How to assign the minimum permissions to a deployment administrator in Microsoft Dynamics CRM 4.0

Article translations Article translations
Article ID: 946686 - View products that this article applies to.
Expand all | Collapse all

On This Page

INTRODUCTION

This article describes how to assign the minimum permissions to a deployment administrator in Microsoft Dynamics CRM 4.0.

MORE INFORMATION

In your organization, there may be a need for a user who creates new organizations by using Deployment Manager. This user is the deployment administrator. Typically, different Microsoft Dynamics CRM administrators are not the same user. In this case, you must grant the user who runs Deployment Manager the permissions that are required to create a new organization.

The deployment administrator manages the Microsoft Dynamics CRM deployment. The deployment administrator has the following capabilities:
  • Create organizations
  • Import organizations
  • Enable organizations
  • Disable organizations
  • Edit organizations
Notes
  • The user who is the deployment administrator is not automatically added to the existing organization. However, the user can be added to an existing organization as a user in Microsoft Dynamics CRM.
  • The deployment administrator is the system administrator of any organization that the deployment administrator creates or imports. Additionally, the deployment administrator has access to the organization in Microsoft Dynamics CRM.
The deployment administrator must have the following roles and permissions:
  • On the computer that is running Microsoft SQL Server, the user must be a member of the following groups:
    • The local administrators group
    • The Microsoft SQL Server administrator group
    Note The user does not have to be a member of the following groups:
    • PrivReportingGroup
    • PrivUserGroup
  • On the computer that is running SQL Server Reporting Services, the user must have the following minimum privileges:
    • Content Manager Role privileges at the root folder level
    • System Administrator privileges at the site-wide setting level

SQL Server

The user must be added to the local administrator group. Additionally, the user must be added to the SysAdmin role. To do this, follow these steps:
  1. Add the user to the local administrators group. To do this, follow these steps:
    1. Log on to the Microsoft Dynamics CRM server as a user who has local administrator permissions.
    2. Click Start, click Administrative Tools, and then click Computer Management.
    3. Expand System Tools.
    4. Expand Local Users and Groups.
    5. Expand Groups.
    6. Right-click Administrators, and then click Properties.
    7. To add the account of the user who is installing Microsoft Dynamics CRM, click Add.
  2. Add the user to the SysAdmin role. To do this, follow these steps:
    1. Start SQL Server Management Studio.
    2. Expand Security, and then click Logins.
    3. Use one of the following steps:
      • If the user does not exist, right-click Logins, and then click New Login. Type the logon name of the user in the following format:
        domainname\useraccount
      • If the user exists, right-click the user's name, and then click Properties. Next, click Server Roles under Select a Page, and then click to select the following check boxes:
        • SysAdmin
        • Public

Microsoft Dynamics CRM server

To log on to the Microsoft Dynamics CRM server, and to start Deployment Manager, the user must be a local administrator. To add the user as a local administrator, follow these steps:
  1. Add the user to the local administrators group. To do this, follow these steps:
    1. Log on to the Microsoft Dynamics CRM server as a user who has local administrator permissions.
    2. Click Start, click Administrative Tools, and then click Computer Management.
    3. Expand System Tools.
    4. Expand Local Users and Groups.
    5. Expand Groups.
    6. Right-click Administrators, and then click Properties.
    7. To add the account of the user who is installing Microsoft Dynamics CRM, click Add.
  2. Add the user as a deployment administrator. To do this, follow these steps:
    1. Log on to the Microsoft Dynamics CRM server as a user who has installed Microsoft Dynamics CRM or as a user who is already a deployment administrator.
    2. Click Start, click All Programs, click Microsoft Dynamics CRM, and then click Deployment Manager.
    3. Right-click Deployment Administrators, and then click New Deployment Administrator.
    4. Add the user who you want to be a deployment administrator, and then click OK.

Active Directory directory service

The user who creates, modifies, edits, and imports organizations in Microsoft Dynamics CRM must have permissions in the following Microsoft Dynamics CRM security groups in Active Directory:
  • ReportingGroup
  • PrivUserGroup
  • UserGroup
Note There are five Microsoft Dynamics CRM security groups. But, the deployment administrator needs access to only three of the five groups.

The deployment administrator must have the following permissions in the security groups:
    Permissions
    • Read
    • Write
    • Add/Remove self as member

    Advanced permissions
    • List Contents
    • Read All Properties
    • Write All Properties
    • Read Permissions
    • Modify Permissions
    • All Validated Writes
    • Add/Remove self as member

To add these permissions for the user in the three Microsoft Dynamics CRM security groups, follow these steps:
  1. Log on to the domain controller server as a user who has domain administrator permissions.
  2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  3. On the View menu, click Advanced Features.
  4. In the navigation pane, expand the tree to one of the following security groups:
    • ReportingGroup
    • PrivUserGroup
    • UserGroup
  5. Right-click the security group, click Properties, and then click the Security tab.
  6. In the Group or user names list, click the user account. If the account is not listed, click Add to add the user account of the user who is installing Microsoft Dynamics CRM.
  7. Click to select the Allow check box for the Write permission. This action causes the system to automatically select the Add/Remove self as member check box.

    Note By default, the Allow check box is selected for the Read permission.
  8. Click Advanced.
  9. In the Permission list, click the user account of the user who is installing Microsoft Dynamics CRM, and then click Edit.
  10. Click to select the Allow check box for Modify Permissions.

    Note By default, the Allow check box is selected for the following permissions:
    • List Contents
    • Read All Properties
    • Write All Properties
    • Read Permissions
    • All Validated Writes
    • Add/Remove self as member
  11. Click OK three times.
  12. Repeat steps 4 through 10 earlier in this section for the other two security groups.

SQL Server Reporting Services server

Add the Content Manager role at the root level for the user who is installing Microsoft Dynamics CRM. Additionally, add the System Administrator role at site-wide level for the user who is installing Microsoft Dynamics CRM. To do this, follow these steps on the computer that is running Reporting Services:
  1. Start Windows Internet Explorer, and then locate the following site:
    http://srsserver/reports
  2. Click the Properties tab, and then click New Role Assignment.
  3. In the Group or user name box, type the name of the installing user, click to select the Content Manager check box, and then click OK.

    Note Use the following format when you type the user name:
    domainname\username
  4. Click Site Settings.
  5. Under Security, click Configure site-wide security, and then click New Role Assignment.
  6. In the Group or user name box, type the name of the installing user, click to select the System Administrator check box, and then click OK.

    Notes
    • Use the following format when you type the name of the installing user:
      domainname\username
    • If you change the server on which Reporting Services is located, the deployment administrator must have the following permissions on the Reporting Services server:
      • Content Manager Role privileges at the root folder level
      • System Administrator privileges at the site-wide setting level
      The deployment administrator must have these permissions to edit the Microsoft Dynamics CRM organization to point to the new Reporting Services server.

Properties

Article ID: 946686 - Last Review: December 17, 2010 - Revision: 3.0
APPLIES TO
  • Microsoft Dynamics CRM 4.0
Keywords: 
kbtshoot kbmbsinstallation kbmbsmigrate kbhowto kbexpertiseinter KB946686

Give Feedback