创建安全角色,使其仅能创建角色和用户,而无需系统管理员角色
[英]Creating a security role to be able to only create roles and users without having system admin role
问题描述
CRM 2015: I want to be able to create a role for local IT to be able to add user accounts and assign roles. 
CRM 2015:我希望能够为本地IT创建角色,以便能够添加用户帐户和分配角色。
Regarding the 'adding roles' portion, is it simple enough just to create a role for local IT to 'write' to 'security' roles in the'business management' tab of 'security roles' at the user level? 关于“添加角色”部分,是否足够简单,只是为本地IT创建一个角色,以便在用户级别在“安全角色”的“业务管理”选项卡中“写入”“安全”角色?
2 个解决方案
解决方案1
2 已采纳 2017-03-19 21:51:38
No, this is not that simple. 不,这不是那么简单。 User cannot give another user privilege higher than he has (it would be a serious security hole). 用户不能给其他用户更高的特权(这将是一个严重的安全漏洞)。 So for example you have role to edit Security roles and you have Read access for Accounts in your Business Units. 因此,例如,您具有编辑安全角色的角色,并且对业务单位中的帐户具有读取权限。 If somebody in your Business unit has no Read access and only User access, you can add him Read access for Business Unit (the same you have), but you will not be able to give him Organizational access (so higher than yours). 如果您的业务部门中的某人没有“读取”访问权限,而只有“用户”访问权限,则可以为其添加“业务部门”的“读取”访问权限(与您相同),但是您将无法授予他“组织”访问权限(比您的组织访问权限高)。 You could imagine that if this would be possible, you will be able to basically give yourself Admin privilege and do whatever you want in CRM. 您可以想象,如果可能的话,您将基本上可以为自己赋予Admin特权,并可以在CRM中做任何您想做的事情。 Knowing that, it should be possible for you to create a role that for example have full access to Accounts, Contacts, Custom entities etc. and Security Roles. 知道这一点,您应该可以创建一个角色,例如,该角色具有对客户,联系人,自定义实体等和安全角色的完全访问权限。 This role would be able to modify other users access levels to Accounts, Contacts etc. but no other entities that they don't have privilege to. 该角色将能够修改其他用户对“帐户”,“联系人”等的访问级别,但不能修改他们没有权限的其他实体。
Exactly the same logic applies to assigning the Security Roles. 完全相同的逻辑适用于分配安全角色。 So user A cannot assign a Security Role to user B, if it gives user B privileges higher than has User A. 因此,如果用户A授予用户B的特权高于用户A的特权,则用户A无法为其分配安全角色。
In the end, it is very hard to properly implement the scenario that you described, because there are so many privileges and user needs to have a lot of them to even use the CRM. 最后,正确实施您描述的方案非常困难,因为存在如此众多的特权,并且用户甚至需要使用CRM才能拥有许多特权。 I've tried this once but could not satisfy the business requirement - it always ended up with using System Admin role, because there was always some scenario that could have not been handled by a user only with this "specific" security modification role. 我已经尝试过一次,但是不能满足业务需求-它总是以使用系统管理员角色结束,因为总是存在某些情况,只有使用此“特定”安全修改角色的用户才能处理。
解决方案2
1 2017-11-06 05:00:19
Assigning 'System Administrator' security role and changing Access Mode in user record to 'Administrative' helped me to achieve this. 分配“系统管理员”安全角色并将用户记录中的“访问模式”更改为“管理”有助于实现这一目标。 User still cannot access any transaction data. 用户仍然无法访问任何交易数据。 So, I think you can go for this approach. 因此,我认为您可以采用这种方法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.