Goal: Read the metadata without experiencing errors due to hidden missing privileges.
Expected Results: The Privilege metadata for the 'RelationshipRoleMap' table should list the required privileges, rather than having an empty set.
Actual Results: The Privilege metadata for the 'RelationshipRoleMap' table is empty. Accessing this table without the hidden privileges results in an error.
Details:
Access to the 'RelationshipRoleMap' table requires the 'RelationshipRole' set of privileges. As of CRM 2011, these privileges are removed from all security roles other than System Administrator (from msdn.microsoft.com/en-us/library/gg309359.aspx)
However, the EntityMetadata info for 'RelationshipRoleMap' does not indicate that these privileges are still required; it instead has an empty Privileges element, like so:
<c:Privileges />
This results in an incorrect privilege calculation: a user without 'RelationshipRole' privileges would think that they have access to the 'RelationshipRoleMap' table, from parsing the metadata.
If this user attempts to access the table, an error of the following form is returned:
Principal user (Id=<user guid>, type=8) is missing prvReadRelationshipRole privilege (Id=3c223cbd-7309-4a1a-901e-9ba78bc41ec8) in statement [select * from RELATIONSHIPROLEMAP]
To fix: modify the metadata for the 'RelationshipRoleMap' table to correct the Privilege entries. The other Customer Relationship entities (CustomerRelationship, RelationshipRole) correctly list their required Privileges, so they avoid this problem.