Assign custom security role to an administrative user to prevent privilege elevation

Note

If you have enabled Unified Interface only mode, before using the procedures in this article do the following:

  1. Select Settings (the gear icon) on the navigation bar.
  2. Select Advanced Settings.

The copy security role method is a quick and easy way to create a new security role based on an existing set of privileges. However, security role privileges can change with product updates, which can leave the copied security role out of date so that it no longer behaves as expected. This matters most when you want to let a certain group of administrative users assign security roles to other users. We recommend that you do not copy the System Administrator security role and assign the copy to users: the copy carries every privilege the System Administrator role had at the time it was copied, so a user holding it could assign the System Administrator role to any other user. In addition, privileges introduced by later product updates are not added to the copied role automatically, so over time the copy will lack privileges that System Administrator has and will no longer be able to assign security roles.

The following steps describe how to create a new custom security role whose privileges are limited to the Security Role entity. Because it is not a snapshot of another role, it remains valid across product updates and can continue to be used for security role assignments.

Create a new custom security role that only has access to "Security Role"

  1. Make sure that you have the System Administrator permissions.

    Check your security role

    • Follow the steps in View your user profile.

    • Don’t have the correct permissions? Contact your system administrator.

  2. Go to Settings > Security > Security Roles, and then choose New.

  3. Enter a role name, and then select the Business Management tab.

  4. Scroll down to the Entity list and set the Security Role entity privileges as follows:

    Privilege    Setting
    Create       Business Unit
    Read         Organization
    Write        Business Unit
    Delete       Business Unit
    Append       Business Unit
    Append To    Business Unit
    Assign       Business Unit

  5. Choose Save and Close.

Assign the new security role to an administrative user

  1. Go to Settings > Security > Users.
  2. Select an administrative user and then choose Manage Roles.
  3. Select the new security role.
  4. Also select every security role that this administrative user should be able to assign to other users. The user can only hand out roles whose privileges they already hold, so the roles you select here bound what the user can grant.
  5. Choose OK.
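The two procedures above, carried out against the Organization Service instead of the web UI, as an added example (this is not code from the article or from the product's own SDK samples). It assumes the Dynamics 365 SDK assemblies (Microsoft.Xrm.Sdk and Microsoft.Crm.Sdk.Messages), an already authenticated IOrganizationService, and that the seven Security Role entity privileges are named prvCreateRole, prvReadRole, prvWriteRole, prvDeleteRole, prvAppendRole, prvAppendToRole and prvAssignRole following the platform's prv{Action}{Entity} convention; the role name and the user and role IDs in the usage comment are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Added example: builds the "Security Role only" custom role from the article,
// verifies its privilege set, and assigns it to an administrative user.
public static class RoleAssignerSetup
{
    // Security Role entity privileges from the article's table. The prv* names are
    // an assumption based on the platform naming convention; confirm them against
    // the privilege entity in your organization. Access level mapping:
    // Business Unit = PrivilegeDepth.Local, Organization = PrivilegeDepth.Global.
    private static readonly (string Name, PrivilegeDepth Depth)[] ExpectedPrivileges =
    {
        ("prvCreateRole",   PrivilegeDepth.Local),
        ("prvReadRole",     PrivilegeDepth.Global),
        ("prvWriteRole",    PrivilegeDepth.Local),
        ("prvDeleteRole",   PrivilegeDepth.Local),
        ("prvAppendRole",   PrivilegeDepth.Local),
        ("prvAppendToRole", PrivilegeDepth.Local),
        ("prvAssignRole",   PrivilegeDepth.Local),
    };

    // Resolves privilege names to IDs. Throws on an unknown name rather than silently
    // creating a role with fewer privileges than intended.
    private static Dictionary<string, Guid> LookupPrivilegeIds(IOrganizationService service, IEnumerable<string> names)
    {
        var wanted = names.ToList();
        var query = new QueryExpression("privilege") { ColumnSet = new ColumnSet("name") };
        query.Criteria.AddCondition("name", ConditionOperator.In, wanted.Cast<object>().ToArray());
        var found = service.RetrieveMultiple(query).Entities
            .ToDictionary(e => e.GetAttributeValue<string>("name"), e => e.Id);
        var missing = wanted.Where(n => !found.ContainsKey(n)).ToList();
        if (missing.Count > 0)
            throw new InvalidOperationException("Unknown privilege(s): " + string.Join(", ", missing));
        return found;
    }

    // Creates the role in the caller's business unit. Run this as a System Administrator
    // in the root business unit so that child business units inherit the role.
    public static Guid CreateRoleAssignerRole(IOrganizationService service, string roleName)
    {
        var who = (WhoAmIResponse)service.Execute(new WhoAmIRequest());
        var role = new Entity("role");
        role["name"] = roleName;
        role["businessunitid"] = new EntityReference("businessunit", who.BusinessUnitId);
        Guid roleId = service.Create(role);

        var ids = LookupPrivilegeIds(service, ExpectedPrivileges.Select(p => p.Name));
        service.Execute(new AddPrivilegesRoleRequest
        {
            RoleId = roleId,
            Privileges = ExpectedPrivileges
                .Select(p => new RolePrivilege { PrivilegeId = ids[p.Name], Depth = p.Depth })
                .ToArray()
        });
        return roleId;
    }

    // Check: the role must carry exactly the seven Security Role privileges at the
    // expected depths and nothing else. A copied System Administrator role fails this.
    public static bool RoleMatchesSpec(IOrganizationService service, Guid roleId)
    {
        var actual = ((RetrieveRolePrivilegesRoleResponse)service.Execute(
            new RetrieveRolePrivilegesRoleRequest { RoleId = roleId })).RolePrivileges;
        var ids = LookupPrivilegeIds(service, ExpectedPrivileges.Select(p => p.Name));
        var expected = ExpectedPrivileges.ToDictionary(p => ids[p.Name], p => p.Depth);
        return actual.Length == expected.Count
            && actual.All(rp => expected.TryGetValue(rp.PrivilegeId, out var depth) && depth == rp.Depth);
    }

    // Assigns the new role plus every role the administrator is allowed to hand out
    // (step 4 of the second procedure): a user can only assign roles whose privileges
    // they already hold, so this set bounds what the administrator can grant.
    public static void AssignRoles(IOrganizationService service, Guid userId, IEnumerable<Guid> roleIds)
    {
        var related = new EntityReferenceCollection();
        foreach (var id in roleIds) related.Add(new EntityReference("role", id));
        service.Associate("systemuser", userId, new Relationship("systemuserroles_association"), related);
    }

    // Usage (service is an authenticated IOrganizationService; the IDs are placeholders):
    //   Guid roleId = CreateRoleAssignerRole(service, "Security Role Assigner");
    //   if (!RoleMatchesSpec(service, roleId)) throw new Exception("role privileges differ from spec");
    //   AssignRoles(service, adminUserId, new[] { roleId, salespersonRoleId });
}
```

RoleMatchesSpec is the check worth keeping around: run it again after a product update. The point of this role is that its seven Security Role privileges stay exactly as listed, whereas a copied System Administrator role would return a long list of extra privileges here and would still be missing any privilege introduced after the copy was made.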

Note

Dynamics 365 Customer Engagement (on-premises) is designed to prevent any elevation of security role privileges. A user can only assign roles whose privileges they already hold, so the administrative user cannot assign System Administrator, System Customizer, or any other security role whose privileges exceed their own.

See also