Create an administrative user and prevent elevation of security role privilege
The copy security role method is a quick and easy way to create a new security role based on an existing set of privileges. However, security role privileges can change with product updates which could render the new security role out-of-date and might not function as expected. This is especially true in the case where you want to allow a certain group of administrative users to assign security roles to your users. We recommend you not copy the System Administrator security role and assign it to users, since this would allow the users to elevate the assigned user to System Administrators. In addition, newer privileges from product updates will not be automatically added to the copied System Administrator security role resulting in the role having insufficient privileges to continue to assign security roles.
The following steps describe a method to create a new custom security role with privileges that will change dynamically with updates and therefore can continue to be used for security role assignments.
Create a new custom security role that only has access to "Security Role" entity
Make sure that you have the System Administrator permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
In the Power Platform admin center, select an environment.
Select Settings > Users + permissions > Security roles, and then select New.
Enter a role name, and then select the Business Management tab.
Scroll down to the Entity list and set the Security Role entity privileges as follows:
Privilege Setting Create Business Unit Read Organization Write Business Unit Delete Business Unit Append Business Unit Append To Business Unit Assign Business Unit
Select Save and Close.
Assign the new security role to an administrative user
- In the Power Platform admin center, select an environment.
- Select Settings > Users + permissions > Users.
- Select an administrative user and then choose Manage Roles.
- Select the new security role.
- Select all the security roles that the administrative user can assign to other users.
- Choose OK.
Model-driven apps in Dynamics 365, such as Dynamics 365 Sales and Customer Service, are designed to prevent any elevation of security role privileges. Therefore, the administrative user cannot assign System Administrator, System Customizer, or any security roles that have a higher privilege.
The above steps are for assigning roles to users who belong to the same Business Unit (BU) as the administrative user. To assign roles to child BU users, the administrative user's privileges need to have Deep (Parent:Child Business Units) privilege level for all the privileges of the child BU user.