In this article, I will explain how to use role-based security in D365. This is a complicated topic. Before learning how to customize the security, it is important to know how to provide access to users using the existing functionality.
In the next article, I will teach you how to customize security in D365 using the Security Configuration form, how to develop security objects in the Application Explorer, and when to use each.
Security Overview
First, before going into the details of Security in D365, we will start with a high-level overview. This way you understand all of the pieces that are involved.
In order to use Microsoft Dynamics 365 for Finance and Operations, you must have an Azure Active Directory user.
Next, a new User record needs to be created within D365 by a user that already has access.
After the user is created, the user can be assigned roles. These roles use a hierarchical structure to provide access to Menu Items within the system. I will explain this security hierarchy structure in greater detail. For the moment, it is enough to know that there is a structure that defines how the security works.
It is important to understand that security for each menu item is not assigned to each user. Instead, access to Menu Items is grouped into what are called Privileges, Duties, and Security Roles. Ultimately, these Security Roles are assigned to users using the Users form.
Security Structure In D365
Now that you understand the high-level components of Security in D365, let us look at the components that make up the Security Hierarchy. Microsoft defines the security architecture using this diagram. You can see their documentation here.
Again, remember that users are not directly assigned permission to specific menu items. Instead, they are assigned one or more Security Roles. Those roles contain Duties. And those Duties contain Privileges. And those Privileges contain one or many menu items, and their associated Access Level.
The Access Level determines whether the user can Read, Update, Create, Correct, or Delete the records in the object that the menu item points to. More on that later.
Security Structure Explained
It would be very tedious if each user had to be assigned, one by one, every menu item they could access. An overly simplified explanation is that these security nodes allow menu items to be grouped together.
Menu items that support the same functionality are usually grouped together in a Privilege, multiple Privileges are grouped into a Duty, and one or more Duties are grouped into a Role. A role is usually defined and named based on what a user will functionally do in the system. A user can be assigned one or more Roles.
For example, there is a ‘System Administrator’ role. This role contains all Duties and Privileges, so that a user with this role is able to access every menu item in the system. And the Access Level on those Privileges will allow the users to Read, Update, Create, and Delete records on these forms.
In contrast, there is a role named ‘Accounts receivable clerk’. This role contains some Duties and Privileges. This setup allows for access to menu items in the Accounts Receivable module.
A menu item can definitely exist in more than one Privilege. And a Privilege can exist on more than one Duty. And so on.
Ultimately, this structure is a tool to make it easier to define what users can access what menu items.
An Example
Now that you have read about the security in D365, let us look at an example.
In this example we will start by creating a new user.
Next, we will decide which security role to add to this user based on which form we need them to be able to access.
Create A User
Whenever you go to the URL of a Dynamics 365 F&O environment, you will be asked to log in using a username and password. Before that username and password will allow you to access D365, you must create a record in the User form. This indicates that the particular credentials are authorized for this system.
First, create a new user by going to the form System Administration>User>Users in Microsoft Dynamics 365 for Finance and Operations. D365 users use Azure Active Directory (AAD).
Push the New button. Then enter a unique User ID. Additionally, specify a User name.
Set the Provider field with the Azure Active Directory tenant. Most of the time this will start with https://sts.windows.net/
Enter the user's full email address. Set the Company field to the default D365 company for the user.
Finally, click ‘Save’.
See the Microsoft documentation for additional details.
Assign Roles
Just having access to the D365 system by itself is not enough. Without any roles, your user will not be able to see or click on any Modules or Menu Items. Assigning Roles provides access to the Menu Items contained within these Roles.
To assign a role to a user, click the ‘Assign roles’ button under the User’s roles section.
In the dialog form that is shown, use the radio buttons on the left hand side to select one or more roles to add. You can use the filter at the top, or filter the grid to help you find a particular role. When ready, click ‘Ok’.
This will add the roles to the user you are editing. Any menu items associated with those roles will now be accessible to that user.
There is additional functionality to be able to automatically assign users Roles based on rules. See the Microsoft documentation here.
Which Role Do I Need To Add?
When you are trying to decide which Role to add, there are really two approaches you are likely to take.
First, do you already know of a Menu Item that this user needs to access, and are you wondering which Role you need to add to provide that access?
Or secondly, do you want to see a list of all of the menu items that a particular role has access to so you can decide if it is appropriate?
Let’s talk through both approaches.
I Have A Menu Item I Want The User To Access
Let’s pretend you need a user to be able to access the ‘Customer reason codes’ form. The Security diagnostics form can help.
In D365, go to Accounts receivable>Setup>Customer reason codes.
The next step can be done on any form in the system.
In the Ribbon Bar, go to Options>Security diagnostics.
The Security diagnostics dialog will show all of the Roles, Duties and Privileges that have access to this Menu Item.
Click the ‘Show object identifiers’ blue link to show the Application Object name of the security object.
Adding any one of the Roles listed to a User will give them access to this Menu Item.
Alternatively, if you have a Task Recording, you can use that Task Recording to see what Roles, Duties, and Privileges are used by that Task Recording. See further documentation here.
But what is the difference between each role? What if one Role provides too much access? In our example, what is the difference between adding the ‘Accountant’ Role compared to adding the ‘Accounting manager’ role?
That question leads us to our next section.
I Want To See All Menu Items In A Role
You are now looking through a list of the existing Roles within Microsoft Dynamics 365 for Finance and Operations. Additionally, you are wondering what Menu Items you will be providing access to if you add that Role to a User.
To see this information, go to System administration>Inquiries>Security>Security role access and run this report.
Security role access: This report will show a list of what Menu Items and access level each Role provides.
This report can take a few minutes to run. Therefore, another way to see what menu items are available to a particular role is to assign only that one Role to a User, and then log in to D365 using that user.
Afterwards, you can assign a different Role to the user and compare.
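To make the Role, Duty, Privilege and Menu Item hierarchy and the two "which Role do I need?" questions concrete, here is a small model of them. It is an added example, not D365 code or Microsoft's data: the privilege and duty names, the ‘All customers’ menu item and every access level are constructed, and it assumes each Access Level includes the ones listed before it.

```python
# Added example: toy model of the D365 security hierarchy.
# Privilege/duty names, the second menu item and all levels are constructed.
from enum import IntEnum

class Access(IntEnum):
    # Assumption: each level includes the ones before it, in the article's order.
    READ = 1
    UPDATE = 2
    CREATE = 3
    CORRECT = 4
    DELETE = 5

PRIVILEGES = {  # privilege -> {menu item: access level}
    "ViewReasonCodes": {"Customer reason codes": Access.READ},
    "MaintainReasonCodes": {"Customer reason codes": Access.DELETE},
    "ViewCustomers": {"All customers": Access.READ},
    "MaintainCustomers": {"All customers": Access.DELETE},
}
DUTIES = {  # duty -> privileges
    "InquireReceivables": ["ViewReasonCodes", "ViewCustomers"],
    "MaintainReceivablesSetup": ["MaintainReasonCodes"],
    "MaintainCustomerMaster": ["MaintainCustomers"],
}
ROLES = {  # role -> duties
    "Accountant": ["InquireReceivables"],
    "Accounting manager": ["InquireReceivables", "MaintainReceivablesSetup",
                           "MaintainCustomerMaster"],
}

def user_access(roles):
    """Flatten Role -> Duty -> Privilege -> menu item; the highest level wins."""
    effective = {}
    for role in roles:
        for duty in ROLES[role]:
            for privilege in DUTIES[duty]:
                for item, level in PRIVILEGES[privilege].items():
                    effective[item] = max(level, effective.get(item, level))
    return effective

def roles_granting(item):
    """Reverse lookup for one menu item, the question Security diagnostics answers."""
    per_role = {role: user_access([role]) for role in ROLES}
    return {role: acc[item] for role, acc in per_role.items() if item in acc}

def extra_access(base, other):
    """Menu items where role `other` grants more than role `base`."""
    a, b = user_access([base]), user_access([other])
    return {item: lvl for item, lvl in b.items() if lvl > a.get(item, 0)}
```

Here roles_granting("Customer reason codes") returns both roles with their levels, and extra_access("Accountant", "Accounting manager") lists what the broader role adds, which is the comparison to make before choosing the role that grants the least access the user needs.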
Security Reports
There are a number of reports that provide information relating to the security in D365.
These out-of-box security reports allow you to see the following information.
User role assignments: the roles assigned to each user.
Role to user assignments: The users that are assigned to each role.
Security duty assignments: This report shows all of the duties contained within a role. This can be used to help maintain the separation of duties between roles.
You can find the Microsoft documentation here.
Additional Resources
Additionally, Alex Meyer has written some great articles on Security. Please check out his articles.
Summary
In this article, we learned how to manage security in D365. The existing functionality allows users to be created, and assigned Roles. Ultimately, these Roles provide access to Menu Items. One or many Roles can be assigned to each user.
The existing functionality allows for a lot of flexibility. And accomplishes the goal of allowing users access to some forms, reports, and processes, while preventing others. That is why understanding these pieces was so important to cover first.
However, what happens when your business requires more nuanced changes than the existing functionality allows?
What happens when you want to create a new Role that is not already defined?
What happens when you have created new Menu Items that you wish to add to new or existing Roles?
In the next article, I will provide some answers to these questions.