Agent to Application Mapping in Dynamics CRM

Sep 6, 2010 at 1:58 PM
Hi all, Up to CCF 2009 we had the Mapping option available in the Admin console, through which we could map the required application to the desired agent. I want to achieve the same functionality in CCA through Dynamics CRM 4.0. I have tried the sharing option in CRM, but was not able to achieve it. Any help on this would be appreciated.
Sep 7, 2010 at 7:01 AM

Can you walk us through the steps you followed? Is the problem that you are seeing the application and expecting to not see it, or vice versa? Did you follow the steps under "Mapping a Hosted Application to a User/Team" in the UII Deployment Guide? Also, are you logging into the Agent Desktop as an administrator?

Sep 7, 2010 at 2:03 PM
Thanks for the prompt reply. Yes, I followed the steps mentioned in the guide. Let me rephrase and elaborate my query.

I have created one user in Dynamics CRM with Full Access mode in CRM and role as UII Administrator. CCA works perfectly fine. All applications load successfully without any specific mapping (sharing), as the user is UII Administrator.

I have created another user in Dynamics CRM with Read only Access mode in CRM and role as UII Agent. I mapped the hosted application as per the steps mentioned in the guide and assigned read permissions for that particular hosted application. On launch of CCA I get the following error:

25/08/2010 14:08:06: CCA: DESKTOP_ERR_FATAL_ERROR:A possibly fatal error has occurred. The application may now exit.
<error> 0x80040220 <description>SecLib::CrmCheckPrivilege failed. Returned hr = -2147220960 on UserId: 7f7af8c4-deaa-df11-a3b0-005056b4531f and PrivilegeId: 56b37cee-2f98-429d-949a-c953d5390322</description> <type>Platform</type> </error>
System.Web.Services.Protocols.SoapException: Server was unable to process request.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)

The error goes away if I assign the UII Administrator role to the same user. Thanks.
Sep 7, 2010 at 4:32 PM

Do you happen to have Audit Logging Turned on?
In General Settings => any of the Audit Flags set to anything but 0.



Sep 7, 2010 at 5:19 PM
No, I confirmed all flags are set to 0 only and AuditNoCache = false. To update more on this, I checked in the CRM database for PrivilegeId: 56b37cee-2f98-429d-949a-c953d5390322 (error trace). The details for that ID are as follows:

Privilege ID                          Name                         CanBeLocal  CanBeDeep  CanBeGlobal  CanBeBasic  AccessRight
56B37CEE-2F98-429D-949A-C953D5390322  prvWriteUII_sessiontransfer  1           1          1            1           2
Sep 7, 2010 at 6:21 PM

Can you test this for me… I think what you're hitting is a known issue in UII \ CRM, something that has been resolved from the Accounting side.

For the “Agent” user,
Assign only the Customer Service Rep Role and the UII agent Role. Set the Agent User to be a Read Only Cal User. This should fail with permissions errors.

Then Set the Agent User to “Full Cal”, and retry.

The desktop should open normally.


Sep 8, 2010 at 9:50 AM

@Matt: What you have suggested is correct. The reason is even if I don't put the user in the CSR role and place him in UIIAgent and give full rights, the agent desktop still runs, but the scenario Neeraj is trying to explain is like this.

Imagine you have two apps, APP1 and APP2. Now I want a specific group of users (CRM) to access APP1 and another group of users to use APP2. The scenario we face is that the moment we give FULL rights to a particular user, all applications by default come under this user's purview whether we share them with this user or not.

I am sure the solution would not be to provide FULL access to the user because it takes away the basic federation of user rights (as it was previously in CCF versions)

Waiting for your comments

Sep 8, 2010 at 10:09 AM

@Neeraj: I have solved this issue. I'll just define the steps over here.

@Matt: Please confirm. The only issue we were facing was that we were not able to assign applications to individual users, so for this, this is what I have done:

Step 1: I provided "FULL" CAL to the individual user

Step 2: I removed the UII agent role from this user and only provided the CSR role to this user

Step 3: In the management of CSR entity -> custom entities I only gave user level permission for all UII activities

Step 4: I removed a share of an application from this user

The net result: the application did not come within CCF, so I was able to attain the desired result wherein I gave a limited rights base to a user and also took away rights for a particular application. I am sure you probably meant the same thing in your post; however, I needed to confirm this since there is no explicit mapping entity between users/groups and applications and it is only at the sharing level that we can control this.

One more point to note was that the user necessarily should not be a UII agent but needs to be a CSR with FULL CAL ability.




Sep 8, 2010 at 3:54 PM
Edited Sep 8, 2010 at 3:57 PM

OK, I think I get what you're trying to do… which is create 1+ roles with different hosted controls.
I do this quite often when I’m doing demos to keep customizations straight.

So here is how the updated ICC partner VPC is set up… which I hope will help out.
The ICC partner VPC has 2 different desktops ( though you don’t need to have different desktops I just happen to set it up that way).

The Environment:

The “ICC Desktop” is a Ribbon Desktop with 28 “hosted applications”, which make up the ribbon and the visual elements of the ICC desktop.

The “CCA Desktop” is the desktop as it exists from the download site, with an additional 2 HAT based web applications which add up for a total of 7 “hosted applications”.

Both use the TAPI simulator code, which is made up of 2 “hosted applications”.

Role and Group Configuration:

There are 2 different agents in this demo that are configured for either the ICC desktop or the CCA Desktop, for demo sake we will call them Agent1 and Agent2.

Both Agent1 and Agent2 are configured as full Cal users; both are members of the UII Agents Role and the CSR role ONLY (there are no modifications to the out of the box roles.)

I then created 3 Teams, ICC Desktop, CCA Desktop, TAPI CTI

In UII Settings, Hosted controls ( the table view ) I selected the 2 TAPI Hosted applications and Assigned them to the TAPI CTI Team

I then selected the 28 hosted applications used for the ICC desktop and assigned them to the ICC Desktop Team.

Then, the 7 hosted applications of the CCA desktop and then assigned them to the CCA Desktop Team

NOTE: up to this point I have *NOT* assigned a user to a hosted application.

User Mappings to Team:

Now we assign the Teams to a user (or vice versa if you like).

Agent1 is going to be our ICC agent, so for Agent1 we make them a member of the teams ICC Desktop and TAPI CTI

Agent2 is going to be our CCA agent, so for Agent2 we make them a member of the teams CCA Desktop and TAPI CTI

So this works out as:

Agent1 => ICC Desktop => (28 hosted apps )
                => TAPI CTI => ( 2 hosted apps )

Agent2 => CCA Desktop => (7 hosted apps )
                => TAPI CTI => ( 2 hosted apps )

Now when Agent1 logs in and starts the ICC desktop, all the ICC desktop bits will appear and CTI will be connected to the TAPI CTI demo bits. When Agent2 starts the CCA desktop, all of the relevant bits will appear in the CCA desktop and CTI will be connected to the TAPI CTI demo bits.

While I’m applying this to 2 different desktops connected to the same CRM env, you can also do exactly the same thing with Hosted controls with the same desktop, say a team for frontline customer support, and a team for billing support, where the team provides access to hosted controls that are specific to the focus areas of the agent.

The important thing to keep in mind is :
Users =>* Teams =>* HostedApps.

Hope that makes sense…
I will do a blog on this with pictures at some point in the future.


Sep 8, 2010 at 4:27 PM
Thanks a lot, Matt. Really appreciate your help. It's working fine with the approach mentioned by Nikhil. I will try the User -> Team mapping approach too. But the main key is that the Agent needs to be a CSR with FULL CAL ability, which we were missing before.
Sep 8, 2010 at 5:24 PM

I would discourage you from adding UII objects to roles other than those provided. It will create issues for you when CCA R2 (for CRM 2011) comes out, and you're creating a lot more work for yourself and your admin team by doing it. There are several UII based custom objects that need to be permissioned, which are all defined on the UII agent role. If you miss an entity, or give them higher than necessary access levels (org for example instead of user), it will create issues for you down the road.

The way I outlined should work for what you're trying to do, and will upgrade when we release the next rev.

You can do direct Agent mapping to hosted controls in dev.. it works just fine.
It is critical, however, that you use the Agent => Team => Hosted app approach in your test / production deployment.
The reason for this is that CRM’s security design is optimized around the Team => record approach when sharing a record across multiple users.

As you scale up users, you will quickly notice a difference, not to mention it makes user management simpler.
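
The Users => Teams => HostedApps layout and the scaling point from the posts above, as an added Python model that is not part of the original thread and does not call CRM or UII. App names are constructed placeholders, and the row counts assume one grant row per (principal, hosted application) share plus one row per team membership.

```python
# Constructed model of the layout described in the thread; not CRM or UII API code.
from itertools import chain

# Hosted applications per team (counts from the thread; names are placeholders).
TEAM_APPS = {
    "ICC Desktop": {f"icc-app-{i}" for i in range(1, 29)},  # 28 hosted apps
    "CCA Desktop": {f"cca-app-{i}" for i in range(1, 8)},   # 7 hosted apps
    "TAPI CTI": {"tapi-app-1", "tapi-app-2"},               # 2 hosted apps
}
USER_TEAMS = {
    "Agent1": {"ICC Desktop", "TAPI CTI"},
    "Agent2": {"CCA Desktop", "TAPI CTI"},
}

def effective_apps(user, user_teams=USER_TEAMS):
    """Hosted apps a user reaches purely through team membership."""
    teams = user_teams.get(user, set())
    return set(chain.from_iterable(TEAM_APPS[t] for t in teams))

def grant_rows_team(user_teams=USER_TEAMS):
    """Assumed cost of team mapping: one row per (team, app) plus one per membership."""
    used_teams = set().union(*user_teams.values())
    shares = sum(len(TEAM_APPS[t]) for t in used_teams)
    memberships = sum(len(teams) for teams in user_teams.values())
    return shares + memberships

def grant_rows_direct(user_teams=USER_TEAMS):
    """Assumed cost of direct mapping: one row per (user, app) for the same access."""
    return sum(len(effective_apps(u, user_teams)) for u in user_teams)

def scaled(n_per_desktop):
    """Same layout with n agents on each desktop (hypothetical user names)."""
    users = {f"icc-{i}": USER_TEAMS["Agent1"] for i in range(n_per_desktop)}
    users.update({f"cca-{i}": USER_TEAMS["Agent2"] for i in range(n_per_desktop)})
    return users

def unexpected_access(user, intended_teams):
    """Least-privilege check: apps reachable beyond the teams the user should have."""
    intended = set(chain.from_iterable(TEAM_APPS[t] for t in intended_teams))
    return effective_apps(user) - intended

if __name__ == "__main__":
    for user in USER_TEAMS:
        print(user, len(effective_apps(user)), "hosted apps")
    for n in (1, 100):
        users = scaled(n)
        print(n, "agents per desktop:", grant_rows_team(users), "team rows vs",
              grant_rows_direct(users), "direct rows")
```

With only two agents the two approaches need about the same number of rows; the gap opens as agents are added, because each new agent costs two membership rows instead of one row per hosted application.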


Sep 10, 2010 at 10:29 AM

I got your point.

I will import original roles and do the hosted application mapping with teams.