One of the requests we have seen in the field is for a custom admin security role in CRM 2011 where a group of users have permissions restricted to only certain administrative functions. One such example is to create custom admin role and restricting this role to creating users and assigning roles to users and other administrative functions but not to be able to work with Sales, Marketing, and Customer Service. So let’s take this scenario and see how we can achieve this custom admin role.
In CRM 2011 (On-Premise) create custom admin role and restrict this role to creating users and assigning roles to users and admin functions but not to be able to work with Sales, Marketing, and Customer Service
Steps to Resolution:
Details of Steps:
Using our CRM On Premise organization Contoso we created a role TestCustomAdminRole by making a copy from System Administrator role. To do this we went to Settings->Administration->Security Roles->System Administrator -> Actions->Copy Role:
When the new copied role opens we leave everything as is and Save and Close the role.
Now that we have created a copy of System Administrator role. Let’s assign this TestCustomAdminRole to a user. So we create a new user test user1 in Active Directory. Then we create this user in CRM organization Contoso. We assign administrative access mode to this user (and administrative license type).
As our custom admin role is ready and user is ready we assign our TestCustomAdminRole to the user test user1.
Test user1 is ready to create users and assign roles to them. We logon as test user1 and see that we don’t see Sales and Marketing areas in navigation:
We do see Service but when we click on service we only see Knowledge Base Articles
We are done! We have created a custom admin security role by creating a copy of System Administrator role and assigning it to a user with Administrative access mode (Administrative License). This user can do administrative functions and assign all roles (except System Administrator Role) to other users but cannot work with Sales, Marketing and Service (except view knowledge base).
NOTE: Currently in CRM 2011 if the roles being assigned have permissions for custom entities then the new custom admin role (copy of System Administrator) will not be able to assign those roles to users. To be able to assign roles with custom entities permissions we need to assign System Administrator Role to the custom admin user and set Access Mode to Administrative (so that custom admin does not have access to Sales, Marketing and Service Modules as is our goal here). In addition to this we must also have CRM 2011 Update Rollup 10 applied on the server. Please note that there is NO registry entry (AllowRoleAssignInAdminMode) needed. Update Rollup 10 has the fix built into the CRM code.
CRM 2011 UR10 is released which includes the below fix in the code for the issue mentioned about CRM 2011 and System admin role in administrative mode not able to assign roles with custom entities:
"The AllowRoleAssignInAdminMode option is requested to be enabled for users in the administrative mode."
Please refer to http://support.microsoft.com/kb/2710577