locked
right to assign security profile to users like admin RRS feed

  • Question

  • Hi all, 

    i use the standard securityrole for ceo (i think ... in german "Vorstandsvorsitzender").

    I activated the fieldsecurity for some fields.

    What do i have to activate in the security role of ceo, that the ceo can assign fieldsecurity profiles for himself and to other users ... like the admin can.

    Thx, Greets Pit

    Tuesday, July 24, 2012 7:44 AM

Answers

  • Field Level Security profiles are 100% independent from security roles. If you want to give access to a secured field to another user, then you (the nuser granting the access) must have access to the security profile he is granting. In CRM, you can never give someone else higher privileges than what you have (otherwise you could give yourself higher privileges!).

    So I think you have a number of questions I will try to answer:

    1. What do i have to activate in the security role of ceo, that the ceo can assign fieldsecurity profiles for himself and to other users ... like the admin can.

    You must assign the field level security (FLS) profile directly to the user (or to a team). you cannot associate an FLS profile with a security role, these 2 are independent. You don't need to be the System Administrator to assign FLS profiles to other users, but you must have enough privileges to do so. For example, you need as a minimum to have the FLS profile (or a higher privileged FLS profile) yourself before you can assign it to someone else.

    2. That means that we as devs have to give every customer (user) who shall assign fieldsecurity roles the admin rights?

    Yes, you must assign it individually to every user (just like you need to assign security roles individually to every user). You could also use teams so everyone in the team will inherit the FLS profile wihtout having to assign it to every user in the team.

    3. But normally we give no adminrights to our customers. I think that this is that what everyone does.

    You could have a "power user" who has the privileges to assign FLS profiles without making that user a System Administrator. Again, just ensure that you assign all the FLS profiles to that user, otherwise he/she will not be able to assign it further to other users.

    4. When i give a user the securityroles for admin and adjustment (dont know if adjustment is the right translation (german: Systemanpasser)), then this user automatically becomes the fieldsecurityprofile for systemadministrator, which is the standard fieldsecurityprofle and has all rights.

    There is a special FLS profile that has ALL privileges. However, it is reserved for the System Administrator, and you cannot assign to other users, they will automatically get it when they become administrators. However, you do not need this profile in order to assign other FLS profiles to other users

    I hope that answers your questions!


    Gonzalo | gonzaloruizcrm.blogspot.com

    Sunday, July 29, 2012 9:53 PM
    Moderator
  • Hi Pit,

    OK, I'll admit I was a little flippant in stating only system administrators may assign field level security profiles, probably because there's no explicit documentation for privilege requirements to assign field security profiles in the crm help file or on msdn. So, I tested it. Here are my findings;

    1. A (non-system administrator) user can only give another user a field level security profile that they themselves are already linked to.

    2. The privileges your user needs on their security role in order to be able to add a Field Level Security profile to another user are: 'Create' and 'Append' against the 'Field Security Profile' entity and 'Append' + 'Append To' on the User entity. Both can be found on the Business Management tab of the securty role. 

    I'm not sure if that solves your problem completely (i.e. a CEO granting himslef extra field level security profiles) but at least this should enable the CEO users to distibute Field Level Security profiles to other users that the CEO is already linked to.

    Rob


    Microsoft Certified Technology Specialist (CRM) GAP Consulting Ltd Microsoft Community Contributor Award 2011

    Monday, July 30, 2012 10:37 PM
    Answerer

All replies

  • anyone who can help?
    Tuesday, July 24, 2012 9:15 PM
  • Hi,

    Just like the ability to assign security roles, only users with the system administrator profile may assign field level security profiles to a user.

    Rob


    Microsoft Certified Technology Specialist (CRM) GAP Consulting Ltd Microsoft Community Contributor Award 2011

    Tuesday, July 24, 2012 9:16 PM
    Answerer
  • Hi Rob,

    are you really sure?

    That means that we as devs have to give every customer (user) who shall assign fieldsecurity roles the admin rights?
    But normally we give no adminrights to our customers. I think that this is that what everyone does.

