locked
Dynamics CRM 2011 - Security Role Permissions Issue Regarding User Creation and Management - Specific Settings Required RRS feed

  • Question

  • A current objective of our organization is to add a new supplemental security role giving select users privileges to perform administrative support tasks, things such as user creation, activity deletion, queue / team management, etc. I have been pulling my hair out lately trying to figure out the extent that certain tasks need permissions for. I've consulted MSDN documentation and don't find it extremely helpful for 'categorical tasks' - ie a combination of related functions that need to have privileges given for users to have the appropriate permissions.

    For example, I would like a user to be able to add new users, assign them any security role, assign them to any team, edit the users, etc and perform any other related user management tasks. I've been testing different permissions and just when I think I get something figured out it behaves in a very unexpected way (in this case, the permissions I have set up now allows a user to manage some security roles of other users but not all [can assign Roles A + B, but not C, to any user], and I have no idea why...).

    For this particular issue, can anyone identify the exact but minimal permissions necessary to do the above tasks related to user creation and management?

    Friday, June 10, 2011 8:07 PM

Answers

  • kspicer -

    I hope you were able to get past this before now.  But if not here is something I have seen in a few different envrionments.

    A person can only assign/remove a role to someone else that gives rights that they themselves have.

    Meaning if I have a custom security role that allows me to assign roles to user, but my role does not allow me to do any system customization I will not be able to assign/remove the system customizer  or system administrator role. 

    You can either have your custom role have all rights that any of the roles they need to assign will have or you can assign the user every role that they need to be able to assign to other users plus the custom role that gives them the right to assign roles to users.

    Hope that helps.

    Later
      Hoss Hostetler
      "If it ain't broke, Modify It! If it is broke, Time to upgrade!"


    "If it ain't broke, Modify It! If it is broke, Time to upgrade!"
    • Marked as answer by kspicer Monday, September 19, 2011 2:08 PM
    Wednesday, July 27, 2011 8:26 PM

All replies

  • Hi kpsicer,

                    I will try to tell what I know regarding security roles in CRM. We have two types of security models one is Object based security model and the other one is role based security model. Our current scenario comes under role based security model where in we provide privileges to users in assigning specific entities based on the access levels assigned for that specific role. We have different types of privileges like create, read, write, delete, append, append to, assign, share, reparent, enable/disable. This will be used to give access to users whether to read, write or append data into CRM. In addition to this we can give scope for the user which are called Access Levels in CRM. These access levels include Global, Deep, Local, Basic, None. For global we have the access level to organization, for deep we have the access level to Parent Child Business Unit, for Local we have the access level to Business Unit, for Basic we have the access level to User. This means if we set the access level as Global everyone in the organization have access to that entity. I am not sure if this answered your question please let me know if there is anything more which I need to say

     

    Regards,
    Vishnu.
    http://www.osmosys.asia
    http://osmosee.wordpress.com

     


    Regards, Vishnu. http://www.osmosys.asia http://osmosee.wordpress.com
    Saturday, June 11, 2011 7:39 PM
  • I am pretty familiar with the security model that you've described. I have been able to identify specific privileges needed to perform certain tasks in the past.

    I was hoping more for the specific privilege options needed to do all tasks related to creating and managing users, including things like adding to teams, managing security roles, assigning cases, etc.

    Tuesday, June 14, 2011 2:45 PM
  • kspicer -

    I hope you were able to get past this before now.  But if not here is something I have seen in a few different envrionments.

    A person can only assign/remove a role to someone else that gives rights that they themselves have.

    Meaning if I have a custom security role that allows me to assign roles to user, but my role does not allow me to do any system customization I will not be able to assign/remove the system customizer  or system administrator role. 

    You can either have your custom role have all rights that any of the roles they need to assign will have or you can assign the user every role that they need to be able to assign to other users plus the custom role that gives them the right to assign roles to users.

    Hope that helps.

    Later
      Hoss Hostetler
      "If it ain't broke, Modify It! If it is broke, Time to upgrade!"


    "If it ain't broke, Modify It! If it is broke, Time to upgrade!"
    • Marked as answer by kspicer Monday, September 19, 2011 2:08 PM
    Wednesday, July 27, 2011 8:26 PM