1. To-Increase Dynamics 365 for Finance & Operations
  2. Security and compliance studio
  3. Manage security
  4. Manage security scenarios and match roles

Compose security scenarios

You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.


Security administrator Security administrator Create security scenario Create security scenario You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks. This topic explains how to create a security scenario. Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. Click New. 4. In the Scenario field, type a value. 5. Expand the Description section. Note: Enter a description to explain what the security scenario is about. You can extend this to each required level of detail. 6. Close the page. Create security scenario based on RapidValue task guide Create security scenario based on RapidValue task guide You can use task guides, which are exported from RapidValue, to create security scenarios in the Security and compliance studio.Note: The task guides are exported from RapidValue as XML files and added to a ZIP file. When downloaded, extract the ZIP file. So, the task guide XML files can be read by the Security and compliance studio. Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. Sub-task: Create scenario based on RapidValue task guide. 4. Click Upload RV scenario. 5. Browse for and select the task guide XML file based on which the security scenario must be created. 6. Click OK. Note: The task guide XML file that is used to create a security scenario is added to the scenario files. 7. Sub-task: Add scenario steps based on RapidValue task guide. 8. In the list, click the link of the desired security scenario. 9. Click Upload RV scenario. 10. Browse for and select the task guide XML file based on which the steps must be added to the current security scenario. 11. Click OK. Note: The task guide XML file that is used to add steps to a security scenario is added to the scenario files. 12. Close the page. Create task recording for security scenario Create task recording for security scenario You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.This topic explains how to create a task recording for a security scenario and how to add the task recording to the scenario. You can create several task recordings for a security scenario. When you save a task recording to a security scenario:It is added to the Files section of the Scenario details page. In the File details pane, all recorded steps of the selected task recording are shown.All securable objects that are touched in the task recording, are added to the scenario. In the Access required section of the Scenario details page, only the task recording steps that are related to a securable object are shown with the related access level. It is saved to the Security and compliance file share workspace.You can use the task recording steps to optimize the license cost when you create a security role. If an entry point (securable object an access level) increases the license cost, the related step can help you to decide if this access level is required or not. Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. In the list, find and select the desired record. 4. Click Edit. 5. Click New from task recording. 6. Sub-task: Record steps. 7. On the Task recorder, enter the name and description for the recording. 8. Click Start and record the required steps. 9. When you are finished recording, click Stop. 10. Click Save as security scenario. Add existing task recording to security scenario Add existing task recording to security scenario You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks. This topic explains how to add an existing task recording to a security scenario.  You can add a task recording: From a folder. That is already available in the Security and compliance file share workspace. You can add several existing task recordings to a security scenario. When you add an existing task recording to a security scenario:It is added to the Files section of the Scenario details page. In the File details pane, all recorded steps of the selected task recording are shown.All securable objects that are touched in the task recording, are added to the scenario. In the Access required section of the Scenario details page, only the task recording steps that are related to a securable object are shown with the related access level.From a folder, it is saved to the Security and compliance file share workspace.You can use the task recording steps to optimize the license cost when you create a security role. If an entry point (securable object an access level) increases the license cost, the related step can help you to decide if this access level is required or not. Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. In the list, find and select the desired record. 4. Click Edit. 5. Sub-task: Add task recording from another system. 6. Click Upload recording and, on the dialog, browse for the task recording. Note: If required, you can change the name and description of the task recording. 7. Click OK. 8. Sub-task: Add task recording file from Security management. 9. On the Files tab, click Add files to scenario. 10. In the list, find and select the desired records. 11. Click OK. Add entry points of module menu to security scenario Add entry points of module menu to security scenario You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks. This topic explains how to add entry points of a module menu as securable objects to a security scenario. Each entry point in the menu of the module results in a securable object in the scenario. You can add entry points from several modules to a security scenario. Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. In the list, find and select the desired record. 4. Click Edit. 5. On the Access required tab, click Add module access. 