CRM 2015: I want to be able to create a role for local IT to be able to add user accounts and assign roles.
Regarding the 'adding roles' portion, is it simple enough just to create a role for local IT to 'write' to 'security' roles in the'business management' tab of 'security roles' at the user level?
No, this is not that simple. User cannot give another user privilege higher than he has (it would be a serious security hole). So for example you have role to edit Security roles and you have Read access for Accounts in your Business Units. If somebody in your Business unit has no Read access and only User access, you can add him Read access for Business Unit (the same you have), but you will not be able to give him Organizational access (so higher than yours). You could imagine that if this would be possible, you will be able to basically give yourself Admin privilege and do whatever you want in CRM. Knowing that, it should be possible for you to create a role that for example have full access to Accounts, Contacts, Custom entities etc. and Security Roles. This role would be able to modify other users access levels to Accounts, Contacts etc. but no other entities that they don't have privilege to.
Exactly the same logic applies to assigning the Security Roles. So user A cannot assign a Security Role to user B, if it gives user B privileges higher than has User A.
In the end, it is very hard to properly implement the scenario that you described, because there are so many privileges and user needs to have a lot of them to even use the CRM. I've tried this once but could not satisfy the business requirement - it always ended up with using System Admin role, because there was always some scenario that could have not been handled by a user only with this "specific" security modification role.
Assigning 'System Administrator' security role and changing Access Mode in user record to 'Administrative' helped me to achieve this. User still cannot access any transaction data. So, I think you can go for this approach.
来源:https://stackoverflow.com/questions/42887720/creating-a-security-role-to-be-able-to-only-create-roles-and-users-without-havin