Hey Sofi,
Thanks for posting.
In order to grant the app user specific permissions, you should run the Delegation Control wizard
on the domain and delegate only the OU users that the CRM guy works on.
For more info about the Delegation Control, follow the link below:
http://technet.microsoft.com/en-us/library/cc732524.aspx