6. On the dialog, in the Which module? pane, select the desired modules. 7. In the Desired access level? field, select an option. 8. Select the Create request check box. 9. Click OK. Notes You can also open the Flow design page from the:Business process designer pageFlow page Start Start Manually add securable objects to security scenario Manually add securable objects to security scenario You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks. This topic explains how to manually add securable objects to a security scenario. Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. In the list, find and select the desired record. 4. Click Edit. 5. On the Access required tab, click Add. 6. In the Securable object field, enter or select a value. 7. In the Access level field, select an option. 8. Close the page. How to create a  security scenario? How to create a  security scenario? Analyze security scenario and define required access levels Analyze security scenario and define required access levels You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks. This topic explains how to analyze the created security scenario and how to define the required access level for each securable object in the scenario. Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. In the list, find and select the desired record. 4. Click Edit. 5. Sub-task: Analyze security scenario. 6. On the Description tab, review the scenario description. 7. On the Access required tab, review the securable objects that are added to the security scenario. 8. On the Files tab, review the files that are added to the security scenario. 9. Sub-task: Define required access level for each securable object. 10. On the Access required tab, in the list, find and select the desired record. 11. In the Access level field, select an option. How to add  secruable objects  to a scenario? How to add  secruable objects  to a scenario? Merge security scenarios Merge security scenarios A user can have access to several business processes. To maintain this in one security scenario can be cumbersome. If so, you can maintain business process access in a separate security scenario for each business process. Before you match roles, you can merge these business process security scenarios into one security scenario. So, in match roles, all the relevant entry points are considered. Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. In the list, find and select the desired record. 4. In the list, find and select the desired record. 5. Click Merge scenarios. 6. In the Name field, type a value. 7. In the Description field, type a value. 8. Click Create. 9. Close the page. Merge of security  scenarios required? Merge of security  scenarios required? Do you want to override  permissions on existing  roles based on a  security scenario? Do you want to override  permissions on existing  roles based on a  security scenario? Override permissions on roles based on security scenario Override permissions on roles based on security scenario You can override the permissions of a security role based on a security scenario. You typically do this to delimit access to specific data.In a security scenario, you can indicate all securable objects and related access levels that are required for a user to perform one or more tasks. You can use this setup to override the permissions on one or more security roles.If you override permissions of a security role:For the first time, for each entry point type in the security scenario steps, a new duty and privilege are created. The name of the new duty and privilege is [Role name] ([entry point type]). Example: The role is Accountant and permissions are overridden for entry points type Display and Output. As a result, the new duty and privilege names 'Accountant (display)' and 'Accountant (output)'.The new privilege is added to the new duty with the same entry point type. All entry points and permissions, as defined for the security scenario, are added to the privilege for the entry point type.And a duty and privilege are already available for an entry point type, the entry points and permissions are added to the existing privilege. If an entry point already exists for the privilege, its permission is overwritten.If on the security scenario the access level of a securable object is:No access, all permissions are denied.View, only the Read permission is granted.Edit, the Read and Update permissions are granted.Create, the Read, Update, and Create permissions are granted.Full control, all permissions are granted. Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. In the list, find and select the desired record. 4. Click Edit. 5. Click Override permissions on roles. 6. On the dialog, in the list, find and select the roles which permissions you want to override. 7. Sub-task: Override with custom permissions. 8. Select Yes in the Set custom permissions field. 9. In the Read field, select an option. 10. In the Update field, select an option. 11. In the Create field, select an option. 12. In the Delete field, select an option. 13. Click OK. 14. Click Yes. 15. Close the page. Notes You can also override permissions on security roles when you match roles. You can override permissions for a selected role on the Match roles page (Override permissions on selected role) or choose any role (Override permissions on roles).Each override of permissions on security roles is logged in the data security history. You can view this history in these places on the Security management workspace or the Security audit workspace, on the Data security tab, on the History tab. End End From  new task  recording From existing  task recording From menu Manually Yes No Yes No Manually Use RapidValue  task guide

Activities

Name Responsible Description

Create security scenario

Security administrator
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to create a security scenario.

