Create a security role that can assign roles to other users

(0) Share

Report

Posted on by Community Member Microsoft Employee

Due to some policy, we cannot grant system admin to some people who need to manage users in CRM. So I created a new security role, called "user admin", and assigned access privileges and access levels (=organization) to related entities (business unit, security role, user, user settings). Below is my testing results:

1) User ABC in business unit XYZ was assigned with security role User Admin and other proper roles.

2) ABC could add a new user EFG, set EFG's business unit to XYZ, and assign some security roles to EFT.

3) However, if the user EFG changes business unit to UVW (a child business unit of XYZ), user ABC (in Business unit XYZ) can no longer assign/change security roles to EFT. It got error message "You do not have permission to access these records".

4) It seems ABC with User Admin role can ONLY assign security roles to the users within the same business unit, not in child business unit.

Any suggestions how to make ABC to manage the users in all child business units as well?

Thanks in advance!

*This post is locked for comments

All responses (10)

Answers (1)

Suggested answer

Danny Michaeli 10 on at

Like (0)

Report

RE: Create a security role that can assign roles to other users

Our customer needs the same thing, for me the suggested answer by @Chitrarasan Duraisamy was not enough...

The problem was that the user that need to assign new security roles to new users was not in the same BusinessUnits (because he changed to other Business unit for new user).

The solution was:

1. Create a new security role by coping it from System administrator role and removing privileges all under except Business Mangement Tab. Once you have new role assign this new role to user who is going to manage all users. (Suggested Answer by @Chitrarasan Duraisamy)

2. Assign to the manage user all the Security roles that the manage user will assign to other users ( taken from community.dynamics.com/.../202906 Answered by @Adam Vero)

3. Create Team for every BusinessUnit that the manage user will change (for other users), then give all this teams the same security roles as the manage user (from section 1 and section 2).

4. Add the manage user to all the teams you created (from section 3).

Done! now the manage user can Create new user, change hes BusinessUnit and assign Security Roles :-)
Verified answer

Royal King 27,686 on at

Like (1)

Report

RE: Create a security role that can assign roles to other users

Create a new security role by coping it from System administrator role and removing privileges all under except Business Mangement Tab. Once you have new role assign this new role to user who is going to manage all users.
Community Member Microsoft Employee on at

Like (0)

Report

RE: Create a security role that can assign roles to other users

Hi Chitra,

If I understand you correctly, you suggested to assign user ABC to the root business unit (it is the way it is now), and assign system administrator to user ABC (this is what we are trying to avoid).

User ABC (a customer support, but not a member of system admin team) needs access to the CRM to conduct his daily job plus adding new users and assigning non-system admin roles to the new users.

So we are trying to create a new non-system-admin security role for ABC.

Thanks,

Hao
Royal King 27,686 on at

Like (0)

Report

RE: Create a security role that can assign roles to other users

Assign root business unit to the Administrator User as well assign system administrator role with Access mode set to Administrative. This will allow user to create and assign role on any business unit.Users configured with this license type can administer the Microsoft Dynamics CRM Server but will not have access to the Sales, Marketing, or Service areas.Moreover this user does not consume any license .
Community Member Microsoft Employee on at

Like (0)

Report

RE: Create a security role that can assign roles to other users

Hi Karth,

I have tested it, and it didn't solve the problem.

Thanks,

Hao
Community Member Microsoft Employee on at

Like (0)

Report

RE: Create a security role that can assign roles to other users

Thanks Mamatha, I will check it out.

Hao
Suggested answer

Karth on at

Like (0)

Report

RE: Create a security role that can assign roles to other users

If you set the user's access type to 'Administrative' on the user record, this user will be able to perform the administrative functions such as creating users and assigning security roles globally. Someone with administrative access will not be able to view transnational data such as accounts and contacts. Have you evaluated this?

Otherwise, you would end up having to create a 'System Admin' like security role and assign this to the user.
Suggested answer

Mamatha Swamy 5,422 on at

Like (0)

Report

RE: Create a security role that can assign roles to other users

Hao,

Enable Trace in CRM and check for the details of missing privilege

support.microsoft.com/.../en-us
Community Member Microsoft Employee on at

Like (0)

Report

RE: Create a security role that can assign roles to other users

Thanks Mamatha,

If I understand correctly, "User Admin" role has Org level (full green circle) on User entity and all other related privileges. ABC has this role, so ABC should have Org level permissions on User entity.

Thanks again,

Hao
Suggested answer

Mamatha Swamy 5,422 on at

Like (0)

Report

RE: Create a security role that can assign roles to other users

Check if ABC user has BU level permissions on User entities; Try giving Org level permissions to him.

Refer Access levels in msdn.microsoft.com/.../gg334717.aspx