This error never fails to confuse those who are configuring security in CRM 2011, especially when you have only started defining your security matrix. Getting the base privileges right just so that users can simply login to CRM can be a time-consuming task and you will most likely get errors along the way. One of the most common errors you will encounter is the dreaded Insufficient Privileges message with no indication as to which privileges are actually missing!
Thankfully with CRM 2011 on-premise, there is always the helpful Event Viewer. To find out which privileges are missing for the user and role in question, simply login to the CRM server and fire up the Event Viewer. Privilege related errors will show up as warnings and give you relevant information about what is wrong with your configuration. Here is an example of what the Event Log entry looks like.
Exception information: Exception type: CrmException Exception message: Principal user (Id=860c5b18-15b9-e211-8d4b-00155d04dc01, type=8) is missing prvReadWebResource privilege (Id=4156db68-93e2-4a83-8cbb-5bb344ebaf47) at Microsoft.Crm.Application.Platform.ServiceCommands.PlatformCommand.XrmExecuteInternal() at Microsoft.Crm.Application.Platform.ServiceCommands.RetrieveMultipleCommand.Execute() at Microsoft.Crm.Application.Components.Handlers.WebResource.RetrieveWebResource(String webResourceName, String preview) at Microsoft.Crm.Application.Components.Handlers.WebResource.ProcessRequestInternal(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
We can see here that the user is missing the read privilege for the Web Resource component. I can now update check all Security Roles assigned to the user and include this missing privilege where necessary. Sometimes it takes multiple attempts to get rid of the error, so you need to be patient with this process.
One of the main privileges that is missed when defining security roles is the ability to read user settings (prvReadUserSettings). This is required when rendering views for example, as CRM needs to look into your personal options to figure out how many records per page you wish to see at a time.
I hope this post will help you when you start to map out your security matrix for Dynamics CRM 2011.