CRM 2016 Can't set regarding - SecLib::AccessCheckEx failed

Recently when a user was trying to use set regarding for a tracked email they were receiving the following error.

'You do not have enough privileges to acces the Micrsoft Dynamics CRM object or perform the requested opeartion.'

When running the CRM trace we found this error 'SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: b043cc71-a644-e611-80d7-005056a076e4, OwnerId: 9d589563-f988-dd11-8b66-0013211ccf00,  OwnerIdType: 8 and CallingUser: e2619700-963c-e111-9119-005056932219. ObjectTypeCode: 4200, objectBusinessUnitId: c7ec9cc6-9e67-db11-97e6-0013211cbfff, AccessRights: WriteAccess'

It turns out CRM 2016 sets the owner automatically based off who sent the email rather than who created the tracked record.  We had a disabled user in MSCRM in a different business unit that when ever another user tried to track an email from them it would set the disabled user as the owner!  Reassigning the email fixed the issue and I found a few more that were problematic using advanced find.

CRM 2016 Can't track an email - missing prvReadConvertRule privilege

Recently we found an intermittant new issue with tracking email messages for some users.  When tracing with outlook we found the error 'missing prvReadConvertRule privilege'.  This didn't seem to directly translate to any role found configurable in CRM.

Using a bit of SQL I managed to find the roles that had that privilege set and then started to compare with the role I was hoping to use and found out that I needed to set organisational read for Record Creation and Update Rule under the Service Management tab.

If you are interested here is the query I used to find the roles with the correct privileges set.

SELECT r.Name FROM Role r WHERE EXISTS(SELECT 1 FROM RolePrivileges rp JOIN Privilege p ON p.PrivilegeId = rp.PrivilegeId WHERE r.RoleId = rp.RoleId AND p.Name = 'prvReadConvertRule')