Security Role Privilege Example – Append To

Consider the situation where an email needs to be sent from one business unit within an organisation to another business unit within the same organisation. In this example, Contoso Marketing and Contoso Sales represent the two business units. Also, for simplicity, each business unit is represented by a queue with an associated email alias.

When the email is generated, the two queues need to be appended to the ‘From’ and ‘To’ of the email.

Figure 1

Scenario 1

John Smith (who is within the ‘Contoso Marketing’ Business Unit) owns both queues. (In reality, he wouldn’t own the Contoso Sales queue but it’s been setup like this for the example)

Figure 2
Figure 3

John Smith is assigned the security role ‘Sales Manager’. For this role, the ‘read’ and the ‘append to’ privileges are set to the User access level. (He also has the ‘Append’ privilege set to the User access level on the Activity (Email) entity.)

Figure 4

Based on this configuration, when John logs into Dynamics 365 and triggers the workflow (that contains a ‘Send email’ step), both queues are successfully appended to the email.

Scenario 2

Now consider the situation where the owner of the Contoso Sales queue is changed to Jane Doe who is within the Contoso Sales business unit. When the workflow tries (and fails) to generate the email, the following dialog box is displayed to the logged in user (i.e. John Smith).

Figure 5

Within the workflow (that calls the ‘Send email’ action), the following error is generated.

Figure 6

The details of the error message are as follows:

  • Error Code = -2147187962
  • Object Id => the Contoso sales queue
  • Owner Id => Jane Doe
  • Calling User => John Smith
  • Calling Business Id => Contoso Marketing
  • Object Type Code: 2020 => Queue
  • Object Business Unit Id => Contoso Sales

What this means is since the queue is now owned by another person in another business unit, the security role access levels need to be increased to the Organization level. This will then allow John to again be able to associate the Contoso Sales queue to the email

Figure 7

Btw I just thought to include the following screenshot as this is the error generated when the destination queue doesn’t have an email alias listed.

Figure 8