Create security scenario based on RapidValue task guide

Security administrator

 		You can use task guides, which are exported from RapidValue, to create security scenarios in the Security and compliance studio.
Note: The task guides are exported from RapidValue as XML files and added to a ZIP file. When downloaded, extract the ZIP file. So, the task guide XML files can be read by the Security and compliance studio.

Create task recording for security scenario

Security administrator
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to create a task recording for a security scenario and how to add the task recording to the scenario. You can create several task recordings for a security scenario. 
When you save a task recording to a security scenario:
  • It is added to the Files section of the Scenario details page. In the File details pane, all recorded steps of the selected task recording are shown.
  • All securable objects that are touched in the task recording, are added to the scenario. In the Access required section of the Scenario details page, only the task recording steps that are related to a securable object are shown with the related access level. 
  • It is saved to the Security and compliance file share workspace.
You can use the task recording steps to optimize the license cost when you create a security role. If an entry point (securable object an access level) increases the license cost, the related step can help you to decide if this access level is required or not.

Add existing task recording to security scenario

Security administrator
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to add an existing task recording to a security scenario. 
You can add a task recording:
  • From a folder.
  • That is already available in the Security and compliance file share workspace.
You can add several existing task recordings to a security scenario. When you add an existing task recording to a security scenario:
  • It is added to the Files section of the Scenario details page. In the File details pane, all recorded steps of the selected task recording are shown.
  • All securable objects that are touched in the task recording, are added to the scenario. In the Access required section of the Scenario details page, only the task recording steps that are related to a securable object are shown with the related access level.
  • From a folder, it is saved to the Security and compliance file share workspace.
You can use the task recording steps to optimize the license cost when you create a security role. If an entry point (securable object an access level) increases the license cost, the related step can help you to decide if this access level is required or not.

Add entry points of module menu to security scenario

Security administrator
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to add entry points of a module menu as securable objects to a security scenario. Each entry point in the menu of the module results in a securable object in the scenario.
You can add entry points from several modules to a security scenario.

Manually add securable objects to security scenario

Security administrator

 		You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to manually add securable objects to a security scenario.

Analyze security scenario and define required access levels

Security administrator
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to analyze the created security scenario and how to define the required access level for each securable object in the scenario.

Merge security scenarios

Security administrator
A user can have access to several business processes. To maintain this in one security scenario can be cumbersome. If so, you can maintain business process access in a separate security scenario for each business process. Before you match roles, you can merge these business process security scenarios into one security scenario. So, in match roles, all the relevant entry points are considered.

Override permissions on roles based on security scenario

Security administrator

 		You can override the permissions of a security role based on a security scenario. You typically do this to delimit access to specific data.
In a security scenario, you can indicate all securable objects and related access levels that are required for a user to perform one or more tasks. You can use this setup to override the permissions on one or more security roles.
If you override permissions of a security role:
  • For the first time, for each entry point type in the security scenario steps, a new duty and privilege are created. The name of the new duty and privilege is [Role name] ([entry point type]). Example: The role is Accountant and permissions are overridden for entry points type Display and Output. As a result, the new duty and privilege names 'Accountant (display)' and 'Accountant (output)'.
    The new privilege is added to the new duty with the same entry point type. All entry points and permissions, as defined for the security scenario, are added to the privilege for the entry point type.
  • And a duty and privilege are already available for an entry point type, the entry points and permissions are added to the existing privilege. If an entry point already exists for the privilege, its permission is overwritten.
If on the security scenario the access level of a securable object is:
  • No access, all permissions are denied.
  • View, only the Read permission is granted.
  • Edit, the Read and Update permissions are granted.
  • Create, the Read, Update, and Create permissions are granted.
  • Full control, all permissions are granted.

Provide feedback