Permissions Required to ‘Manage Roles’ in Dynamics CRM 2011

Paul Nieuwelaar, 22 April 2013

The ability to assign security roles to other users in Dynamics CRM is usually only given to System Administrators, however occasionally we have the need to give a regular user the ability to assign roles. You may not want to make this user a System Administrator, as this will give them access to everything, which may not be ideal.

In this blog post I will explain what permissions are required for a user to change the security roles of another user, without being System Admin themselves.

 Permissions Required to Manage Roles in Dynamics CRM 2011

First of all, for a user to have the ability to click the 'Manage Roles' button on a user, they must have 'Read' and 'Assign' privileges for the Security Role entity in the Business Management tab. Note that this can be restricted to Business Unit, Parent Child, or Organisation level access, so you can prevent them from changing roles of users in other business units if needed.

 Permissions Required to Manage Roles in Dynamics CRM 2011

I have created a new security role called ‘Manage Roles’ which only gives access to read and assign security roles; so this would be given to a user on top of their existing roles.

Once a user is assigned this role, they will be able to click the ‘Manage Roles’ button from user views and forms. However they can only assign and remove roles that they themselves have. For example, if the user with the Manage Roles permission has the Sales Manager role, they can assign and remove the Sales Manager role from other users, but they cannot for example, assign someone the Marketing Manager security role.

This is not directly dependent on them having the same security role, but rather the access permissions that make up the security role. This is why users with the Manage Roles ability are usually assigned the System Administrator role, so that they have all permissions and can therefore assign any role. Otherwise, if you don't want them to have system admin, you can simply assign them all the security roles they will need to be managing. This will then allow them to add and remove these roles from users, but not other roles such as System Administrator.