of them at once. That means if you determine that a security role is missing append to rights for new_olive, and you grant that right, you will still receive an error if there are additional privileges missing. However, the log file you download will be updated and will contain the additional missing privilege.
  • Avoid the “try now” approach when dealing with users and create your own test user, as it can be frustrating to an end user if you tell them that it is fixed when it is not. By using your own test user and adding the same security role as the one you are trying to test, you can avoid this scenario.

We hope this helps all you Dynamics CRM admins out there! For more on topics related to this blog, we have compiled a list of similar blogs:

Happy CRM’ing!

Avatar for JoeCRM


Joe CRM is a CRM superhero who runs on pure Microsoft Dynamics CRM adrenaline. As the face of PowerObjects, Joe CRM’s mission is to reveal innovative ways to use Dynamics CRM and bring the application to more businesses and organizations around the world.