One of the requests we have seen in the field is for a custom admin security role in CRM 2011 where a group of users have permissions restricted to only certain administrative functions. One such example is to create custom admin role and restricting this role to creating users and assigning roles to users and other administrative functions but not to be able to work with Sales, Marketing, and Customer Service.   So let’s take this scenario and see how we can achieve this custom admin role.

 

Our Objective:

In CRM 2011 (On-Premise) create custom admin role and restrict this role to creating users and assigning roles to users and admin functions but not to be able to work with Sales, Marketing, and Customer Service

 Steps to Resolution:

  1.  First we will create a copy TestCustomAdminRole of System Administrator role. This is because in CRM 2011 for security reasons a user must have same or higher privileges than the role they are assigning to other user.  So we are keeping the highest privileges so that the user with TestCustomAdminRole will be able to assign any role (except System Administrator) to other users.
  2. We will assign Administrative access mode to the user who will get TestCustomAdminRole assigned to them. Note that License Type is Administrative. Administrative access mode restricts the users privileges to  all administrative functions except Sales, Marketing, and Customer service (except knowledge base articles).

 

Details of Steps:

Using our CRM On Premise organization Contoso  we created a role TestCustomAdminRole by making a copy from System Administrator role. To do this we went to Settings->Administration->Security Roles->System Administrator -> Actions->Copy Role:

 

 

 

 

When the new copied role opens we leave everything as is and Save and Close the role.

Now that we have created a copy of System Administrator role.  Let’s assign this TestCustomAdminRole to a user. So we create a new user  test user1 in Active Directory.  Then we create this user in CRM organization Contoso. We assign administrative access mode to this user (and administrative license type).

 

 

 

As our custom admin role is ready and user is ready we assign our TestCustomAdminRole to the user test user1.

 

 

Test user1  is ready to create users and assign roles to them. We logon as test user1 and see that we don’t see Sales and Marketing  areas in navigation:

 

 

 We do see Service but when we click on service we only see Knowledge Base Articles

 

 

 

We are done! We have created a custom admin  security role by creating a  copy of System Administrator role and assigning it to a user with Administrative access mode (Administrative License). This user can do administrative functions and assign all roles (except System Administrator Role) to other users  but cannot work with Sales, Marketing and Service (except view knowledge base).

NOTE: Currently in CRM 2011 if the roles being assigned have permissions for custom entities then the new custom admin role (copy of System Administrator) will not be able to assign those roles to users. To be able to assign roles with custom entities permissions  we need to assign System Administrator Role to the custom admin user and set Access Mode to Administrative (so that custom admin does not have access to Sales, Marketing and Service Modules as is our goal here). In addition to this we must also have CRM 2011 Update Rollup 10 applied on the server. Please note that there is NO registry entry (AllowRoleAssignInAdminMode) needed. Update Rollup 10 has the fix built into the CRM code.

CRM 2011 UR10 is released which includes the below fix in the code for the issue mentioned about CRM 2011 and System admin role in administrative mode not able to assign roles with custom entities:

"The AllowRoleAssignInAdminMode option is requested to be enabled for users in the administrative mode."

Please refer to http://support.microsoft.com/kb/2710577