August 16, 2016

Fix the "Role Error" message when updating security roles

TL;DR: This solution has been posted on Dynamics Community Forums by Nithink.K quoting a Microsoft support answer (link). This post provides an easy solution to fix the issue.

If you have a CRM Online instance and recently you tried to update a security role probably you got the following error:

Role Error - Users cannot add privileges to or change access levels for roles to which they are assigned. For help with changing a role, contact your Microsoft Dynamics CRM administrator.

The error is misleading, because in my case the user had only the "System Administrator" role and I was trying to update the "Sales Manager" role, also the log file didn't provide additional information, it just contained the message "Invalid privilege depth".

A solution has been posted on Dynamics Community Forums (you can find the whole thread here) and it's about a wrong privilege that has been assigned to the "Data Performance Dashboard" entity under the core records. This OOB entity is "Organization" type (meaning the privilege can be only "Organization" or "None") but in the CRM Online instances affected with this problem, the privilege is set to "User":

The solution is to set the privileges to "None", after this change the security role can be edited or copied again. I started a new CRM online trial and the correct configuration is "None" for all the security roles except System Administrator (that can't be customized) and System Customizer that has these privileges set to "Organization".

Because it's a tedious process to edit all the security roles one by one, you can use the "Role Updater" tool included inside the XrmToolBox, with this tool you can bulk update the security roles removing or adding privileges in few clicks.

After you started the tool, click on "Load Roles and Privileges" button and select all the users except "System Administrator" and "System Customizer"

After you click "Next", search for "data" and select the privileges related to "Data Performance Dashboard" entity and click the "None" button

When you are ready click the "Next" button and the privileges will be updated. Regarding the System Customizer role, you can edit it manually or use again this tool, select only the role and click on "Organization" instead of "None".

After this procedure you will be able to edit again your security roles, hope it helps!