The System Administrator role is a benefit and a curse to Dynamics developers

The System Administrator role reminds me of this quote from Blade Runner

“Replicants are like any other machine. They’re either a benefit or a hazard. If they’re a benefit, it’s not my problem”

I would change it to

“CRM Developers are like any other person. They are either a benefit or a hazard. If they’re a benefit, it’s not my problem”

or

“The System Administrator security role is not like any other security role. It’s a benefit and a hazard. When it’s a benefit it’s not the CRM Developers problem”

The System Administrator role gives CRM developer super human powers in the CRM world.

Sometimes a CRM developer will need more than the System Administrator role, if they want to deploy plugins not in a sandboxed CRM where they also need the Deployment Administrator role, which is a tricky customer, find out why in this blog Understanding and adding deployment Administrator role

Why is the System Administrator role great

The System Administrator role is different from other CRM security roles because it’s dynamic.

The System Administrator role automatically has access to all records and all system and custom entities.

One frustrating aspect of adding a new entity in CRM is automatically no security roles have access to it, until you set the privileges in the security. One security role has access to it, the System Administrator role who automatically has access to it.

What’s better is CRM does this for you automatically. If you want to read more about System Administrator role check my study notes on Business units and security roles.

The System Administrator role also has privileges on any Field level security profiles setup.

You can copy the System Administrator role by the copy will not automatically have the super powers of the System Administrator role and is a snapshot. So any new field level security profiles or entities added won’t be included in the copy.

So the System Administrator role is great for CRM developers because it means they have the rights to deploy plugins (Assuming they are deployment administrators) they can view all entities and there are not restrictions.

The dark side of the System Administrator role

Image for post
Image for post

Here is a list

  • You can accidentally delete data
  • It’s terrible for testing
  • You can accidentally deploy/remove solutions the wrong environment
  • You can forget to setup security roles for new entities/field level security

The System Administrator role is dangerous, you can delete data you aren’t meant to delete

The System Admin role is terrible for testing and is the cause of millions of CRM Developers saying

“I can’t recreate that problem in my system”

or

“It works ok for me?”

The first bad point is CRM Developers will usually do some integration testing using System Admin role, so if there are any security role/permission errors they completely miss them.

CRM developer will often follow up this bad practise by trying to reproduce the bug by testing with a System Administrator role and not be able to reproduce it.

How to guard against it

We can see System Administrator role can be a problem but how can you avoid those problems.

In non Developer environments like Test, Pre prod, etc don’t give CRM developer System Administrator role. Make the CRM Developer login as another user

Make sure CRM developers test their code with another user role. If you have a Test environment make sure the default security roles for a users windows login is not a System Admin role.

Make sure testing code using a different role is an expected part of the development process. It will be a good habit for the developers to form.

Written by

Have been working with Dynamics 365 since version 4 and enjoy reading and delivering enterprise projects

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store