    --

    Another thought is: 
    If i can shrink the rights of an admin. Why this is not possible in the other direction (more rights for an f.e. ceo role)?

    --

    We need a securityrole that allows to assign fieldsecurity roles to other users (and to himself) .. but without giving him adminrights
    and without letting our admins assign step by step the fieldsecurity role to every user (customer) who shall assign the fieldsecurity roles to users in his organisation.

    What do you / others think?

    Thx, Greets Pit

    Wednesday, July 25, 2012 6:25 AM
  • Hi all, 

    ok my problem is still there. Now another idea:

    When i give a user the securityroles for admin and adjustment (dont know if adjustment is the right translation (german: Systemanpasser)), then this user automatically becomes the fieldsecurityprofile for systemadministrator, which is the standard fieldsecurityprofle and has all rights.

    Now .. why i cant define that if a user gets the ceo role, that he automatically gets a fieldsecurityprofile ???

    Is this an option?
    Has anyone an idea / approach?

    Thx, Greets Pit

    Friday, July 27, 2012 9:16 AM
  • Field Level Security profiles are 100% independent from security roles. If you want to give access to a secured field to another user, then you (the nuser granting the access) must have access to the security profile he is granting. In CRM, you can never give someone else higher privileges than what you have (otherwise you could give yourself higher privileges!).

    So I think you have a number of questions I will try to answer:

    1. What do i have to activate in the security role of ceo, that the ceo can assign fieldsecurity profiles for himself and to other users ... like the admin can.

    You must assign the field level security (FLS) profile directly to the user (or to a team). you cannot associate an FLS profile with a security role, these 2 are independent. You don't need to be the System Administrator to assign FLS profiles to other users, but you must have enough privileges to do so. For example, you need as a minimum to have the FLS profile (or a higher privileged FLS profile) yourself before you can assign it to someone else.

    2. That means that we as devs have to give every customer (user) who shall assign fieldsecurity roles the admin rights?

    Yes, you must assign it individually to every user (just like you need to assign security roles individually to every user). You could also use teams so everyone in the team will inherit the FLS profile wihtout having to assign it to every user in the team.

    3. But normally we give no adminrights to our customers. I think that this is that what everyone does.

    You could have a "power user" who has the privileges to assign FLS profiles without making that user a System Administrator. Again, just ensure that you assign all the FLS profiles to that user, otherwise he/she will not be able to assign it further to other users.

    4. When i give a user the securityroles for admin and adjustment (dont know if adjustment is the right translation (german: Systemanpasser)), then this user automatically becomes the fieldsecurityprofile for systemadministrator, which is the standard fieldsecurityprofle and has all rights.

    There is a special FLS profile that has ALL privileges. However, it is reserved for the System Administrator, and you cannot assign to other users, they will automatically get it when they become administrators. However, you do not need this profile in order to assign other FLS profiles to other users

    I hope that answers your questions!


    Gonzalo | gonzaloruizcrm.blogspot.com

    Sunday, July 29, 2012 9:53 PM
    Moderator
  • Hi Pit,

    OK, I'll admit I was a little flippant in stating only system administrators may assign field level security profiles, probably because there's no explicit documentation for privilege requirements to assign field security profiles in the crm help file or on msdn. So, I tested it. Here are my findings;

    1. A (non-system administrator) user can only give another user a field level security profile that they themselves are already linked to.

    2. The privileges your user needs on their security role in order to be able to add a Field Level Security profile to another user are: 'Create' and 'Append' against the 'Field Security Profile' entity and 'Append' + 'Append To' on the User entity. Both can be found on the Business Management tab of the securty role. 

    I'm not sure if that solves your problem completely (i.e. a CEO granting himslef extra field level security profiles) but at least this should enable the CEO users to distibute Field Level Security profiles to other users that the CEO is already linked to.

    Rob


    Microsoft Certified Technology Specialist (CRM) GAP Consulting Ltd Microsoft Community Contributor Award 2011

    Monday, July 30, 2012 10:37 PM
    Answerer