Creating a custom security role for our support center.

  • Question

  • Ran into a unique problem: I'm trying to avoid giving support staff System Administrator in the live environment of CRM, but making a custom role to create users and assign roles is difficult. I've been following the advice of Microsoft and the blogs, running a trace and looking up the privilegeid in the privilegebase table, but it is seemingly complaining that I need to turn on privileges for entities that these users won't need. For instance, it wants them to have full access to Data import, which I just don't understand.

    So here is the crux of the question: does CRM require that a user possess the privilege they assign to others? Basically, does a user need to have as much access as the roles it assigns? If not, how do I make this role?

    Thursday, December 2, 2010 4:56 PM


  • Hi Nick,

    Permissions can be complicated indeed. The easiest way to grant someone permissions to create users is to assign them the sys.admin. role but change their access mode to Administrative - that will effectively remove their access to the data but retain their ability to manage users. Do some good reading on administrative mode and user administration in general.


    • Good news - this user won't even consume a license.
    • Bad news - this user probably won't be able to assign roles to other users, i.e. the non-elevation principle applies. Basically, the rule of thumb is that a user cannot assign more privileges than they possess themselves (otherwise they'd be able to create a new account and log on as that user, granting themselves access to the data). But this principle applies whether the user is in administrative mode or not, and that's probably the root of your struggle (e.g. if any of the roles being assigned have the data import privilege, this user will have to have it themselves to be able to assign it to other users).
    If you insist on using a custom role, the other thing to remember is that there are some hidden privileges. You can view them, and the easiest way to retain those is to copy a built-in role, e.g. system administrator, and then remove the excess.

    Hope this helps

    George Doubinski, MVP http://crm.georged.id.au
    • Proposed as answer by Edwin2win Friday, December 3, 2010 12:08 PM
    • Marked as answer by nickpeterson Tuesday, December 21, 2010 8:49 PM
    Friday, December 3, 2010 12:25 AM
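
The rule of thumb in the answer above, modelled as an added example (not part of the original thread and not CRM's own code): given the roles a support user should be able to hand out, it reports which privileges the support role is missing. The role contents and privilege names are constructed, and treating a deeper access level as covering a shallower one is an assumption of this model.

```python
# Added illustration: role contents and privilege names below are constructed,
# not read from a real CRM organization.
from enum import IntEnum


class Depth(IntEnum):
    """Access levels, ordered so a deeper level covers a shallower one (assumption)."""
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD = 3
    ORGANIZATION = 4


def required_to_assign(roles):
    """Union of privileges across roles, keeping the deepest level seen for each."""
    needed = {}
    for privs in roles.values():
        for name, depth in privs.items():
            needed[name] = max(needed.get(name, Depth.NONE), depth)
    return needed


def elevation_gaps(assigner, roles):
    """Map privilege -> (held, needed) where the assigner holds less than it would grant."""
    gaps = {}
    for name, depth in required_to_assign(roles).items():
        held = assigner.get(name, Depth.NONE)
        if held < depth:
            gaps[name] = (held, depth)
    return gaps


def blocked_roles(assigner, roles):
    """Names of roles the assigner could not hand out under the non-elevation rule."""
    return sorted(r for r, p in roles.items() if elevation_gaps(assigner, {r: p}))


# Constructed sample: two roles the support desk should assign, and a first
# draft of the custom support role.
ASSIGNABLE = {
    "Salesperson": {"ReadAccount": Depth.BUSINESS_UNIT, "WriteAccount": Depth.USER},
    "Data Loader": {"ReadAccount": Depth.ORGANIZATION,
                    "CreateDataImport": Depth.ORGANIZATION},
}
SUPPORT_DRAFT = {"CreateUser": Depth.ORGANIZATION, "AssignRole": Depth.ORGANIZATION,
                 "ReadAccount": Depth.BUSINESS_UNIT, "WriteAccount": Depth.USER}

if __name__ == "__main__":
    for priv, (held, need) in sorted(elevation_gaps(SUPPORT_DRAFT, ASSIGNABLE).items()):
        print(f"{priv}: holds {held.name}, needs {need.name}")
    print("blocked:", blocked_roles(SUPPORT_DRAFT, ASSIGNABLE))
```

Run against an export of the real roles, the gap list is the minimum that has to be added to the custom role, or the set of roles that should stay with a full administrator.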