Customize Security In D365

Share this:

In this article I will teach you how to customize security in D365 using the Security Configuration form. How to add new Roles, and add Menu Items to them.

In the last article, titled ‘Security in D365‘, I explained how to setup a D365 User, and add Roles to that User. Additionally, you learned how each Role is a collection of one or more Duties and Privileges. Which provide access to the menu items contained within those groupings.

Now that you understand the components of the structure, I will explain how to use that structure. And how to add and make changes to the security structure.

Understanding The Security Hierarchy

Before making any immediate changes, it is very important to understand that Microsoft has already defined the security in D365 for all of the base Microsoft Menu Items. Therefore, before you customize security in D365, you may just need to understand which Role already contains the access to Menu Item you need. And then, add that Role to a User.

In order to find which Roles contain that Menu Item, first, navigate to the Menu Item in D365. Then, in the Ribbon Bar, go to Options>Security diagnostics.

However, there are many times when adding an entire Role to a User would provide the user with too much access. Perhaps you only want the user to be able to access one or two additional menu items that are not already included in their Roles. And not all of the menu items that would be added if you were to add any additional Roles.

If that is the case, you need to customize the Security structure itself. This is the subject of this article.

There are two primary ways this hierarchy can be customized. First, I will describe them at a high level first. Then, I will show you some detailed examples.

Application Explorer

The first way to customize security in D365 is by using Visual Studio to define thee security objects in the Application Explorer. This is the preferred method.

The structure is defined in the code. Therefore, this security will be used by any environment the code is deployed to. Source control is also used to track who and when any changes are made to this structure. I will cover this in the next article.

Security Configuration Form

The second way to customize security in D365 is by using the Security Configuration form within D365. To find this form, go to System Administration>Security Configuration. A user can user this form to make customizations to Roles, Duties, and Privileges. As well as create entirely new groupings.

These changes are saved as data in the database. This means that when a user makes these changes in one environment they will only exist in that environment. In order for the security to be the same in another environment, a user will need to export and re-import the data into the target environment. Or, manually make the same changes in other environments if they want the security to be the same.

When To Use Each

Using the Security Configuration form can be a great tool for a non-technical user. Additionally, it can be very helpful in experimenting and coming up with desired changes to the security hierarchy. However, it is often recommended that after finding the right changes to make using this tool, the same changes be made in the Application Explorer. This ensures these changes can be consistently and correctly applied to all other environments.

Examples

To demonstrate how to use customize security in D365, I have come up with two examples. I will demonstrate the steps for these two examples. First by using first the Security Configuration form. And then secondly, in another article, by making the changes in the Application Explorer in Visual Studio.

  1. Add an existing menu item to a different existing Role. This is useful when you need a user to use a Menu Item that is not part of the Roles you have assigned them. It is also useful when it does not make sense to give the user access to an additional Role.
  2. Add a new Menu Item to to a new or existing Role. As a developer, you regularly will create new forms, reports, jobs, and more. In order to allow a user to use the new functionality you will need a Menu Item. Once you have a Menu Item created, that Menu Item needs to be added to either new or existing Security objects. This will allow users to access the Menu Item.

Add An Existing Menu Item To An Existing Role

Understand What Change Is Needed

In any of the below examples, replace the menu items and roles with your scenario. But the steps to follow should be the same.

For instance, let’s pretend you have a user that needs access to the Menu Item located at Accounts receivable>Setup>customer reason codes. But they do not have access to this form.

First, go to the System administration>Users form, and look at what Roles they have assigned to them. See that they have the ‘Retail operations manager’ role.

Secondly, go to the Accounts receivable>Setup>customer reason codes form and click on Options>Security diagnostics in the Ribbon Bar. Click the ‘Show object identifiers’ blue text. This form is included in the security objects listed.

The first question you need to ask yourself is this: Does it make sense to add one of the Roles listed to the User? Often, this is the case. And using the existing security structure makes the most sense. These Roles are defined based on what functionality users typically need access to as part of their duties. But let’s pretend that is not the case. And a you need to customize security in D365.

Use Security Configuration To Customize A Role

In the above screenshot, we can see that the Customer reason codes Menu Item is part of the Privilege ‘Maintain customer reason codes‘. The Application Object name is ‘CustReasonsMaintain‘. This will be useful later when making changed in the Application Explorer.

For this illustration, we will use the Security Configuration form to add the privilege named ‘Maintain customer reason codes‘ to the Role that the user is already assigned: ‘Retail operations manager‘.

Note: This example is to demonstrate the steps. The specific security objects do not necessarily make business sense to use.

Explaining The Security Configuration Form

First, go to System administration>Security>Security Configuration.

This form shows all of the security groupings in the system. Users can select a Role from the list, then click on a row under ‘References’. A new grid will appear to the right, showing nodes under the selected node. Users can continue to select rows to progress through the security hierarchy.

The buttons at the top of the form will change dynamically based on what row is selected from what grid. These buttons allow users to create and delete nodes. As well as add references to existing and created security nodes.

An example will help to understand.

Using The Security Configuration Form

In the ‘Roles tab, select the role ‘Retail operations manager’ from the grid. Note: You can select the top bar of the grid and use the standard filter functionality.

