Dynamics security profile prevent the triggering of a flow

(0) Share

Report

Posted on by Mavver

Good afternoon all,

I am so close to solving my notification flow mini project, but I am stumbling a little bit.

We created a flow to run when an Activity record is created in D365 and it would send out a push notification.

However this flow errored, with this error message

{
"status": 403,
"message": "SecLib::CheckPrivilege failed. User: 66b56c96-xxxx-xxxx-xxxx-xxxxxxxxbbb, PrivilegeName: prvReadActivity, PrivilegeId: 650c14fe-xxxx-xxxx-xxxx-xxxxxxxxe45d, Required Depth: Global, BusinessUnitId: 6a0b1d3e-xxxx-xxxx-xxxx-xxxxxxxx1441, MetadataCache Privileges Count: 1639, User Privileges Count: 347",
"source": "xxxxxxxx.crm4.dynamics.com",
"errors": [],
"debugInfo": "clientRequestId: ba98aadc-xxxx-xxxx-xxxx-xxxxxxxx2773"
}

After some trial and error, We worked out that if the permission to read the D365 record was set to Organization then the flow would work, but if the permissions were set lower permission level the flow would fail.

We cant have every user reading every activity but I cant seem to the flow to work with giving full access.

Any guidence on how to get around this would be gratefully recieved.

Categories:

Using connectors

I have the same question (0)

All responses (4)

Answers (0)

LeeHarris 1,026 on at

Like (0)

Report

Hi @Mr_Mather

Which user are you using to connect to Dynamics 365 within Flow? It may just be this user that needs the elevated permissions. In the past I have created connections to D365 using a user set up specifically for Flow, and then given this user full admin privileges within Dynamics 365.

Was this reply helpful? Yes No
Mavver 46 on at

Like (0)

Report

Hi Lee,

I am using a standard user, this flow is going to have to be rolled out to all 30+ users, so that when a record is created in D365 then the push notification gets sent out.

I cant give elevated permissions as the permission under pin the security model.

ta

L.

Was this reply helpful? Yes No
LeeHarris 1,026 on at

Like (0)

Report

Hi @Mr_Mather

Apologies I missed the part about the push notification. I can see the issue you are having now as in order to get the push notification to work, the flow needs to be running as the specific user.

Depending on your experience with JSON, you can work around this by making use of the HTTP actions within Flow. Create a new Flow with a HTTP trigger that accepts a JSON object containing an Id. Run this flow with connections defined as a user with admin rights to the data in Dynamics 365. Use a Parse JSON action to convert the incoming body to usable Dynamic content and then use the Get Dynamics 365 Record action to retrieve the record from Dynamics using the GUID passed in. Format a JSON response object containing the fields you need from the Activity record and use the response action to send this back to the caller.

Within your Flow that the users will be running, add a HTTP action and call the endpoint created by your other Flow, passing in the JSON body with the Id (which you will have from the trigger step). You should then get a response back from the other Flow containing the details requested which you can parse and use in the notification action. This should be achievable with no changes to the security within D365.

Hope that makes sense.

Was this reply helpful? Yes No
Mavver 46 on at

Like (0)

Report

@LeeHarris

Am I correct in my thinking that for flow to correctly run, it must be able to read all records, else it will fail. To give a more specific example.

I have two business units, Business Unit A and Business Unit B. The permissions to read records is restricted by Business Unit, so people in Business Unit A cannot read Account information in Business Unit B. Flow however runs on creation of any account record. So that means that it will error if flow is unable to read ALL records?

Thanks

L.

Was this reply helpful? Yes No