User security is a must in Dynamics 365 for Finance and during FiveForty projects we always have a lot of discussing about it and when to start thinking about it. Below we describe the main IT concepts to know behind this feature. We hope it will help you to handle it from the beginning of your project.
– Without a role, a user will not be able to access or use Dynamics 365. Roles are built upon duties and privileges which determine the business process and access level for a given role, respectively.
– Below is a diagram of the connection between the different elements to role-based security.
There are two new features that make the process easier to understand and configure custom security roles in Dynamics 365 – the security diagnostic and security configuration tools.
2. Defining terms used in Security
2.1 Security roles
– A security role defines how users access different modules.
– All users must be assigned to at least one security role in order to have access to Finance and Operations.
– Only the administrator can apply data security policies to limit the data that the users in a role have access to.
– By default, sample security roles are provided, and each user can have multiple security roles.
– To control access to data, we can modify existing security roles, create new security roles, or change which security roles are assigned to each user.
– Security roles correspond to a responsability in a Company, it contains a set of “duties” necessary to carry out a function in an organization.
– Duties correspond to tasks of a role, parts of a business process. There are composed of different privileges to perform an action.
– The administrator assigns duties to security roles. A duty can be assigned to more than one role. These duties are said to be segregated, because they help users reduce the risk of fraud, and help us detect errors or irregularities.
– By segregating duties, you can better comply with regulatory requirements (SOX, IFRS …)
– Default duties are provided. The administrator can modify the privileges that are associated with a duty, or create new duties.
– A privilege is a unit action set that correspond to functions in the system.
– A privilege specifies the level of access that is required to perform a job, solve a problem, or complete an assignment. It is a set of entry points that are all linked to menu items, web content items, and service operations.
– A privilege contains permissions to individual application objects such as user interface elements and tables.
– By default, privileges are provided. The administrator can modify the permissions that are associated with a privilege, or create new privileges.
– Each function is accessed through an entry point.
– Permissions group access levels that are required to run a function.
– This includes any tables, fields, forms, or server side methods that are accessed through the entry point.
3. Security Configuration Tool
– The Security Configuration Tool is a feature that helps administrator to more easily create and maintain security roles, duties, and privileges. It allow :
1. To display entry point permissions for a given role, duty, or privilege
2. To provide the ability to record business process flows and identify the entry points that are used
3. Testing a newly created or modified security role, duty, or privilege without having to use a test user account
– This toolset is extremely users friendly and intuitive, however, changes are not permanent, and must be published.
– Changes can be saved as a data export file that can be imported into the desired environments.
– Go to System administration > Security > Security Configuration
– Users are able to click through and have full hierarchy view of role, duty, privilege, entry point security assignments.
– Users are then able to explore the associated privileges for the duty, and what roles currently have the duty assigned to it.
– Users are also able to ‘Duplicate’ existing roles, duties and privileges.
– We have different options for performing against the currently selected role/duty/privilege
- Undo/Redo – undo/redo customizations applied to this security role
- Create new – create a new security role
- Show all levels – this option will force D365FO to show a horizontal scroll bar to fit all fly-out levels
- Delete – remove the current security role
- Duplicate – create a clone of the currently selected security role, allows user to give it a new name
- Copy – copies the current security role
- View Permissions – shows hierarchy of security for the currently selected security role
- Audit Trail – shows the history of all changes made to an object either from user interface
3.1 How to create a role
1. With the ‘Roles’ tab selected, click ‘Create new’ this will allow user to create a new role in Dynamics 365.
- Enter the name of the new role. Note: it is recommended to use a different naming convention with new roles so that they are easily identifiable
The role will be created, however, it will have no duties or privileges.
3. To add a duty to the role, ensure that it is highlighted, and select Duties in the second column, then click Add references
4. All duties (and custom if created) will be available in the list.
5. Select one or more duty and they will become available on the role, as well as that duties respective privileges.
6. Similar to adding references, users can remove references if they are not desired/required.
Privileges should never be removed from a standard duty, because it will be removed from all roles that have that duty. It’s necessary to duplicate the standard duty, rename it, add to the new role and then we can removed associated privileges.
7. When we select a duty, we can view all permissions (click button view permission)
8. When we select a privilege, we can see all type of view references associated
9. To change object permissions we will need to navigate to the Privileges area
Dynamics 365 use different record level privileges, that determine the level of access a user has to a specific record or record type :
– Read : Required to open a record to view the contents.
– Update : Required to modify a record .
– Create : Required to make a new record.
– Delete : Required to permanently remove a record.
We have 3 specific access level of the permission defined in a security role :
10. All changes made in the user interface must be published before they go live, this object lists all of the changes that are not currently published yet
4. Security Diagnostic Tool
4.1 On Form
– Now, in Dynamics 365, users with a security administrator or system administrator role are able to run the Security Diagnostic Tool on any form to find out the roles, duties and privileges necessary to complete a task.
– To access the Security Diagnostic Tool a user can select Option tab > Page Options > Security Diagnostics on any form and it will run automatically.
– Once run, the tool will list all the roles, duties and privileges associated with that form.
4.2 For task recordings
– If you would like to run the Security Diagnostic Tool for an end to end process, you can use the Security Diagnostics to Task Recordings Functionality.
– Users can access this through System Administration > Security > Security diagnostics for task recordings. Once selected, you will be prompted to open the task recording from PC or Lifecycle Services.
– Once selected, you will be prompted to open the task recording from PC or Lifecycle Services.
– Once uploaded, all the menu items used in the task recorder file will be populated.
– We can then select a user from the User ID dropdown to see whether or not they currently have permissions to access those menu items.
– Once we have identified the desired duty/privilege, we will go into the Security Configuration tool, to find out which roles currently have them.
– The only drawback of the Security Diagnostic toolset is that we are unable to see which role is associated with the desired duties/privileges.