locked
Deleting role inheritance from parent business unit to child business unit RRS feed

  • Question

  • We have two business units ...1 parent and 1 child. We dont want parent business unit roles to be appeared in child business unit.

    Is there any SQL query that can stop security roles being inherited to the child business units?

    Thanks
    Satish 
    Sunday, February 14, 2010 3:41 AM

Answers

  • Hi For each role, you can defne at what level a particul permission on some entity is applied.
    i.e. you can configure the access level for each entity operation(create,update,delete,etc).
    If you don't wnat the child business unit to inherit from parent business unit, then assign the "business unit" access level to all the entities in (customization==>security roles tab)
    check this for access level.
    http://technet.microsoft.com/en-us/library/aa679988.aspx

    e.g, you can create two security role A & B for business Unit A & B( where A is parent of B). On security Role A, you configure all the access level to be "bussiness unit" only and assign the users of bussiness unit A to this security role.
    for more details, check this link.
    http://technet.microsoft.com/en-us/library/bb955133.aspx

     

    • Marked as answer by Satish Reddy Sunday, February 14, 2010 4:53 AM
    Sunday, February 14, 2010 4:05 AM

All replies

  • Hi For each role, you can defne at what level a particul permission on some entity is applied.
    i.e. you can configure the access level for each entity operation(create,update,delete,etc).
    If you don't wnat the child business unit to inherit from parent business unit, then assign the "business unit" access level to all the entities in (customization==>security roles tab)
    check this for access level.
    http://technet.microsoft.com/en-us/library/aa679988.aspx

    e.g, you can create two security role A & B for business Unit A & B( where A is parent of B). On security Role A, you configure all the access level to be "bussiness unit" only and assign the users of bussiness unit A to this security role.
    for more details, check this link.
    http://technet.microsoft.com/en-us/library/bb955133.aspx

     

    • Marked as answer by Satish Reddy Sunday, February 14, 2010 4:53 AM
    Sunday, February 14, 2010 4:05 AM
  • Thanks for reply.

    Your solution looks good for custom roles.But how can we restrict the administrator to be present only in parent BU( here literally I dont want admin role to be displayed in child BU roles ) since we cant alter Admin role?

    Thanks
    Satish 
    Sunday, February 14, 2010 4:17 AM
  • Just a word of caution--security roles created just in a child business unit cannot be exported.  I know that there is a tool on MSDN to do it, but I have heard of some issues with it.  For that reason, it is best practices to always create security roles in the root bu.

    As for restricting system roles, you really don't want to do that, especially with the system customizer and system admin roles.  If these roles aren't present, it breaks functionality.  Just preventing users in the child BU from assigning roles should be sufficient to restrict this.
    Sunday, February 14, 2010 4:40 AM
    Moderator
  • Hi Satish,
    I think, You can chagne the existing roles and its access level as well (how,ever i will not recommend you to do that, better create your own cusotm roles)
    I think administrator should have rights on both parent & child business unit.
    As said above by Joel
    "As for restricting system roles, you really don't want to do that, especially with the system customizer and system admin roles.  If these roles aren't present, it breaks functionality.  Just preventing users in the child BU from assigning roles should be sufficient to restrict this."

    if you don't want admin role to be theire in child BU, then for the parent BU you  have to set all  the roles access level to "business unit" only, this will make sure the users from parent business unit doesn't have access to the child business unit. and then create a separate role for the child business unit and this will contains the users from the child BU.

    Sunday, February 14, 2010 5:50 AM