Microsoft Dynamics CRM uses the term access rights to describe object-based security. When you develop custom code for Microsoft Dynamics CRM, you need to carefully consider how the system handles access rights. In particular, it’s important to consider the privileges and access rights of the user that your code will run under. This factor can get a little tricky because most actions require multiple access rights to execute properly. Table 4-3 lists some common actions that require more than one access right that you might use in your custom code, along with the required access rights for each action.

A security dependency exists with certain entities that require a relationship to another entity. For example, an Opportunity is always related to an Account or a Contact. In this case, to create a new instance of an Opportunity, a user needs AppendTo access on Account or Contact and Append access on Opportunity. In these instances, with related entities and required privileges, troubleshooting the exact privileges that the user needs can take some time because the required privileges aren’t always obvious. For example, consider the privileges required to create an appointment with the regardingobjectid attribute set to a Contact record:

Some of these might jump out at you as surprising, such as needing Create Queue Item privileges to create an appointment. If you find yourself stuck trying to figure out the correct security settings, you can reference Appendix A of the SDK, which lists the privileges by Message.