Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The copy security role method is a quick and easy way to create a new security role based on an existing set of privileges. However, security role privileges can change with product updates, which could make the new security role outdated and might cause it to not function as expected. This issue is especially important when you want to allow a certain group of administrative users to assign security roles to your users. Don't copy the System Administrator security role and assign it to users, since this approach allows the users to elevate the assigned user to System Administrators. In addition, newer privileges from product updates aren't automatically added to the copied System Administrator security role, so the role has insufficient privileges to continue to assign security roles.
The following steps describe a method to create a new custom security role with privileges that change dynamically with updates and therefore can continue to be used for security role assignments.
Create a new custom security role that only has access to Security Role table
Make sure that you have the System Administrator permissions.
Check your security role
Follow the steps in View your user profile.
Don’t have the correct permissions? Contact your system administrator.
Sign in to the Power Platform admin center.
In the navigation pane, select Manage.
In the Manage pane, select Environments.
Select an environment.
Select Settings > Users + permissions > Security roles, then select New.
Enter a role name, then select the Business Management tab.
Scroll down to the Table list and set the Security Role table privileges as follows:
Privilege Setting Create Business Unit Read Organization Write Business Unit Delete Business Unit Append Business Unit Append To Business Unit Assign Business Unit 
Select Save and Close.
Assign the new security role to an administrative user
- Sign in to the Power Platform admin center.
- In the navigation pane, select Manage.
- In the Manage pane, select Environments.
- Select an environment.
- Select Settings > Users + permissions > Users.
- Select an administrative user and then choose Manage Roles.
- Select the new security role.
- Select all the security roles that the administrative user can assign to other users.
- Choose OK.
Note
The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) prevent any elevation of security role privileges. Therefore, the administrative user can't assign System Administrator, System Customizer, or any security roles that have a higher privilege.
The steps in this article are for assigning roles to users who belong to the same Business Unit (BU) as the administrative user. To assign roles to child BU users, the administrative user's privileges need to have Deep (Parent:Child Business Units) privilege level for all the privileges of the child BU user.
See also
Global and Service administrators can administer without a license