In this article, we want to describe which minimum privileges are necessary for the user defined in the AttachmentExtractor Service Online Configuration.
AttachmentExtractor Service with Server2Server connection:
Server2Server connections are named user connections, where only the privileges of the user, that have been defined for the service are evaluated by security.
While creating the AttachmentExtractor Service this Server2Server user must have
- SystemCustomizer privileges and
- mscrm-addons.com security roles(LINK)
After the installation, you could remove the SystemCustomizer role from the user, but it is not recommended because sometimes we need to update the AttachmentExtractor solutions.
AttachmentExtractor Service with AppAccess connection
AppAccess connections are based on the “act on behalf of another user” privilege management. The AppAccess connection requires as many privileges as any user requires for the use of the product. Security for “act on behalf of” is determined by matching privileges present on BOTH the impersonated user and the “act on behalf of user”. Privileges only present on one user are ignored by Dynamics.
While creating the AttachmentExtracotr Service this AppAccess user must have
- SystemCustomizer privileges and
- mscrm-addons.com security roles(LINK)
After the installation, you could remove the SystemCustomizer role from the user, but it is not recommended because sometimes we need to update the AttachmentExtractor solutions.
AttachmentExtractor Service SharePoint Integration
If you want to extract to a SharePoint location you need to use a user for the configuration with the following privileges.
The SharePoint user must always be able to log in to the root site of SharePoint. (Not see any data, but be able to logon without any error)
The user must have modify rights to the target folder. If the product is configured to create SharePoint folder information, the same rights are required for any existing libraries and folders in all possible target paths.
The SharePoint user must be able to call the SharePoint REST API with a POST to /_api/contextInfo
If the AttachmentExtractor service has the setting “Create SharePoint attributes” set to true, then the SharePoint user must be able to read the attribute metadata on the library level and write attribute values.