The System Administrator role is a benefit and a curse to CRM developers

The System Administrator role reminds me of this quote from Blade Runner

“Replicants are like any other machine. They’re either a benefit or a hazard. If they’re a benefit, it’s not my problem”

I would change it to

“CRM Developers are like any other person.  They are either a benefit or a hazard.  If they’re a benefit, it’s not my problem”


“The System Administrator security role is not like any other security role.  It’s a benefit and a hazard.  When it’s a benefit it’s not the CRM Developers problem”

The System Administrator role gives CRM developer super human powers in the CRM world.

Sometimes a CRM developer will need more than the System Administrator role, if they want to deploy plugins not in a sandboxed CRM where they also need the Deployment Administrator role, which is a tricky customer, find out why in this blog Understanding and adding deployment Administrator role

Why is the System Administrator role great

The System Administrator role is different from other CRM security roles because it’s dynamic.

The System Administrator role automatically has access to all records and all system and custom entities.

One frustrating aspect of adding a new entity in CRM is automatically no security roles have access to it, until you set the privileges in the security.  One security role has access to it, the System Administrator role who automatically has access to it.

What’s better is CRM does this for you automatically.  If you want to read more about System Administrator role check my study notes on Business units and security roles.

The System Administrator role also has privileges on any Field level security profiles setup.

You can copy the System Administrator role by the copy will not automatically have the super powers of the System Administrator role and is a snapshot.  So any new field level security profiles or entities added won’t be included in the copy.

So the System Administrator role is great for CRM developers because it means they have the rights to deploy plugins (Assuming they are deployment administrators) they can view all entities and there are not restrictions.

The dark side of the System Administrator role

Here is a list

  • You can accidentally delete data
  • It’s terrible for testing
  • You can accidentally deploy/remove solutions the wrong environment
  • You can forget to setup security roles for new entities/field level security

You can accidentally delete data

The System Administrator role is dangerous, you can delete data you aren’t meant to delete

It’s terrible for testing

The System Admin role is terrible for testing and is the cause of millions of CRM Developers saying

“I can’t recreate that problem in my system”


“It works ok for me?”

The first bad point is CRM Developers will usually do some integration testing using System Admin role, so if there are any security role/permission errors they completely miss them.

CRM developer will often follow up this bad practise by trying to reproduce the bug by testing with a System Administrator role and not be able to reproduce it.

How to guard against it

We can see System Administrator role can be a problem but how can you avoid those problems.

Don’t give System Admin roles automatically

In non Developer environments like Test, Pre prod, etc don’t give CRM developer System Administrator role.  Make the CRM Developer login as another user

Test code without System Admin role

Make sure CRM developers test their code with another user role.  If you have a Test environment make sure the default security roles for a users windows login is not a System Admin role.

Make sure testing code using a different role is an expected part of the development process.  It will be a good habit for the developers to form.


6 thoughts on “The System Administrator role is a benefit and a curse to CRM developers

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s