Security Role Issue with OfficeGraphDocument entity

Today I went through an issue where I had a custom security role (Business Admin) with almost the same privileges as the system admin user, except the update permission on custom master entities.

Issue: When a user with the Business Admin role tried to assign security roles to other users, a permission error message popped up on screen.

RoleService::VerifyCallerPrivileges failed. User: a52a0940-6fde-e811-a96a-000d3af05828, PrivilegeName: prvReadOfficeGraphDocument, PrivilegeId: 39016011-ae1a-41d1-9a22-a2611ad16702, Depth: Global, BusinessUnitId: be4a982d-8cd0-e811-a964-000d3af05df5 If you contact support, please provide the technical details.

The above message clearly states that the read privilege needs to be provided on the OfficeGraphDocument entity. But the entity is not visible on the security role form, so the system admin user cannot go ahead and provide the permission.

While investigating the issue I found that Office Graph integration for Dynamics 365 for Customer Engagement apps was deprecated on August 31, 2017, at the same time that Office ends GQL query support. Customers can continue to use Office Graph integration through August 31, 2017. After that date, the Office Graph trending documents component will cease to function, and you’ll see the following error message:
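A small triage helper for this kind of error, added here as an example and not part of the original post. It splits the message into its fields, derives the access right and entity from the privilege name, and translates the `Depth` value into the access-level label used in the role editor (`Global` is `Organization`); the function names are hypothetical and the `prv<Right><Entity>` naming pattern is an assumption that does not hold for every privilege.

```python
import re

# Depth names from platform errors -> access-level labels in the role editor.
DEPTH_TO_ACCESS_LEVEL = {"Basic": "User", "Local": "Business Unit",
                         "Deep": "Parent: Child Business Units",
                         "Global": "Organization"}
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
ERROR_RE = re.compile(
    r"VerifyCallerPrivileges failed\. User: (?P<user>" + GUID + r"), "
    r"PrivilegeName: (?P<name>\w+), PrivilegeId: (?P<priv_id>" + GUID + r"), "
    r"Depth: (?P<depth>\w+), BusinessUnitId: (?P<bu>" + GUID + r")")
# Assumed naming pattern prv<Right><Entity>; AppendTo is tried before Append.
NAME_RE = re.compile(
    r"^prv(AppendTo|Append|Create|Read|Write|Delete|Assign|Share)(\w+)$")

# The error text quoted in the post above.
SAMPLE = ("RoleService::VerifyCallerPrivileges failed. "
          "User: a52a0940-6fde-e811-a96a-000d3af05828, "
          "PrivilegeName: prvReadOfficeGraphDocument, "
          "PrivilegeId: 39016011-ae1a-41d1-9a22-a2611ad16702, Depth: Global, "
          "BusinessUnitId: be4a982d-8cd0-e811-a964-000d3af05df5")


def parse_privilege_error(message):
    """Return the fields of a VerifyCallerPrivileges error, or None."""
    m = ERROR_RE.search(message)
    if m is None:
        return None
    info = m.groupdict()
    # Names outside the assumed pattern keep right/entity empty, not guessed.
    n = NAME_RE.match(info["name"])
    info["right"], info["entity"] = n.groups() if n else (None, None)
    info["access_level"] = DEPTH_TO_ACCESS_LEVEL.get(info["depth"])
    return info


def missing_privileges(lines):
    """Collapse repeated errors into unique (user, privilege, level) rows."""
    rows = []
    for line in lines:
        info = parse_privilege_error(line)
        if info is None:
            continue  # not a privilege error
        row = (info["user"], info["name"], info["access_level"])
        if row not in rows:
            rows.append(row)
    return rows
```

Calling `missing_privileges` on a list of collected error lines gives one row per user and privilege, which is the list to review before granting anything on a role.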

We can’t get to the trending documents. Try again later.

Refer to the Microsoft site for more details.

This assumes you are familiar with XRMToolBox and with establishing a connection to a Dynamics CRM organization.

Resolution: Use XRMToolBox and connect the tool to the organization. Search for the Role Updater plugin as shown below:

Figure 1: XRM ToolBox – Plugin Role Updater

Click on Role Updater and hit the Load Roles and Privileges button. This loads all the entities and the privileges assigned on each entity.

Figure 2: Click Load Roles and Privileges button

Enter OfficeGraphDocument in the Search box.

Figure 3: Enter OfficeGraphDocument

The screen below appeared, showing the privileges the OfficeGraphDocument entity had.

Figure 4: OfficeGraphDocument entity privilege visible (Read privilege can be set to access level as Organization or None.)

Select Read, then:

Step 1: Hit the Organization button.

Step 2: You will see that the OfficeGraphDocument entity has been provided Organization level access on PrivilegeName: prvReadOfficeGraphDocument.

Step 3: Hit the Next button to apply the change to the connected organization.

Figure 5: Read privilege has been provided Organization level access.

Performing these steps resolved the issue.

Now the user with the Business Admin security role was able to give other users their desired security role, excluding the System Admin role.

Hope this blog helps anyone!!!