Create Security In D365

Developers often forget to add security in D365. After developing a new form, report, or batch job in Microsoft Dynamics 365 for Finance and Operations, you need to create Menu Items so a user can see and run the new functionality. And those Menu Items need to be added to new or existing Security objects, in order for those Menu Items to be visible.

Review

Previously, I wrote the article Security in D365, which explains how security works. In it, I explain how Menu Items are grouped into a hierarchy of Privileges, Duties, and Roles. Afterwards, Users are assigned Roles. Roles provide users access to the Menu Items contained within those groupings.

In the next article, Customize Security In D365, I explained how to use the Security Configuration form. The Security Configuration form allows functional users to modify the existing security structure. Users can add existing Menu Items to different security nodes that they do not normally belong to.

However, using the Security Configuration has some limitations. Changes are stored in data. Therefore, it is not always clear who made the security changes and why. Additionally, in order to keep the security consistent across environments, the data must be exported and reimported to other environments.

Definitely, the Security Configuration form is very useful for non-technical users. However, the best place to make security changes is in the Application Explorer itself. These changes are made in code. And therefore, can be tracked using source control. And comments can be added as to why each change was made. Additionally, code can be promoted to different environments. And deployed along with all other customizations. Consequently, this helps ensure security is consistent across the environments.

In the third article, Change Security In D365, I explained how to extend security in D365 using the Application Explorer.

But oftentimes you want to create entirely new security objects. In this article I will explain how to create security in D365 using the Application Explorer.

An Example

To demonstrate how to create security in D365, I have come up with an example.

I will create a new Role, Duty, and Privilege. These security objects will allow a user to access one or more new Menu Items that display new forms.

In the last article, we extended an existing role, and added additional access to the Role. Another option would have been to duplicate the role, and then make changes. This is a quick approach.

Using the below example, another approach is to create an entirely new Role, with the additional permissions to the Menu Items your user needs. Then assign this new role to the users.

Create A Project

Before we go further, we need a project that is set to the Model we wish this change to be made to. There are multiple ways to create a new project, and then create an extension. I will share my preferred way.

First, in Visual Studio, go to File>New>Project. I am using Visual Studio 2019. Your next screens may look somewhat different.

Secondly, select the Finance Operations project template. Then click Next.

Thirdly, enter a value under ‘Project name’. Then click the Create button.

Fourthly, right click on the Project node in the Solution Explorer window, and select ‘Properties‘.

A dialog will open up. Finally, set the Model property to the name of the model you wish your changes to exist in. If you are not sure what this means, or need more help, see this article on how to create a model in D365. Click ‘Ok‘ to close the dialog.

Also, I recommend you set the ‘Synchronize Database on Build’ property to ‘True’. This is needed for security changes.

Multiple Approaches

Now that we have a Project that is set to use our Model, we can create security in D365. There are a couple approaches we can take.

  1. You can create a Menu Item. Then create a Privilege. And add the Menu Item as an Entry Point to that Privilege. Then create a Duty and add the Privilege. And finally create a Security Role, and add the Duty.
  2. Conversely, you can take the opposite approach. You can create a security Role. Then, a Duty. Next, a Privilege. And add Menu Items to that Privilege. Then, add that Privilege to the Duty you created. Finally add the Duty to the Security Role you created.

Which approach you take will depend on your personal preference and the way you think about the hierarchy you need created. To help beginners, I will demonstrate the second approach because it may be easier to follow. But in practice, I think I usually prefer to take the first approach.

Create A Security Role

A Security Role essentially works as a hierarchy or grouping of other nodes that ultimately contain access levels to Menu Items. See the Microsoft documentation here. Developers can add Duties, Privileges, and even other Roles using the designer window. Roles are then assigned to Users, giving them access to Menu Items within D365.

To start, right click on the project in the Solution Explorer, and select Add>New Item.

Next, locate and select ‘Security Role’ from the list.

Enter in a name. In my case, I will name the role ‘tutorialVehicleMaintenanceRole’.

Finally, click the ‘Add’ button.

The new role is created.

The system may open the role in the designer window. If not, double click on the role in the Solution Explorer to open the designer window.

The designer window will show the various nodes included in a Role. Privileges, sub roles, and Duties can be created and/or added to a security Role.

Select the top node, right click and select ‘Properties’.

In the Properties window, enter in a value for ‘Label’ and ‘Description’. In my example I entered ‘Vehicle maintenance’. This is the text that users will see when assigning a role on the Users form.

In this example, we will now create a new Duty, and add the Duty to this Role. We could skip this step and go straight to creating a Privilege. However, creating a Duty is the best practice and provides a better structure. And makes it easier for developers to maintain the security objects in the future.

Create A Duty

The next step in learning how to create security in D365 is to create a Duty. While Security Roles provide a larger grouping of permissions such as ‘Auditor’ or ‘Accounts receivable clerk’, Duties are a smaller group. Duties should contain the access needed to complete a particular business process, such as ‘Customer invoicing’ or ‘Process customer rebates’. See the Microsoft documentation here.

Duties can be assigned to more than one security role. This makes sense, as different people with different jobs or roles may need to perform the same process within the system.

To create a Duty, right click on the Visual Studio project. Select Add>New Item.

Select ‘Security Duty’ from the list. Enter a name. Then click ‘Add’.

In my example, I gave it the name tutorialVehicleServicingDuty.

Double click on the Duty within the Solution Explorer to open the designer window.

Duties are pretty simple. One or more Privileges can be added to a Duty.

Again, right click on the top node and select ‘Properties’.

Enter in a value for the ‘Label’ and ‘Description’ property. In my example, I entered ‘Vehicle servicing’.

At this point we could add existing Privileges or create a Privilege to add. I will create one.

Create A Privilege

Similar to before, Privileges contain access to one or more Menu Items that are used to accomplish an even smaller task or job. See the Microsoft documentation here.

To create a Privilege, right click on the Visual Studio project. Select Add>New Item.

Select ‘Security Privilege’ from the list. Enter a name. Then click ‘Add’.

In my example, I entered the name ‘tutorialVehicleServiceMaintain’.

Double click on the node within the Solution Explorer. This opens the designer for the Privilege.

Right click on the main node in the designer and select ‘Properties’. Set the Label property for the Privilege. In my example, I named mine ‘Vehicle service maintenance’.

Add Entry Points to Privilege

A Privilege is the lowest level of the security nodes. This is where we add Entry Points, which are the Menu Items that open our forms, reports, and batch jobs.

Go to the Application Explorer, and find the Menu Items you wish to add to this Privilege. In my case, I have several Menu Items that I created previously that make sense to add to this Privilege. I will add the Menu Items named rsmVehicle and rsmVehicleServiceWorkbench.

Drag the Menu Items from the Application Explorer (or the Solution Explorer) to the Entry Points node of the Privilege.

Alternately, you can right click on the Entry Points node and select ‘New Entry Point‘. Then, set the Name, Object Name, and Object Type properties. Therefore, dragging a Menu Item is more efficient.

Set Privilege Access Level

When learning how to create security in D365, there is still one more important thing needed. We need to set the Access Level that this Privilege provides to a user accessing these Menu Items.

When creating Privileges, it is common to create two Privileges. One that ends in the word ‘Maintain‘, that provides full access to Users who are assigned Roles with this Privilege. And then a second Privilege, that ends in the word ‘View‘. This Privilege will provide read-only access.

I will show you how to set these up next.

Maintain

In the designer of the tutorialVehicleServiceMaintain Privilege, select a node under Entry Points, right click on the node, and select Properties. In the Properties window, you will see a Property named Access Level. The value of this property determines what the user can do on the form that this Menu Item opens.

The Access Level is initially set to ‘Unset‘.

In this example, set the Access Level to ‘Delete‘.

This means that Roles with this Privilege will provide users with the ability to Delete records on the form that is opened by this Menu Item. In addition users will be able to create, update, and read data.

To understand further, any value set, will include the permissions of any value higher in the list. So for example, the Create Access Level, will include permissions to Update, and Read. But users will not be able to ‘Delete‘ records.

As a best practice, privileges that end in the word ‘Maintain‘, often have an Access Level of ‘Delete‘. However, this is not a rule and should always be reviewed.

Set the Access Level property for all nodes under the Entry Points node.

View

After creating the Maintain Privilege, we can now create a read-only Privilege that ends in the word ‘View’.

There are two approaches you can take. First, you can follow the steps above, starting with creating a Privilege named ‘tutorialVehicleServiceView‘. And set the Access Level on the entry points to ‘Read‘. Or, you can duplicate the existing tutorialVehicleServiceMaintain Privilege, rename it, and then set the Access Levels to ‘Read‘.

I will show you the second way.

First, make sure you have clicked Save to save your first Privilege. Secondly, select the tutorialVehicleServiceMaintain node in the Solution Explorer. Next, in the Menu, go to Edit>Copy. Then, in the Menu, go to Edit>Paste. A new copy of the node will show in the Solution Explorer.

Right click on the tutorialVehicleServiceMaintainCopy node, and then select ‘rename’. Change the name to be ‘tutorialVehicleServiceMaintainView‘.

Double click on the node to open it in the Designer window.

For each node under Entry Points, select the node, and set the Access Level in the Properties window to be ‘Read‘.

Add Privilege To Duty

Now that we have created Privileges, a Duty, and a Role, we need to link them all together.

First, double click on your Duty. In my example, the Duty is named tutorialVehicleServicingDuty. This will open up the designer.

Secondly, select and drag the Privilege named tutorialVehicleServiceMaintain to the Privileges node. Note: We only need to add one Privilege to this Duty because this Privilege has full access. The second Privilege should be used on a different Role or Duty, as it only provides Read access.

Add Duty To Role

Moving up the hierarchy, we can now add the Duty to the Role we created.

First, double click on your Role. In my example, the Role is named tutorialVehicleMaintenanceRole. This will open up the designer.

Secondly, select and drag the Duty named tutorialVehicleServicingDuty to the Duty node.

If you are curious, you can also view all the Security objects in the Application Explorer under the Security node.
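Once the Privileges, Duty, and Role are linked, it is worth checking what each Role actually grants. The following is an added example, not code from this article or from Microsoft: it models the hierarchy as plain Python dictionaries (constructed sample data, not the real metadata files), resolves the highest Access Level a Role reaches per Menu Item, and flags entry points left ‘Unset‘ or ‘View‘ privileges that grant more than ‘Read‘, as can happen when a copied Maintain privilege is not fully reset. The names tutorialVehicleDraft, tutorialVehicleInquiryDuty, and tutorialVehicleInquiryRole are hypothetical, and the NoAccess and Correct levels are not named in the article.

```python
# Access Levels, lowest to highest; each level includes every level before it.
# Unset, Read, Update, Create and Delete are named in the article; NoAccess and
# Correct are further designer values, included here as an assumption.
LEVELS = ["Unset", "NoAccess", "Read", "Update", "Create", "Correct", "Delete"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample data: privilege -> {entry point (Menu Item): Access Level}
PRIVILEGES = {
    "tutorialVehicleServiceMaintain": {"rsmVehicle": "Delete",
                                       "rsmVehicleServiceWorkbench": "Delete"},
    # Copy of the Maintain privilege where one entry point was never reset.
    "tutorialVehicleServiceView": {"rsmVehicle": "Read",
                                   "rsmVehicleServiceWorkbench": "Delete"},
    "tutorialVehicleDraft": {"rsmVehicle": "Unset"},  # hypothetical privilege
}
DUTIES = {  # duty -> privileges (the Inquiry duty is hypothetical)
    "tutorialVehicleServicingDuty": ["tutorialVehicleServiceMaintain"],
    "tutorialVehicleInquiryDuty": ["tutorialVehicleServiceView", "tutorialVehicleDraft"],
}
ROLES = {  # role -> duties (the Inquiry role is hypothetical)
    "tutorialVehicleMaintenanceRole": ["tutorialVehicleServicingDuty"],
    "tutorialVehicleInquiryRole": ["tutorialVehicleInquiryDuty"],
}

def allows(granted, needed):
    """True if the granted level includes the needed one (Read or higher)."""
    return RANK[granted] >= RANK[needed] > RANK["NoAccess"]

def effective_access(role):
    """Highest Access Level a role reaches per Menu Item, across all its duties."""
    best = {}
    for duty in ROLES[role]:
        for priv in DUTIES[duty]:
            for item, level in PRIVILEGES[priv].items():
                best[item] = max(best.get(item, "Unset"), level, key=RANK.get)
    return best

def review_privileges():
    """Flag entry points left Unset and View privileges granting above Read."""
    findings = []
    for priv, entries in sorted(PRIVILEGES.items()):
        for item, level in sorted(entries.items()):
            if level == "Unset":
                findings.append((priv, item, "Access Level left Unset"))
            elif priv.endswith("View") and allows(level, "Update"):
                findings.append((priv, item, f"View privilege grants {level}"))
    return findings

if __name__ == "__main__":
    print(review_privileges(), effective_access("tutorialVehicleInquiryRole"), sep="\n")
```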

Synchronize The Database

Next, there is a very important step. You must synchronize the database. If you do not do this, the security role will not show up in your list of roles to add to a user.

To do this, right click on the project in Visual Studio, and select ‘Properties’.

Set the ‘Synchronize database on build‘ property to ‘True’. Then, build your solution by going to Build>Build solution.

Add Role To User

We have finished the steps to create security in D365. However, until we assign the newly created Role to one or more Users, they will not have access to the objects within those security objects.

First, make sure you save all of your objects in Visual Studio. Then, in the Menu, go to Build>Build Solution.

Next, open a browser and navigate to D365. In the top search, search for ‘Users’ and push enter, to go to the Users form.

Select the blue text under User ID for one record on the grid. This will open the details of this user.

On this form, click the ‘Assign roles’ button.

In the Dialog that pops up, search for the Role you just created. Select the record, and then click ‘Ok’. This will add the Role to the user. And allow this user to access the Menu Items contained within this Role.

Summary

In this article, you learned how to create security in D365. You learned how to create a new Role, Duty, and Privilege. Then, you learned how to set the Access Level on the Entry Points. And finally, you learned how to link the nodes together, and assign a Role to a user.

In these four articles, you have learned all about security. What it is. And how you can change and customize security using the Security Configuration form, as well as Visual Studio. And when you should use each. I hope you learned a lot. And I look forward to what else I can teach you. Thanks!

Peter Ramer
Peter Ramer is a part of the Managed Application Services team at RSM working on Microsoft Dynamics 365. He focuses on the Retail and Commerce industries. When he is not solving problems and finding ways to accelerate his clients' business, he enjoys time with his three kids and amazing wife.

10 thoughts on “Create Security In D365”

  1. Nice info! Microsoft Dynamics 365 is a powerful customer relationship management (CRM) platform that focuses on sales pipeline management and full transparency on other related activities. It offers user-configurable automation, enforces business rules, and guides users to adopt best practices when performing their daily tasks.

    Thanks for sharing……

  2. Can you explain how to assign a security policy to security role in the specific user? This blog is very useful and awesome information for all.

    1. Yes, I think it will be interesting. AI is good at pattern recognition and can help determine when people use forms they don’t normally use. And help see if someone does not need as much access as they have.

  3. Great post. I rely on your site a lot as a D365 development reference.

    I have an issue where sub-roles were added to a built-in role in 2012 and I’m converting code to D365.

    I created an extension of the built-in role in D365, but for some reason it’s not allowing me to add any roles to the sub-roles in the extension. Any ideas? I have no trouble adding sub-roles to a completely custom role.
