User privilege requirements for the AttachmentExtractor

In this article, learn what the minimum user privilege requirements are for the AttachmentExtractor Online Service.

AttachmentExtractor Service with Server2Server connection

Server2Server connections are named user connections, where only the privileges of the user that have been defined for the service are evaluated by security.

While creating the AttachmentExtractor Service, this Server2Server user must have

• SystemCustomizer privileges and
• mscrm-addons.com security roles

After the installation, you could remove the SystemCustomizer role from the user, but it is not recommended because sometimes we need to update the AttachmentExtractor solutions.

AttachmentExtractor Service with AppAccess connection

AppAccess connections are based on the “act on behalf of another user” privilege management. The AppAccess connection requires as many privileges as any user requires for the use of the product. Security for “act on behalf of” is determined by matching privileges present on BOTH the impersonated user and the “act on behalf of user”. Privileges only present on one user are ignored by Dynamics.

While creating the AttachmentExtractor Service, this AppAccess user must also have

• SystemCustomizer privileges and
• mscrm-addons.com security roles

After the installation, you can remove the SystemCustomizer role from the user, but it is not recommended, as you need to re-add it whenever an update of the DocumentsCorePack solution is required.

AttachmentExtractor Service SharePoint Integration

If you want to extract to a SharePoint location, you need to be a user with the following privileges.

• The SharePoint user must always be able to log into SharePoint.
• The user must have modify rights to the target folder. If the product is configured to create SharePoint folder information, the same rights are required for any existing libraries and folders in all possible target paths.
• The SharePoint user must be able to call the SharePoint REST API with a POST to /_api/contextInfo.
• If the AttachmentExtractor service has the setting “Create SharePoint attributes” set to true, then the SharePoint user must be able to read the attribute metadata on the library level and write attribute values.

Now you know the user privilege requirements for the AttachmentExtractor Online Service.

That’s it! We appreciate your feedback! Please share your thoughts by sending an email to support@mscrm-addons.com.