How to create a CRM 2011 user with ability to only create users and manage security roles?


  • Saturday, March 03, 2012 8:42 AM
     
     

    I want to create a security role and assign it to an admin-like support user who will ONLY be able to create users and assign security roles/teams. He should not be able to see any data or sales/marketing/support modules.

    First I tried creating a role from scratch but continuously got "insufficient privileges". Then I tried using the administrative CAL for the admin-like user and gave him the System Administrator role, but still, while adding some security roles, the system throws an insufficient privileges error. The error details show that the admin-like user does not have some privileges for a number of custom entities, e.g. Append to "test_geocode", as shown below:

    <Message>RoleService::VerifyCallerPrivileges failed. User: d781f6f3-ce50-e111-a96c-005056903a3e, PrivilegeName: prvAppendTotest_geocode, PrivilegeId: 5e16fa4f-c586-48a2-8e10-0243304cc6fa, Depth: Global, BusinessUnitId: b700abd8-4731-e111-8a9a-005056903a3e</Message>

    Can anyone please help?


    • Edited by MSDCRM Monday, March 05, 2012 7:49 AM

All Replies

  • Tuesday, March 13, 2012 2:09 PM
     
     
    Still struggling with this...does anyone have a solution?
  • Tuesday, March 13, 2012 3:10 PM
     
     
    In CRM 4.0 there were a number of "hidden" permissions that you never saw through the UI but were assigned to some of the built-in roles. Since you want users with this new role to be able to create users and add security roles to them, I would start by using the "Copy Role" item from More Action to copy the System Administrator role to a new role. Once you have done this, edit this new role and remove all of the capabilities that this user should not have.

    Visit my Blog: http://matthewchurilla.blogspot.com/

  • Tuesday, April 03, 2012 12:45 PM
     
     

    I have tried the same and done this:

    Copy the system admin role and leave all the permissions the same. Assign this role to the "user admin" user and set the license type to administrative. Try to assign security roles to a user.

    This is working, however, I would like to strip down the role so the user can't do customizations etc. But as soon as I set one permission to no access, it is not working anymore.

    I'm wondering if there is anyone who has got this working in the way we want.

  • Tuesday, April 03, 2012 6:40 PM
     
     Proposed Answer

    A user cannot assign any security privilege to other users which he himself does not have. Imagine a user who can make any other user a sales manager, but is himself restricted from having this permission. Please note that role assignment is a very high-security role and needs to be admin only.




    • Proposed As Answer by Hemant G Tuesday, April 03, 2012 6:40 PM
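
The rule stated in the answer above, applied to the error quoted in the question, as an added example that is not part of the original thread and not CRM's own code: it parses the `VerifyCallerPrivileges` message and lists which roles a delegated "user admin" could assign and which privileges block the rest. The depth comparison (Basic < Local < Deep < Global) is an assumption inferred from the `Depth` field in the error, and the role names and privilege sets other than `prvAppendTotest_geocode` are constructed for illustration.

```python
import re

# Access depths, shallowest to deepest (assumed ordering for the comparison).
DEPTH_RANK = {"Basic": 1, "Local": 2, "Deep": 3, "Global": 4}

ERROR_RE = re.compile(
    r"VerifyCallerPrivileges failed\. User: (?P<user>[0-9a-f-]{36}), "
    r"PrivilegeName: (?P<name>\w+), PrivilegeId: (?P<id>[0-9a-f-]{36}), "
    r"Depth: (?P<depth>\w+)"
)

def parse_privilege_error(message):
    """Return caller id, privilege name/id and depth from the error, or None."""
    m = ERROR_RE.search(message)
    return m.groupdict() if m else None

def missing_privileges(caller, role):
    """Privileges in `role` that the caller lacks or holds at a shallower depth."""
    return {
        name: depth for name, depth in role.items()
        if DEPTH_RANK.get(caller.get(name), 0) < DEPTH_RANK[depth]
    }

def assignable_roles(caller, roles):
    """Split roles into (assignable names, {blocked role: missing privileges})."""
    ok, blocked = [], {}
    for role_name, privs in roles.items():
        gaps = missing_privileges(caller, privs)
        if gaps:
            blocked[role_name] = gaps
        else:
            ok.append(role_name)
    return ok, blocked

# Error text as quoted in the question (BusinessUnitId field omitted).
ERROR_FROM_THREAD = (
    "RoleService::VerifyCallerPrivileges failed. "
    "User: d781f6f3-ce50-e111-a96c-005056903a3e, "
    "PrivilegeName: prvAppendTotest_geocode, "
    "PrivilegeId: 5e16fa4f-c586-48a2-8e10-0243304cc6fa, Depth: Global"
)
# Constructed sample data: a stripped-down caller role and two target roles.
USER_ADMIN = {"prvReadRole": "Global", "prvAssignRole": "Global",
              "prvAppendTotest_geocode": "Local"}
ROLES = {"Geocode Editor": {"prvAppendTotest_geocode": "Global"},
         "Role Reader": {"prvReadRole": "Local"}}

if __name__ == "__main__":
    print(parse_privilege_error(ERROR_FROM_THREAD))
    print(assignable_roles(USER_ADMIN, ROLES))
```

Running the gap check before trimming a copied role shows which privileges must stay in it for each role the support user is expected to hand out.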
  • Tuesday, April 03, 2012 8:43 PM
     
     Proposed Answer

    Hello,

    This question is about the security hierarchy. If your current user has access to create users, then he can also provide access to forms for those users. Then how is it possible for that user to not see the data?

    The solution is to create a copy role and write JScript on the form which states that if the user has the copy role, then hide these fields. Then that user will not be able to see all that data.

    Regards

    Abhishek

    • Proposed As Answer by Abhi CRM Tuesday, April 03, 2012 8:43 PM