Assigning roles

  • Question

  • Hi all,

    I have a group of users who would like to change other users' business unit and assign different roles but not be able to see our company data, i.e. leads, contacts and opportunities.

    The issue is that if they try to assign a role that is higher in permission level than the current users doing the assigning then they will not be able to assign the role. This is normally the case as the assignee will have lower permission than the user being assigned with a different role since they are not able to view contacts and accounts.

    What is the best way around this?

    Thursday, June 5, 2014 7:35 AM

All replies

  • Hi Stanzarctah,

    The reason CRM does this is because if you allow for users to assign security roles of higher privileges than they themselves have, they could assign themselves a role which would give them access to data they did not previously have access to.

    If you are absolutely certain that these users are not under any circumstances allowed to see particular entities, you could give them the security permissions needed to be able to assign the appropriate security roles to other users, but have plugins running on Retrieve and RetrieveMultiple of the appropriate records which would block those particular users from seeing the data.

    This is a bit of a messy solution and certainly wouldn't be what I would advise.

    If you just don't want the data to be obviously available to the users, you could hide the entities on the sitemap for those users. However, they would still be able to go through advanced find to view the data.


    ~ Atomic Coder

    Thursday, June 5, 2014 7:47 AM
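
A sketch of the plugin approach described in the reply above, added here as an example and not code from the thread or from Microsoft. It assumes the plugin is registered on the pre-operation stage of Retrieve and RetrieveMultiple for lead, contact and opportunity, and that the delegated administrators hold a role with the hypothetical name "User Admin".

```csharp
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Added example: denies reads of sales data to holders of one named role.
public class BlockSalesDataForUserAdmins : IPlugin
{
    // Hypothetical role name; replace with the role given to the user administrators.
    private const string RestrictedRoleName = "User Admin";

    private static readonly string[] ProtectedEntities = { "lead", "contact", "opportunity" };

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));

        // Act only on the two read messages and only for the protected entities.
        if (context.MessageName != "Retrieve" && context.MessageName != "RetrieveMultiple") return;
        if (Array.IndexOf(ProtectedEntities, context.PrimaryEntityName) < 0) return;

        // Passing null creates the service as SYSTEM, so the role lookup itself
        // does not depend on the caller's privileges.
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        IOrganizationService service = factory.CreateOrganizationService(null);

        // InitiatingUserId is the real caller even if the step is registered to run as another user.
        if (UserHasRole(service, context.InitiatingUserId, RestrictedRoleName))
        {
            // Throwing in pre-operation cancels the request before any record is returned.
            throw new InvalidPluginExecutionException(
                "Your role does not permit viewing " + context.PrimaryEntityName + " records.");
        }
    }

    // True if the user is directly assigned a role with the given name.
    // Roles inherited through team membership are not checked here.
    private static bool UserHasRole(IOrganizationService service, Guid userId, string roleName)
    {
        var query = new QueryExpression("role") { ColumnSet = new ColumnSet("roleid"), TopCount = 1 };
        query.Criteria.AddCondition("name", ConditionOperator.Equal, roleName);

        // systemuserroles is the intersect entity between systemuser and role.
        LinkEntity link = query.AddLink("systemuserroles", "roleid", "roleid");
        link.LinkCriteria.AddCondition("systemuserid", ConditionOperator.Equal, userId);

        return service.RetrieveMultiple(query).Entities.Count > 0;
    }
}
```

The role lookup runs on every read of the protected entities, so this adds a query per request for all users, not only the restricted ones.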
  • Thanks Atomic Coder,

    Hiding the sub area for the sitemap will not work since this involves assigning permissions to a security role. The person doing the admin will always have LESS permissions than the people having their business role and role changed.

    So the only way to do this is to elevate the admin user to have a copy of the System Administrator role (let's call it User Admin Sys Admin) and then hide all the areas (sales/marketing/service) using JavaScript based on the user's role (User Admin Sys Admin) and modifying the system files.

    What is the best way to do this?


    Tuesday, June 10, 2014 6:07 AM