If you have developed applications targeting Microsoft Dynamics CRM 3.0 and you have used the metadata service to make your software really dynamic, then you may face some serious problems when running against a CRM 4.0 installation. Your application runs fine when executed by an administrator or developer; that is a user having the CRM System Administrator or System Customizer security role applied to his user record. But other people will complain that the application no longer works.

The reason for this behavior are the security privileges controlling access to the metadata. Yes, there are privileges for it!

CRM 3.0

CRM 4.0

So where's the difference? Well, there is no difference in configuration, but there is a *big* difference in CRM. CRM 3.0 simply ignores the metadata privileges and all users can access the metadata, which I think is the correct approach, as there are no secrets in it. CRM 4.0, however, *does* evaluate the privileges and as access to the metadata by default is granted to the System Administrator and System Customizer roles only, all other users receive an error when trying to access the metadata.

I personally don't like that change as most of my applications rely on the metadata. At least read access should be on by default. Anyway, if your application breaks when accessing the metadata, make sure to enable read privileges for the entity, attribute and relationship privileges:

The easiest way to specify such global settings is creating a new security role and assigning it to all users. You then only need to change the privileges in a single security role. This also simplifies the process to give everyone read access to new custom entities, but in the end it's your decision how to administer security.