To the right of the grid, see the description of this Role. As well as the name of node in the Application Explorer. And the ‘References‘ that are within this Role.

Next, select ‘Duties +’ under References.

This time, another grid will appear to the right. This grid shows the list of Duties that are part of this Role.

Select the Duty labeled ‘Maintain retail POS permissions‘. Again, it can be helpful to use the grid filtering functionality by selecting the column title on the grid.

Another grid will appear to the right. Finally, select ‘Privileges +‘ under References.

Add A Reference

As a reminder, we want to add the Privilege ‘Maintain customer reason codes‘ to the Duty ‘Maintain retail POS permissions‘. Since this duty is part of the Role ‘Retail operations manager‘. This will allow any users with this Role to access this Menu Item.

With the ‘Privileges +‘ row selected, click the button ‘Add references’.

A dialog will open, showing all of the Privileges in the system. Locate and select the Privilege named ‘Maintain customer reason codes‘. Again, the grid filter functionality is very helpful. Then, click ‘Ok’.

Afterwards, notice that the Privilege you selected is added to the grid.

Go to the ‘Unpublished objects’ tab. You will see security objects affected by your change.

In this case, because I made changes to a Duty, all Roles that use that Duty, are also affected.

Click ‘Publish all’ the publish the changes. Until this step is completed, the security changes you have made will not be applied.

Add A New Menu Item

Often times, you are not looking to change the existing security structure. Instead, you have created a new Menu Item, and you wish to allow it to be accessible to users.

You can either add the Menu Item to an existing Security object. Or create new security objects and add your Menu Item to your new nodes.

Add a Menu Item To An Existing Security Node

First, go to Security Administration>Security>Security configuration.

Secondly, select the Privileges tab. Note: If you already know the name of the security object you want to modify, it is faster to use the tabs to locate it.

Thirdly, find and select the row labeled ‘Maintain retail POS Permissions‘ from the grid. Click the column header to use standard filtering functionality.

Fourthly, Select ‘Display menu items‘ under References.

After selecting the row, the buttons will change. Select ‘Add references‘.

A dialog will open. Select the Menu Item you wish to add to this Privilege. In my case, I have a new custom Menu Item named rsmVehicle that I wish to add. Additionally, set the access permissions under ‘Select Properties‘.

Next, click ‘Ok‘.

The custom Menu Item is added to the list under Display menu items.

Select ‘Unpublished objects‘. Then click ‘Publish all‘ in order for your changes to take effect.

Add Menu Item To New Security Node

This time, let’s repeat similar steps as the last example. But let’s create an entirely new role to add our Menu Item to.

First, go to Security Administration>Security>Security configuration.

Next, ensure that the Roles tab is selected. This is the default tab.

Click the ‘Create new‘ button.

In the dialog that opens, enter ‘Tutorial vehicles‘ as the name. Then, click ‘OK‘.

Afterwards, notice that the new Role is added to the grid.

At this point, you can select the Privilege or Duties node under References. But clicking the ‘Create new‘ button will still just create a new Role.

Instead, select the ‘Duties‘ or ‘Privileges‘ tab at the top of the form. I clicked on ‘Privileges‘. Then, click the ‘Create new‘ button.

In the dialog that opens, enter in a name for the Privilege. Then, click ‘Ok‘.

Now, go back to the Roles tab. Select the role you wish to customize. In my case, I selected ‘Tutorial vehicles‘.

Then, select the ‘Privileges‘ row under References. Finally, click ‘Add references‘.

From the dialog that opens, locate and select the Privilege you wish to add. In my case I selected ‘privVehicle‘. Then, click ‘Ok‘.

Finally, go to the ‘Unpublished objects‘ tab. Click ‘Publish All‘.

Exporting Security

After making changes using the Security Configuration form, the changes are stored in the database. In order for these changes to be made to any other environment you have two options. You can either manually make the same changes in the second environment using the Security Configuration form. Or you can export and re-import the changes from one environment to another.

To export your changes, go to Security Administration>Security>Security configuration. Then, in the Ribbon Bar, select Data>Export.

An xml file is downloaded in your browser.

In a similar fashion, open the destination D365 environment. Navigate to the Security configuration form. Then select Data>Import from the Ribbon Bar.

In the dialog that opens, click the ‘Browse’ button to select the file you wish to import. This will apply the security changes to the new environment.

You can also use the data migration framework to export and import security data. See the Microsoft documentation on this process here.

Conclusion

In this article you learned how to customize security in D365 using the Security Configuration form. This is a great tool that allows functional users to make security changes. However, these changes are stored in the database. And therefore require moving in order to apply to another environment. In the next article, I will show how to make these same changes in the Application Explorer. Changes made in the Application Explorer are stored in code. And while the code still needs to be promoted to other D365 environments. This is the preferred way of making changes to the Security structure. As it allows for changes to be tracked using source control. As well as providing consistency across all environments.

Peter Ramer
Peter Ramer is a part of the Managed Application Services team at RSM working on Microsoft Dynamics 365. He focuses on the Retail and Commerce industries. When he is not solving problems and finding ways to accelerate his clients' business, he enjoys time with his three kids and amazing wife.

Share this:

Leave a Reply

Your email address will not be published. Required fields are marked *

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