Right now, thanks to GDAP, partner could ask customer to have Dynamics 365 Admin role in the tenant, to be able to access the BC and support customers.
But for many customers (mostly corporate customers having centralized tenant administration) this brings a problem. In these environments, the administration is done in-house. In this case there is not possibility to assign permissions to partner to be able to connect BC environment as delegated user to support end-users, but disallow him to manage the environments. Another problem is, that in these cases there are multiple BC partners doing support for different environments (e.g. UK, US, CZ environments in one tenant, each "supported" by local partner in the country) and in this case, there is no standard way how to limit each partner to connect only to selected Environment (could be workadounded by removing default permissions for Delegated admin license and let someone assign the permissions when some Partner's user need access). But still, Partner from CZ could easilly delete environemnt of partner from UK (for example).
Possible solutions:
- Split Delegated Admin rights (to access admin portal as delegated admin) from Delegated User rights (access BC environment as delegated user) - it means partner could ask to be admin (D365 Admin role) or user (some new role?)
- Add possibility for customer to assign environments to GDAP Partner relation - it means if environment is created by partner A, it will be maintained by partner A, not B,C etc. and other partners will not have access into it. Customer must be able to assign the Partner relation to the environment (in case of change of the partner etc.)
Possibility 2 is better because the Partner will have access to admin tools like Active Session list, App list etc. and can work with these for environments, which are under his relation.
Comments
I would go further and say it is also desirable as a larger ISV to be able to not have to give everyone admin on customer side to do support inside BC. Currently there is only 1 GDAP role which is admin having the option as partner to restrict based on roles in the partner company is very desirable ideally I don't want people that don't to environment administration on a daily basis any kind of access there. So having a separate admin and user role would be very desirable for this.
Category: Tenant Administration
We would love to have these features implemented.Always an issue with large enterprise customers.Would also be great with an admin role which only gives access to Business Central and not also F&O, CE and so on.
Category: Tenant Administration
Of course, to have both solution will be best, because we can cover multiple cases with these...
Category: Tenant Administration
Business Central Team (administrator)