it should still fix some issue

Your approach of adding an administrator to your app is not very functional: what if you need to add more roles? My suggestion is to use a gem for your roles, like Rolify (with Rolify you can create any role), and a gem to allow and deny permissions, like CanCanCan.
user = User.find(1)

# Inside Ability#initialize(user), in the class that includes CanCan::Ability
user ||= User.new # guest user (not logged in)
if user.has_role? :admin
  can :manage, :all
else
  can :read, :all
end

# In your application_controller.rb
rescue_from CanCan::AccessDenied do |exception|
  if exception.message.match(/are not/i)
    redirect_to root_path, :alert => "Oouch... no estás autorizado para acceder a esta página"
  else
    redirect_to root_path, :alert => exception.message
  end
end
seems to work fine

No, this is not that simple. A user cannot give another user a privilege higher than he has (it would be a serious security hole). So, for example, you have a role to edit Security Roles and you have Read access for Accounts in your Business Units. If somebody in your Business Unit has no Read access and only User access, you can add Read access for the Business Unit for him (the same as you have), but you will not be able to give him Organizational access (so higher than yours). You can imagine that if this were possible, you would be able to basically give yourself the Admin privilege and do whatever you want in CRM. Knowing that, it should be possible for you to create a role that, for example, has full access to Accounts, Contacts, Custom entities etc. and Security Roles. This role would be able to modify other users' access levels to Accounts, Contacts etc., but not to other entities that they don't have privilege to. Exactly the same logic applies to assigning Security Roles. So user A cannot assign a Security Role to user B if it gives user B privileges higher than user A has.
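The rule described in the answer above (a grant may never exceed the granter's own access level), sketched as an added Ruby example; it is not Dynamics CRM code and not part of the original answer. The level ordering, the privilege names such as `security_role.assign`, and the sample roles are assumptions constructed for illustration.

```ruby
# Simplified, constructed model of the "no grant above your own level" rule.
# Access levels ordered lowest to highest; names follow the answer's wording.
LEVELS = { none: 0, user: 1, business_unit: 2, organization: 3 }.freeze

# A role maps a privilege name (hypothetical "entity.action" strings) to a level.
Role = Struct.new(:name, :privileges)

# Effective privileges of a principal: the highest level granted by any held role.
# Privileges that no role mentions default to :none.
def effective_privileges(roles)
  roles.each_with_object(Hash.new(:none)) do |role, acc|
    role.privileges.each_pair do |priv, level|
      acc[priv] = level if LEVELS.fetch(level) > LEVELS.fetch(acc[priv])
    end
  end
end

# Privileges in `role` that exceed what the granter holds. Empty means no escalation.
def excess_privileges(granter_roles, role)
  held = effective_privileges(granter_roles)
  role.privileges.select { |priv, level| LEVELS.fetch(level) > LEVELS.fetch(held[priv]) }
end

# The granter needs the right to assign roles at all, and every privilege in the
# role must be at or below the granter's own level for that privilege.
def can_assign?(granter_roles, role)
  held = effective_privileges(granter_roles)
  return false if held["security_role.assign"] == :none
  excess_privileges(granter_roles, role).empty?
end

# Constructed sample data mirroring the answer's scenario.
MANAGER = [Role.new("BU manager", { "account.read" => :business_unit,
                                    "security_role.assign" => :business_unit })].freeze
BU_READER  = Role.new("Account reader (BU)",  { "account.read" => :business_unit })
ORG_READER = Role.new("Account reader (Org)", { "account.read" => :organization })
SYS_ADMIN  = Role.new("System admin", { "account.read" => :organization,
                                        "security_role.assign" => :organization })

if __FILE__ == $PROGRAM_NAME
  [BU_READER, ORG_READER, SYS_ADMIN].each do |role|
    verdict = can_assign?(MANAGER, role) ? "allowed" : "denied"
    puts "#{role.name}: #{verdict} #{excess_privileges(MANAGER, role)}"
  end
end
```

Logging the result of `excess_privileges` on a denied assignment records exactly which privilege would have exceeded the granter's level, which is useful when auditing attempted role changes.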
Admin role global filter with Role and AllowAnonymous overrides?