In this article, learn what the minimum user privilege requirements are for the DocumentsCorePack Service Online Configuration.
DocumentsCorePack Service with Server2Server or AppAccess connection
AppAccess connections are based on the “act on behalf of another user” privilege model. The AppAccess connection requires as many privileges as any user requires to use the product. Security for “act on behalf of” is determined by matching the privileges present on BOTH the impersonated user and the “act on behalf of” user. Privileges present on only one of the two users are ignored by Dynamics.
This means that you have to ensure that the service user has all privileges necessary for the document generation and processing functionality of DocumentsCorePack, like:
- Access to all Dataverse data you have referenced in your templates
- Rights to read, create, and modify records (emails, activities, notes, etc.)
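The matching rule described above can be checked before rollout by comparing the two privilege sets. The following is an added example, not code from mscrm-addons.com or Microsoft; the function names are hypothetical and the privilege names and user data are constructed sample values.

```python
# Added example: models the "act on behalf of" rule, where a privilege is
# honoured only if it is present on BOTH the service user and the
# impersonated user. All names and data below are constructed samples.

def effective_privileges(service_user, impersonated_user):
    """Privileges honoured for an impersonated call (present on both users)."""
    return set(service_user) & set(impersonated_user)


def audit_impersonation(required, service_user, impersonated_user):
    """Map each required privilege that would be ignored to who lacks it."""
    gaps = {}
    for priv in sorted(required):
        on_service = priv in service_user
        on_user = priv in impersonated_user
        if on_service and on_user:
            continue  # present on both sides, so the call is allowed
        if not on_service and not on_user:
            gaps[priv] = "both"
        elif not on_service:
            gaps[priv] = "service user"
        else:
            gaps[priv] = "impersonated user"
    return gaps


# Constructed sample: privileges a template set is assumed to need.
REQUIRED = {"prvReadAccount", "prvReadContact", "prvCreateActivity", "prvCreateNote"}
# Constructed sample: the service user cannot read contacts.
SERVICE_USER = {"prvReadAccount", "prvCreateActivity", "prvCreateNote"}
# Constructed sample: the end user cannot create notes.
END_USER = {"prvReadAccount", "prvReadContact", "prvCreateActivity"}

if __name__ == "__main__":
    print("effective:", sorted(effective_privileges(SERVICE_USER, END_USER)))
    for priv, who in audit_impersonation(REQUIRED, SERVICE_USER, END_USER).items():
        print(f"{priv}: missing on {who}")
```

A gap reported for the service user is the case this article addresses: the end user holds the privilege, but the call still fails because the service user does not.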
While creating the DocumentsCorePack Service this user must:
- Have SystemCustomizer privileges,
- Have the mscrm-addons.com security roles, and
- Perform a one-time operation during setup that requires the global or application administrator role in Entra
After the installation, you can remove the SystemCustomizer role from the user, but it is not recommended, as you need to re-add it whenever an update of the DocumentsCorePack solution is required.
Granting system administrator privileges to the Application user ensures that no user interaction is accidentally limited.
DocumentsCorePack Service SharePoint Integration
If you have enabled the SharePoint Integration for the DocumentsCorePack Service, we recommend using a Server2Server connection. The SharePoint user must have the following privileges:
- The SharePoint user must always be able to log in to the root site of SharePoint without any error.
- The user must have modify rights to the target folder. If the product is configured to create SharePoint folder information, the same rights are required for every existing library and folder in any possible target path.
- If templates are used that set attribute values on your SharePoint locations, the SharePoint user must be able to read the attribute metadata on the library level.
That’s it! We appreciate your feedback! Please share your thoughts by sending an email to support@mscrm-addons.com.