One of the requests we have seen in the field is for a custom admin security role in CRM 2011 where a group of users have permissions restricted to only certain administrative functions. One such example is to create custom admin role and restricting this role to creating users and assigning roles to users and other administrative functions but not to be able to work with Sales, Marketing, and Customer Service. So let’s take this scenario and see how we can achieve this custom admin role.
In CRM 2011 (On-Premise) create custom admin role and restrict this role to creating users and assigning roles to users and admin functions but not to be able to work with Sales, Marketing, and Customer Service
Steps to Resolution:
Details of Steps:
Using our CRM On Premise organization Contoso we created a role TestCustomAdminRole by making a copy from System Administrator role. To do this we went to Settings->Administration->Security Roles->System Administrator -> Actions->Copy Role:
When the new copied role opens we leave everything as is and Save and Close the role.
Now that we have created a copy of System Administrator role. Let’s assign this TestCustomAdminRole to a user. So we create a new user test user1 in Active Directory. Then we create this user in CRM organization Contoso. We assign administrative access mode to this user (and administrative license type).
As our custom admin role is ready and user is ready we assign our TestCustomAdminRole to the user test user1.
Test user1 is ready to create users and assign roles to them. We logon as test user1 and see that we don’t see Sales and Marketing areas in navigation:
We do see Service but when we click on service we only see Knowledge Base Articles
We are done! We have created a custom admin security role by creating a copy of System Administrator role and assigning it to a user with Administrative access mode (Administrative License). This user can do administrative functions and assign all roles (except System Administrator Role) to other users but cannot work with Sales, Marketing and Service (except view knowledge base).
NOTE: Currently in CRM 2011 if the roles being assigned have permissions for custom entities then the new custom admin role (copy of System Administrator) will not be able to assign those roles to users. To be able to assign roles with custom entities permissions we need to assign System Administrator Role to the custom admin user and set Access Mode to Administrative (so that custom admin does not have access to Sales, Marketing and Service Modules as is our goal here). In addition to this we must also have CRM 2011 Update Rollup 10 applied on the server. Please note that there is NO registry entry (AllowRoleAssignInAdminMode) needed. Update Rollup 10 has the fix built into the CRM code.
CRM 2011 UR10 is released which includes the below fix in the code for the issue mentioned about CRM 2011 and System admin role in administrative mode not able to assign roles with custom entities:
"The AllowRoleAssignInAdminMode option is requested to be enabled for users in the administrative mode."
Please refer to http://support.microsoft.com/kb/2710577
We have tried this but there seems to be a bug when you try to assign a userrole with permissions on a custom entity. In that case, administrative mode isnt working when assigning roles to users. Could you give this a try and let me know if you experience the same behaviour.
Thanks for bringing up this issue. Yes we are aware of this issue and it is being investigated. I will add your comment to the list of impacted customers by this issue. Can you please email me using Email Blog Author link on this post page :blogs.msdn.com/.../contact.aspx
"One such example is to create custom admin role and restricting this role to creating users and assigning roles to users and other administrative functions but not to be able to work with Sales, Marketing, and Customer Service."
What was the point of writing this article if you already know that there's a bug that prohibits assigning roles to others??
In CRM 4.0 a certain registry edit would do the trick. But in 2011 that doesnt help either. Can we have an expected resolution date for this bug fix?
I got the same issue.
Fauzia: Is this bug fixed or a is a workaround exists? It's very problematic on a CRM 2011 on premise project
Same issue here. Any update?
There are no workarounds currently unfortunately. Fix for the issue will be in CRM 2011 upcoming update rollup. As soon as the update rollup is released I will post the resolution here in this blog.
CRM 2011 UR10 is released which includes the below fix for the issue mentioned about CRM 2011 and custom admin role (even for assigning roles with custom entities)
Please refer to support.microsoft.com/.../2710577
Thanks for the update Fauzia! Will test this now..
Thanks for the fix in the rollup. With the custom administrator role, I still get this error when trying to change access mode for the user:
You need to have system administrator role and access mode Full to change access mode of a user.
Is there any way around this, or am I missing something?
I am sorry for the long delay in answering as I was on maternity leave till now. Are you not able to assign roles to users with an administrative access mode admin? The error did not come through. Were you able to resolve this or need further help.
Once again apologies for the delay