Dynamics CRM in the Field

Information from the Microsoft Dynamics CRM PFE team working in the field

How to Make a Custom Administrator Security Role in CRM 2011 (On-Premise)

How to Make a Custom Administrator Security Role in CRM 2011 (On-Premise)

  • Comments 11

One of the requests we have seen in the field is for a custom admin security role in CRM 2011 where a group of users have permissions restricted to only certain administrative functions. One such example is to create custom admin role and restricting this role to creating users and assigning roles to users and other administrative functions but not to be able to work with Sales, Marketing, and Customer Service.   So let’s take this scenario and see how we can achieve this custom admin role.

 

Our Objective:

In CRM 2011 (On-Premise) create custom admin role and restrict this role to creating users and assigning roles to users and admin functions but not to be able to work with Sales, Marketing, and Customer Service

 Steps to Resolution:

  1.  First we will create a copy TestCustomAdminRole of System Administrator role. This is because in CRM 2011 for security reasons a user must have same or higher privileges than the role they are assigning to other user.  So we are keeping the highest privileges so that the user with TestCustomAdminRole will be able to assign any role (except System Administrator) to other users.
  2. We will assign Administrative access mode to the user who will get TestCustomAdminRole assigned to them. Note that License Type is Administrative. Administrative access mode restricts the users privileges to  all administrative functions except Sales, Marketing, and Customer service (except knowledge base articles).

 

Details of Steps:

Using our CRM On Premise organization Contoso  we created a role TestCustomAdminRole by making a copy from System Administrator role. To do this we went to Settings->Administration->Security Roles->System Administrator -> Actions->Copy Role:

 

 

 

 

When the new copied role opens we leave everything as is and Save and Close the role.

Now that we have created a copy of System Administrator role.  Let’s assign this TestCustomAdminRole to a user. So we create a new user  test user1 in Active Directory.  Then we create this user in CRM organization Contoso. We assign administrative access mode to this user (and administrative license type).

 

 

 

As our custom admin role is ready and user is ready we assign our TestCustomAdminRole to the user test user1.

 

 

Test user1  is ready to create users and assign roles to them. We logon as test user1 and see that we don’t see Sales and Marketing  areas in navigation:

 


 

 We do see Service but when we click on service we only see Knowledge Base Articles

 

 

 

We are done! We have created a custom admin  security role by creating a  copy of System Administrator role and assigning it to a user with Administrative access mode (Administrative License). This user can do administrative functions and assign all roles (except System Administrator Role) to other users  but cannot work with Sales, Marketing and Service (except view knowledge base).

NOTE: Currently in CRM 2011 if the roles being assigned have permissions for custom entities then the new custom admin role (copy of System Administrator) will not be able to assign those roles to users. To be able to assign roles with custom entities permissions  we need to assign System Administrator Role to the custom admin user and set Access Mode to Administrative (so that custom admin does not have access to Sales, Marketing and Service Modules as is our goal here). In addition to this we must also have CRM 2011 Update Rollup 10 applied on the server. Please note that there is NO registry entry (AllowRoleAssignInAdminMode) needed. Update Rollup 10 has the fix built into the CRM code.

CRM 2011 UR10 is released which includes the below fix in the code for the issue mentioned about CRM 2011 and System admin role in administrative mode not able to assign roles with custom entities:

"The AllowRoleAssignInAdminMode option is requested to be enabled for users in the administrative mode."

Please refer to http://support.microsoft.com/kb/2710577   

 

  • Hi Fauzia,

    We have tried this but there seems to be a bug when you try to assign a userrole with permissions on a custom entity. In that case, administrative mode isnt working when assigning roles to users. Could you give this a try and let me know if you experience the same behaviour.

  • Hi Bas,

    Thanks for bringing up this issue. Yes we are aware of this issue and it is being investigated. I will add your comment to the list of impacted customers by this issue. Can you please email me using Email Blog Author link on this post page :blogs.msdn.com/.../contact.aspx

    Thanks

    Fauzia

  • "One such example is to create custom admin role and restricting this role to creating users and assigning roles to users and other administrative functions but not to be able to work with Sales, Marketing, and Customer Service."

    What was the point of writing this article if you already know that there's a bug that prohibits assigning roles to others??

    In CRM 4.0 a certain registry edit would do the trick. But in 2011 that doesnt help either. Can we have an expected resolution date for this bug fix?

  • I got the same issue.

    Fauzia: Is this bug fixed or a is a workaround exists? It's very problematic on a CRM 2011 on premise project

  • Same issue here. Any update?

  • Hi,

    There are no workarounds currently unfortunately. Fix for the issue will be in CRM 2011 upcoming update rollup. As soon as the update rollup is released I will post the resolution here in this blog.

    Regards

    Fauzia Awan

  • Thanks Fauzia!

  • Hi,

    CRM 2011 UR10 is released which includes the below fix for the issue mentioned about CRM 2011 and custom admin role (even for assigning roles with custom entities)

    "The AllowRoleAssignInAdminMode option is requested to be enabled for users in the administrative mode."

    Please refer to support.microsoft.com/.../2710577

    Fauzia

  • Thanks for the update Fauzia! Will test this now..

  • Hi,

    Thanks for the fix in the rollup. With the custom administrator role, I still get this error when trying to change access mode for the user:

    You need to have system administrator role and access mode Full to change access mode of a user.

    Is there any way around this, or am I missing something?

    Thanks,

    Peter

  • Hi Peter,

    I am sorry for the long delay in answering as I was on maternity leave till now. Are you not able to assign roles to users with an administrative access mode admin? The error did not come through. Were you able to resolve this or need further help.

    Once again apologies for the delay

    Thanks

    Fauzia

Page 1 of 1 (11 items)
Leave a Comment
  • Please add 3 and 3 and type the answer here:
  • Post