Changing owner of a record to a user in another business unit (Dynamics 365)


I have an issue related to security roles. The details are below.

User A belongs to security group SG1 and User B belongs to security group SG2. Both roles have the same privileges (below) on a custom entity, but the Business Unit is different for each security group.

Create: User level, Read: Business Unit, Write: User level, Append: Business Unit, Append To: Business Unit, Assign: User level, Share: Business Unit

When User A in SG1 tries to assign his record to User B in SG2, I get an Access Denied error. When the owner changes, User A will lose access and get the error. But here, even though I am getting the Access Denied error, the owner is not changing on the entity; when I reload the record the owner is still User A (I think the save is not happening).

Error Log:

Exception Message: Principal with id ef346db1-c98f-ec11-b400-000d3ac25c59 does not have ReadAccess right(s) for record with id ef346db1-c98f-ec11-b400-000d3ac25c59 of entity my_product. Details: {"CallerPrincipal":{"PrincipalId":"038cfa23-c74e-ec11-8c62-6045bd8f574d","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"87242295-6ef2-ea11-a815-000d3a23ca40","Type":8,"IsUserPrincipal":true},"ObjectId":"ef348db1-c98f-ec11-b400-000d3ac25c59","ObjectTypeCode":10501,"EntityName":"my_product","ObjectBusinessUnitId":"a4854691-c946-ec11-8c62-000d3a472098","RightsToCheck":"ReadAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["PrincipalHasOwnerPrincipalWithAtLeastBasicPrivilegeDepth = False","EntityUserGroupRights = None","MinimumPrivilegeDepthRequired = Local","SecLib::AccessCheckEx2 failed. Owner Data: roleCount=1, privilegeCount=822, accessMode=0; Principal Data: roleCount=1, privilegeCount=822, accessMode=0"],"EntityOwnershipTypeMask":1,"CallerInfo":{"IsSystemUser":false,"IsSupportUser":false,"IsAdministrator":false,"IsCustomizer":false,"IsDisabled":false,"IsIntegrationUser":false,"Teams":null,"Roles":null},"ReadOnlyState":"UserAndOrgFullAccess","IsHsmEnabled":false,"HsmInfo":null,"AccessOrigin":null}

ErrorCode: -2147187962 HexErrorCode: 0x80048306

ErrorDetails: 0: my_product 1: ef346db1-c98f-ec11-b400-000d3ac25c59 2: 10501 3: ReadAccess 4: ef346db1-c98f-ec11-b400-000d3ac25c59 5: 8 ApiExceptionSourceKey: Step/Microsoft.Crm.Extensibility.ImageRetrievalStep ApiStepKey: 84b9d1cb-3e30-11db-b951-000cf1fe02ff ApiDepthKey: 1 ApiActivityIdKey: c6338644-38d6-422f-9ccc-2d1284ef241d ApiPluginSolutionNameKey: System ApiStepSolutionNameKey: System ApiExceptionCategory: ClientError ApiExceptionMessageName: unManagedIdsAccessDenied ApiExceptionHttpStatusCode: 403


Arun Vinoth-Precog Tech - MVP

This is expected behavior.


Issue 1 - Assign: User level

This limits the assign privilege to another BU user. Change it to BU level and it should work.


Issue 2 (eventually you will face) - Read: Business Unit

As the users (SGs) belong to different BUs and the role has only BU-level read, the moment a record is assigned to a cross-BU user, the original owner loses access and the read privilege for that particular record. Like you mentioned, the error will pop up.
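The privilege-depth rule behind Issue 2, modelled as an added Python example (this is not code from the original post, nor from Dynamics 365 itself). It encodes the documented meaning of the four depths in the role editor (User = Basic, Business Unit = Local, Parent: Child Business Units = Deep, Organization = Global), then replays the scenario from the question: User A in one BU owns a record, it is assigned to User B in a sibling BU, and A's Read privilege is re-checked. The BU names, user IDs and the record are constructed for the example; sharing (PoaAccessRights) and team membership (HsmAccessRights), both reported as None in the error log above, are deliberately left out of the model.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Tuple


class Depth(IntEnum):
    """Privilege depth as shown in the security role editor."""
    NONE = 0
    BASIC = 1    # "User": records the caller owns
    LOCAL = 2    # "Business Unit": records owned in the caller's BU
    DEEP = 3     # "Parent: Child Business Units": caller's BU and its children
    GLOBAL = 4   # "Organization": every BU


@dataclass(frozen=True)
class User:
    id: str
    bu: str


@dataclass
class Record:
    id: str
    owner: User   # for user-owned records the owning BU follows the owner


class OrgModel:
    """Business-unit tree: child BU -> parent BU (None for the root)."""

    def __init__(self, bu_parent: Dict[str, Optional[str]]):
        self.bu_parent = bu_parent

    def is_descendant(self, bu: str, ancestor: str) -> bool:
        cur: Optional[str] = bu
        while cur is not None:
            if cur == ancestor:
                return True
            cur = self.bu_parent[cur]
        return False

    def min_depth_required(self, caller: User, rec: Record) -> Depth:
        """Lowest depth at which a privilege would reach this record
        (the log's MinimumPrivilegeDepthRequired)."""
        if rec.owner.id == caller.id:
            return Depth.BASIC
        if rec.owner.bu == caller.bu:
            return Depth.LOCAL
        if self.is_descendant(rec.owner.bu, caller.bu):
            return Depth.DEEP
        return Depth.GLOBAL

    def has_access(self, caller: User, rec: Record, granted: Depth) -> bool:
        return granted >= self.min_depth_required(caller, rec)


def build_scenario(target_bu_parent: str = "Root"):
    """Constructed org: Root with two child BUs. By default BU-SG2 is a
    sibling of BU-SG1; pass "BU-SG1" to make it a child BU instead."""
    org = OrgModel({"Root": None, "BU-SG1": "Root", "BU-SG2": target_bu_parent})
    user_a = User("user-a", "BU-SG1")
    user_b = User("user-b", "BU-SG2")
    rec = Record("my_product-1", owner=user_a)
    return org, user_a, user_b, rec


def read_after_assign(read_depth: Depth,
                      target_bu_parent: str = "Root") -> Tuple[bool, Depth, bool]:
    """Re-check User A's Read privilege before and after the record is
    assigned to User B. Returns (read_before, depth_needed_after, read_after)."""
    org, user_a, user_b, rec = build_scenario(target_bu_parent)
    before = org.has_access(user_a, rec, read_depth)
    rec.owner = user_b                      # Assign: owner (and owning BU) move to B
    needed = org.min_depth_required(user_a, rec)
    after = org.has_access(user_a, rec, read_depth)
    return before, needed, after


if __name__ == "__main__":
    for depth in (Depth.LOCAL, Depth.DEEP, Depth.GLOBAL):
        print(f"sibling BU, Read={depth.name:6}: {read_after_assign(depth)}")
    print(f"child BU,   Read=DEEP  : {read_after_assign(Depth.DEEP, 'BU-SG1')}")
```

With Read at Business Unit (Local), A can read the record while owning it but loses it as soon as the owner moves to a sibling BU, which is the post-assign read failure the log reports. Raising Read to Deep only helps when B's BU is a child of A's BU; for sibling BUs only Organization (Global) depth, or sharing the record back to A, restores access.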