Global admin and system administrator role

If a user is defined as a global admin he automatically gets the system administrator role assigned in our D365 tenant. Is it possible to prevent this? As we have sensitive HR information in the system we do not want to allow the system admin to see this data automatically. Adjusting the system administrator role itself is not possible. Has anyone solved this or a similar problem?

@Frank_Vukovits know any one who is good with Dynamics security? :thinking:

Aleksandar,

The System Administrator role is not editable, and has full access to all data within the system.

Based on your request, it sounds like you would like to create a ‘limited’ SysAdmin role so users could perform their day to day operations but cannot see sensitive information.

This would comprise of assigning full rights to all objects but removing the access to areas you don’t want the user to see (such as the HR information you brought up).

I don’t think it’s possible to edit this.

Due to the absence of a better solution, a pre-operation plugin on ‘retrieve’ and ‘retrieve multiple’ operations has currently been implemented. If the initiating user is a system administrator, the fetch expression is augmented with an additional filter condition targeting the ‘ownerid’ attribute. This filter ensures that the ownerid matches the initiating user’s ID, allowing system administrators to view only their own records. The likelihood of a global administrator (who possesses the system administrator role) disabling these plugin steps is considered low. :face_with_hand_over_mouth: