Activities

Activity

Area

Description

Add entry points of module menu to security scenario

Security management

You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.

This topic explains how to add entry points of a module menu as securable objects to a security scenario. Each entry point in the menu of the module results in a securable object in the scenario.
You can add entry points from several modules to a security scenario.

Add existing task recording to security scenario

Security management

You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.

This topic explains how to add an existing task recording to a security scenario.

You can add a task recording:

From a folder.
That is already available in the Security and compliance file share workspace.

You can add several existing task recordings to a security scenario. When you add an existing task recording to a security scenario:

It is added to the Files section of the Scenario details page. In the File details pane, all recorded steps of the selected task recording are shown.
All securable objects that are touched in the task recording, are added to the scenario. In the Access required section of the Scenario details page, only the task recording steps that are related to a securable object are shown with the related access level.
From a folder, it is saved to the Security and compliance file share workspace.

You can use the task recording steps to optimize the license cost when you create a security role. If an entry point (securable object and access level) increases the license cost, the related step can help you to decide if this access level is required or not.

Add table read permissions to role or privilege

Security management

To any role or privilege, you can add read permissions for all tables or a selection of tables.

You can add table read permissions to a role or a privilege. In this task guide, the permissions are added to a role.

Analyze security configuration history

Security auditing

In the Security and compliance studio, you can audit the security configuration in several ways:

Global security history - Shows all security configuration change events on all users, all security roles, duties, privileges, segregation of duties, stand-ins, and across all legal entities.
User security history - Shows all security configuration change events on the selected user across all legal entities.
Role security history - Shows all security configuration change events on the selected role across all legal entities.

Events done on the security configuration are logged in the security history. So, you can analyze the changes to the security configuration.

These events are logged:

AAD group created
AAD group deleted
Audit log initialized
Duty access to sensitive data given
Duty access to sensitive data undone
Duty created
Duty deleted
Duty modified
Entry point access to sensitive data given
Entry point access to sensitive data undone
Entry point created
Entry point deleted
Entry point modified
Objects published
Privilege access to sensitive data given
Privilege access to sensitive data undone
Privilege created
Privilege deleted
Privilege modified
Role access to sensitive data given
Role access to sensitive data undone
Role activated
Role assigned
Role assigned dynamically
Role created
Role deleted
Role inactivated
Role locked
Role merged
Role modified
Role removed
Role removed dynamically
Role unlocked
Security configuration exported
Security configuration imported
SoD conflict allowed
SoD conflict denied
SoD rule created
SoD rule deleted
SoD rule modified
SoD rules validated
Stand-in role assigned
Stand-in role removed
Stand-in rule conflict
Stand-in rule created
Stand-in rule deleted
Stand-in rules applied
User access to sensitive data given
User access to sensitive data undone
User created
User deleted
User disabled
User enabled
User modified

Analyze security scenario and define required access levels

Security management

You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.

This topic explains how to analyze the created security scenario and how to define the required access level for each securable object in the scenario.

Analyze segregation of duties

Security auditing

You can analyze the setup of rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.

This procedure explains how you can analyze the segregation of duties setup.

Analyze stand-ins

Security auditing

As a security auditor, you can review the past, current, and future stand-in assignments.

Appoint stand-ins

Security management

You can appoint a user as a stand-in for another user for a specified period. For example, if a user has a vacation, you can appoint a stand-in during this vacation.

For auditing purposes, you cannot delete stand-in records with periods in the past.

Approve security request

Security management

Usually, a security manager must approve the security request before it is implemented.

How the approval process is done, depends on the setup:

An approval workflow is active: Approve the security request using the approval workflow.
No approval workflow is active: Manually approve the security request.

When you review the security request, on the Security requests page, on the Action Pane, on the Requests tab, you can:

View the related record, if defined.
Change the priority.

Once approved, the security request is implemented automatically.

If dynamic snapshots are enabled, the implemented security configuration changes are updated automatically in the latest snapshot.

Assign roles to user

Security management

The match roles process often results in new security roles. To access Microsoft Dynamics 365 for Finance and Operations, Enterprise edition, users must be assigned to security roles. This procedure guides you to the pages where you can:

Assign users to roles in several ways.
Assign roles to users.

The role assignment is validated automatically to verify if it complies with the segregation of duties rules. If enhanced segregation of duties rules are enabled, the role assignment is validated against the enhanced segregation of duties rules.

If dynamic snapshots are enabled, the role assignments are automatically updated in the latest snapshot.

Assign stand-in roles

Security management

If you have set up stand-ins, the actual assignment of the required security setup is only done for the defined period. Use the Assign stand-in roles batch job to do the actual assignment. This batch job activates and deactivates the required security setup for the stand-ins:

If the current date is the From date, the security setup is activated for the stand-in. As a result, the security setup of the user who is substituted is merged with the security setup of the stand-in.
If the current date is past the To date, the security setup is deactivated for the stand-in. As a result, the security setup merge is undone.

Notes:

The security setup of the substituted user stays unchanged.
If the stand-in has already (partially) the same security setup as the substituted user, this security setup isn't changed on activation or deactivation.

You are advised to run this batch job daily. Preferably, before working hours. For example, run the batch job at 00:01.

Change table security recording

Security management

You can make changes to a table security recording.

Compare snapshots

Security auditing

You can compare snapshots to review the changes made between two snapshot versions.
A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:

All securable objects: roles, duties, privileges, and entry points, with the related license type and access level.
The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point.

On creation of a snapshot, a full compare is done with the previous snapshot version. So, if you compare two subsequent snapshots, the Compared field is already set to Yes.

You can also compare non-subsequent snapshot versions. If you do so for the first time, you can manually do a full compare or only compare selected records.

Copy security setup to another user

Security management

You can copy the security setup of a selected user to another user. All security roles, as assigned to the selected user, are copied to the other user.

You can also copy the organization access, as defined for the copied roles, to the other user. If a copied security role is already assigned to the other user, this role is updated with the organization access rights from the copied role.

On copy, the security setup of the other user is validated for segregation of duties violations. Note: If enhanced segregation of duties rules are enabled, the security setup is validated against the enhanced segregation of duties rules.

Create role from scenario based on selected role and selected duties and/or privileges

Security management

If a partially matched security role is found, you can create a new security role based on the selected role and selected duties and/or privileges.

Create security audit report

Security auditing

You can use the security audit report to analyze permissions and permission changes that are made to recorded elements during a specific period.

You can create the report based on:

Scenario - The report shows any permission changes to the securable objects as made in the selected scenario.
Data security record - The report shows any permission changes to the tables and table fields as made in the selected data security record.

You can only create this report if Security and compliance IT audit is initialized.

Create security log report

Security auditing

You can generate a security history log report for audit or other compliance requirements. These compliance requirements can be internal or external.
You can generate the report with:

Selected logged events.
Events logged for selected users.
Events logged for selected roles.

Create security request from any page

Security management

Use security requests to register any required changes in the security setup. As a user, you can create a security request from any page. You can only do so, if the 'Security request user' role is assigned to your user setup.

Security request type

For each security request type, a different type-specific section is added to the Security request page. In this section, fill in or add the required type-specific information.

This table shows the available security request types, for each type the related section, and a description of what to do in this section (see step 10):

Type	Type-specific section	Description
General	-	Request a security configuration change that is not related to any of the types.
Create user	Create users	Request the creation of a user. You can add the desired roles for the user.
Assign role to user	Assign roles to user	Request to add one or more roles to an existing user.
Remove role from user	Remove roles from user	Request to remove one or more roles from an existing user.
Disable user	Disable users	Request to disable one or more existing users.
Enable user	Enable users	Request to enable one or more existing users.
Delete user	Delete users	Request to delete one or more existing users.
Create role	Create role	Request to create a role. Use a security scenario to indicate all securable objects and related access levels that are required for the role to perform one or more tasks. You can select an existing scenario or upload a task recording that defines the scenario.
Modify role	Modify role	Request to modify one or more roles. For each role, you can use a security scenario to indicate all securable objects and related access levels that are required for the role to perform one or more tasks. You can select an existing scenario or upload a task recording that defines the scenario.
Lock role	Lock roles	Request to lock one or more roles.
Unlock role	Unlock roles	Request to unlock one or more roles.
Delete role	Delete role	Request to delete one or more roles.
Create rule	Enhanced SoD rules	Request to create one or more enhanced segregation of duties rules.
Resolve conflict	Enhanced SoD conflicts	Request to solve one or more enhanced segregation of duties conflicts.
Delete rule	Delete enhanced SoD rule	Request to delete one or more enhanced segregation of duties rules.
Add stand-in	Create stand-in	Request to appoint a stand-in for one or more users for a specified period.
Cancel stand-in	Remove stand-in	Request to remove a stand-in appointment for one or more users for a specified period.
Create business risk	Create business risk	Request to add an operational risk for your company. You can link the risk to enhanced segregation of duties rules.

Create security request in Security and compliance studio

Security management

As a security administrator, use security requests to register any required changes in the security setup. In Security and compliance studio, you can create security requests from the Security management workspace.

Security request type

For each security request type, a different type-specific section is added to the Security request page. In this section, fill in or add the required type-specific information.

This table shows the available security request types, for each type the related section, and a description of what to do in this section (see step 9):

Type	Type-specific section	Description
General	-	Request a security configuration change that is not related to any of the types.
Create user	Create users	Request the creation of a user. You can add the desired roles for the user.
Assign role to user	Assign roles to user	Request to add one or more roles to an existing user.
Remove role from user	Remove roles from user	Request to remove one or more roles from an existing user.
Disable user	Disable users	Request to disable one or more existing users.
Enable user	Enable users	Request to enable one or more existing users.
Delete user	Delete users	Request to delete one or more existing users.
Create role	Create role	Request to create a role. Use a security scenario to indicate all securable objects and related access levels that are required for the role to perform one or more tasks. You can select an existing scenario or upload a task recording that defines the scenario.
Modify role	Modify role	Request to modify one or more roles. For each role, you can use a security scenario to indicate all securable objects and related access levels that are required for the role to perform one or more tasks. You can select an existing scenario or upload a task recording that defines the scenario.
Lock role	Lock roles	Request to lock one or more roles.
Unlock role	Unlock roles	Request to unlock one or more roles.
Delete role	Delete role	Request to delete one or more roles.
Create rule	Enhanced SoD rules	Request to create one or more enhanced segregation of duties rules.
Resolve conflict	Enhanced SoD conflicts	Request to solve one or more enhanced segregation of duties conflicts.
Delete rule	Delete enhanced SoD rule	Request to delete one or more enhanced segregation of duties rules.
Add stand-in	Create stand-in	Request to appoint a stand-in for one or more users for a specified period.
Cancel stand-in	Remove stand-in	Request to remove a stand-in appointment for one or more users for a specified period.
Create business risk	Create business risk	Request to add an operational risk for your company. You can link the risk to enhanced segregation of duties rules.

Create security role

Security management

All users must be assigned to at least one security role to have access to Dynamics 365 for Finance and Operations. The security roles that are assigned to a user determine the duties that the user can perform and the parts of the user interface that the user can view.

You can use the Security role wizard to create or edit a security role. You can select the desired duties, privileges, and entry points.

Snapshot

The Security role wizard uses the latest snapshot as a basis. So, for the Security role wizard to have the best performance, make sure the latest snapshot is up-to-date.

In the Security and compliance studio parameters, the Enable dynamic snapshot parameter exists. If set to:

Yes, the roles that you create with the Security role wizard are saved automatically in the latest snapshot.
No, no automatic updates are done to the latest snapshot. If you want a new role to be available for Security and compliance studio functions, create a new snapshot.

Create security role from scenario with selected duties

Security management

If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched duties. So, you can create a specific security role, which is still based on the security scenario.

The matched duties have at least one of the securable objects from the scenario. In determining the match, the access level for the securable objects, as defined on the security scenario, are not considered.

Note that:

A duty can be shown several times, for a different securable object.
A securable object can be shown several times as it can be linked to several duties.
For each entry, the related license types are shown.

This information offers the opportunity to reduce license costs. You can search for and select the duties with the lowest license type.

Create security role from scenario with selected privileges

Security management

If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched privileges. So, you can create a specific security role, which is still based on the security scenario.
The matched privileges have at least one of the securable objects from the scenario. In determining the match, the access level for the securable objects, as defined in the security scenario, are not considered.
Note that:

A privilege can be shown several times, for a different securable object.
A securable object can be shown several times as it can be linked to several privileges.
For each entry, the related license types are shown.

This information offers the opportunity to reduce license costs. You can search for and select the privileges with the lowest license type.

Create security scenario

Security management

You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.

This topic explains how to create a security scenario.

Create security scenario based on RapidValue task guide

Security management

You can use task guides, which are exported from RapidValue, to create security scenarios in the Security and compliance studio.

Note: The task guides are exported from RapidValue as XML files and added to a ZIP file. When downloaded, extract the ZIP file. So, the task guide XML files can be read by the Security and compliance studio.

Create segregation of duty from Match roles

Security management

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. Complete the following procedure to create a rule from the Match roles page.

Create snapshot

Security auditing

You create snapshots to be able to use Security and compliance studio functions, for example:

Security explorer
Match roles
Compare snapshots
Security role wizard

Snapshot

A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:

All securable objects: roles, duties, privileges, and entry points, with the related license type and access level.
The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point.

Snapshot creation

You create a snapshot in these cases:

The first time you want to explore the security configuration or match roles.
Changes are made to the security configuration. So, these changes become available for the security explorer or match roles function.
You want to compare the current security configuration with a previous security configuration.

You are advised to create snapshots:

In batch, if you frequently make changes to the security configuration.
In the background, because the creation of a snapshot can take quite some time.

Dynamic snapshot

In the Security and compliance studio parameters, you can use the 'Enable dynamic snapshots' field to enable automatic updates of security configuration changes to the latest snapshot. So, no new snapshot is required each time you change the security configuration.

Automatic updates of security configuration changes to the latest snapshot are done when you, for example:

Publish changes.
Approve security requests.
Update or create a role with the wizard.
Import security configurations.
Assign users to roles.

Note: If yo use dynamic snapshots, you are advised to create a snapshot regularly. You do so to ensure that no security inconsistencies occur and to create a safety net,

Create task recording for security scenario

Security management

You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.

This topic explains how to create a task recording for a security scenario and how to add the task recording to the scenario. You can create several task recordings for a security scenario.

When you save a task recording to a security scenario:

It is added to the Files section of the Scenario details page. In the File details pane, all recorded steps of the selected task recording are shown.
All securable objects that are touched in the task recording, are added to the scenario. In the Access required section of the Scenario details page, only the task recording steps that are related to a securable object are shown with the related access level.
It is saved to the Security and compliance file share workspace.

Create user

Security management

Users are internal employees of your organization, or external customers and vendors, who require access to the system to perform their jobs.

You can manually create users in the system.

Define users who can view sensitive data change log

Security management

On the sensitive data change tracking setup, you can define the users who can view the changes that are logged for the sensitive data setup.

If you:

Do not define users, all users with access to the Sensitive data log page, can view all logged changes.
Define users, only these users can view the logged changes for the sensitive data change tracking setup.

Delegate work items for users

Security management

If a user is planned to be out of the office or otherwise unavailable to act on work items for a period, you (as security or system administrator) can automatically delegate new work items to other users.

To configure automatic delegation of user work items to other users, you must create delegation rules. these rules define when certain types of work items are delegated.

Users can also delegate own work items themselves. For more information on how to do so, refer to Delegate work items in a workflow.

Delete snapshots

Security auditing

As a snapshot can consist of a lot of data, keeping many snapshots can slow performance. Therefore, you are advised to have a maximum of five snapshots.

You can set up automatic clean-up of snapshots. As a result, older snapshots are deleted according to these rules:

The value of the Limit number of snapshots field on the Security and compliance studio parameters.
The number, as defined in this field, is the number of snapshots that is kept if you delete snapshots.
The Protected check box for snapshots.
The snapshots that are marked as protected are kept.

On deletion, counting of snapshots to be kept starts with the latest snapshot, while protected snapshots are skipped in the count. The remaining older snapshots are deleted.
No snapshots are deleted if the value of the Limit number of snapshots field is 0, or less than or equal to the number of snapshots.

Example:
In September 2018, eight snapshots are created, of which two are marked as protected. At the end of the month, you do your monthly snapshot clean-up.
Limit number of snapshots = 3
This table shows which snapshots are kept and which ones are deleted:

Disable users that do not exist in Microsoft Entra ID

Security management

You can run the Microsoft Entra ID user status batch job to disable users in D365 FO if these users no longer exist in the Microsoft Entra ID.

Make sure, this batch job is run about 30 minutes before the Analyze license usage (Named user license count reports processing) batch job is run. So, the license usage count is based on actual users.

Download image

Security management

In the Security and compliance file share workspace, you can download image files that are used in security requests.

Download task recording

Security management

In the Security and compliance file share workspace, you can download task recording files that are used in security scenarios.

Download XML file with exported security role

Security management

If you have exported a security role configuration or customization, you can download the XML file from the Security and compliance file share workspace.

Duplicate role from Match roles

Security management

It is advisable to create a subset of security roles that are actually used in your company. This way, the security administrator has a better overview of the security roles that are used in your company.

So, if a standard security role matches a scenario, you can create an exact copy of this standard security role and assign this copy to the applicable users.

Duplicate security role

Security management

Consider creating a subset of security roles that are actually used in your company. This way, the security administrator has a better overview of the security roles that are used in your company.

This topic explains how you can create an exact copy of a security role.

Edit query for sensitive data change tracking

Security management

On the sensitive data change tracking setup, you define the table fields for which sensitive data changes must tracked.

For each table that is defined in the General section of the Sensitive data setup page, a query is created automatically. If the the defined table is a:

Common table, when the record is saved, the query is created. If the query already exists for the sensitive data setup, the query is automatically added to the record.
Date-effective table or an inheritance structure table, the query is created when the table is mapped to a related staging table.

A query is applied on record level to the related table.

You can edit an automatically created query. Usually, you edit a query only in specific cases. For example, if a table record has a type field, you can make the query type-specific. For the LogisticsElectronicAddress table, you can, for example, track sensitive data changes only for addresses that are marked as Private. To do so, add a range to the related query with the Private field, and Criteria set to Yes.

Explore security configuration for any Dynamics 365 for Finance and Operations page

Security management

You can explore the security configuration for any page in Dynamics 365 for Finance and Operations. You can use this, for example, to see if you can lower the license type for a user to reduce license cost.

Each page can have several securable objects. For a selected securable object of a page, you can explore the related references. For example, if the selected object is of type Duty, you can explore:

The related roles.
The users that are assigned to these roles.
The related privileges.
The entry points of these privileges.

For the pinned level, the references with the highest user license type are highlighted. You can set the highlight color in the Security and compliance studio parameters.

The license type of each reference is indicated with a colored dot:

Red dot - Operations
Orange dot - Activity users
Gray dot - None
No dot - Team members

You can open the security explorer for any page. In this procedure, it is opened from the Sales order processing and inquiry workspace.

Explore security configuration in Security and compliance studio

License management

You can, for each level in the security configuration, explore the related references. You can use this, for example, to see if you can lower the license type for a user to reduce license cost.

For example, for a pinned duty, you can explore:

The related roles.
The users that are assigned to these roles.
The related privileges.
The entry points of these privileges.

For the pinned level, the references with the highest user license type are highlighted. You can set the highlight color in the Security and compliance studio parameters.

The license type of each reference is indicated with a colored dot:

Red dot - Operations
Orange dot - Activity users
Gray dot - None
No dot - Team members

You can open the Security explorer from several places in the Security and compliance studio:

License optimization workspace: Security explorer tile, All users tab, Full users tab, Activity users tab, and Team members tab
Security management workspace: Security explorer tile, Roles tab, and Users tab.
Security audit workspace: Security explorer tile, Role history tab, and User history tab

In this procedure, it is opened from the License optimization workspace, Security explorer tile.

Export security explorer data to Microsoft Excel

Security management

You can export security explorer data to a Microsoft Excel file for further analysis.

You can choose to export:

All data of the security explorer.
Only the related references of a pinned securable object in the security configuration.

For example, for a pinned duty, you can export:

The related roles.
The users that are assigned to these roles.
The related privileges.
The entry points of these privileges.

Export security role configuration

Security management

You can export a security role with all its related security configuration.
As a result, an XML file is created with the security role configuration. The XML file is stored in the Security and compliance file share workspace.
You can use the XML file to import and use the security role configuration in another environment.

Export security role customization

Security management

You can export a customized security role. Only the security role customizations are exported.

As a result, an XML file is created with the security role customizations. The XML file is stored in the Security and compliance file share workspace.

You can use the XML file to import and use the security role customizations in another environment.

Export sensitive data access setup to Microsoft Excel

Security auditing

You can export sensitive data access setup to a Microsoft Excel file for further analysis.
You can choose to export:

All data of the sensitive data access setup.
Only the sensitive data access setup that is related to a pinned security object in the security configuration.

For example, for a pinned duty, you can export sensitive data setup for:

The related roles.
The users that are assigned to these roles.
The related privileges.
The entry points of these privileges.

Extend table security recording

Security management

You can extend an existing table security recording with additionally recorded table fields.

Give access to sensitive data

Security management

You can give a securable object access to sensitive data.

If you give a securable object access to sensitive data, automatically all related securable objects get access to sensitive data as well.

For example, if you give a duty access to sensitive data, the related users, roles, privileges, and entry points also get access to sensitive data.

In the steps, as an example, a duty is given access to sensitive data.

Give user roles access to organizations

Security management

You can give a user access to several organizations by assigning several user roles to these organizations.

Import and publish security role configuration

Security management

You can import a security role with all its related security configuration from an XML file that is exported from another environment.
When the securable objects are imported from the XML file, these objects are published automatically.
If dynamic snapshots are enabled, the published objects are automatically updated in the latest snapshot.

Import security role customization

Security management

You can import a customized security role from an XML file that is exported from another environment. Only the security role customizations are imported.

When the securable objects are imported from the XML file, these objects are published automatically.

If dynamic snapshots are enabled, the published objects are automatically updated in the latest snapshot.

Import user

Security management

Users are internal employees of your organization, or external customers and vendors, who require access to the system to perform their jobs.

You can import users from the Microsoft Entra ID users.

Inactivate or activate security roles

Security management

When changes to a security role are required, you can choose to create a new version of it. In this case, the previous version of the security role must become inactive. So, it can't be assigned to users anymore.

Before you inactivate a security role, make sure it's not assigned to any user. If you inactivate a security role that is still assigned to users, you get an error message listing the users to which it is assigned.

You can also activate an inactive security role.

Initialize Security and compliance IT audit

Security auditing

During implementation, to make security configuration event logging possible, you initialize the Security and compliance studio IT audit. You initialize just once.

You can also use this job to clean up the security log.

As a result:

All already logged events are deleted.
The existing role and user assignments are entered as events.

Insert image in security request description

Security management

You can insert an image in the description of a security request.
You can insert an image as:

Security request user from any page.
Security administrator from the Security administration workspace.

In this topic, as an example, an image is inserted as Security user.

Lock or unlock security role

Security management

You can lock a security role. So, it can't be used as a target role when roles are merged.

If a security role lock is no longer required, you can unlock the security role.

Manually add securable objects to security scenario

Security management

You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.

This topic explains how to manually add securable objects to a security scenario.

Match security roles to security scenario

Security management

Use match roles to match all securable objects, as defined in a security scenario, to security roles.

In general, a match means that the securable object exists on the role with a given access level.

Which roles are a match, is defined by:

The required access level for each securable object, as defined in the security scenario (only applicable for exact match).
How you match the security roles.
The entry points as defined for the duties and privileges of each role.

You can match roles in these ways:

Exact match
Only those security roles are a match that have the securable object with the required access level.
Minimum/maximum match
Only those security roles are a match that have the securable object with an access level that is in the range of the defined minimum access level and maximum access level.

Each security role, with a match for at least one of the securable objects from the security scenario, is shown as a matched role. The matching degree of each matched security role indicates to what extent the role has matching entry points.

If you find a matched security role, you can assign users to it.

Merge security roles

Security management

You can merge existing security roles into another existing security role or a new security role.

On merge:

The selected roles remain unchanged.
The selected roles aren't added to the target role as such.
The duties and privileges of the selected roles aren't added to the target role as such.
All lowest entry points of the selected roles are grouped into one privilege or into a privilege for each selected type of entry point. For each selection, by default, a new privilege is created. However, if the target role already exists, you can also select an existing privilege of that role to which the entry points are added.
Entry points with a higher license type than the defined Max user license type are not added to the privileges.
If you do not define duties, the new privileges are added to the target role and, if applicable, entry points are added to the defined existing privileges.
You can add the defined privileges to one duty or to a duty for each selected type of privilege. For each selection, by default, a new duty is created. However, if the target role already exists, you can also select an existing duty of that role to which the privilege is added.
If you define duties, the new duties are added to the target role and, if applicable, privileges are added to the defined existing duties.
If the target role doesn't have any duties and privileges, it will only have the new privileges or duties.
If the target role already has duties and privileges which are not changed during the merge, these duties and privileges stay.
Permissions for the entry points are given as defined in the wizard. This is only applicable if the target role already exists and has the same entry points. You can choose:
- Merge - The highest permission, whether it comes from the source role or the target role entry point, is set as the permission for the merged entry point.
- Unset, Grant, or Deny - Whatever the permission for the entry point is in the source role or target role, it is set to the chosen one.
The target role is validated for segregation of duties violations. Note: If enhanced segregation of duties rules are enabled, the role assignment is validated against the enhanced segregation of duties rules.

Merge security scenarios

Security management

A user can have access to several business processes. To maintain this in one security scenario can be cumbersome. If so, you can maintain business process access in a separate security scenario for each business process. Before you match roles, you can merge these business process security scenarios into one security scenario. So, in match roles, all the relevant entry points are considered.

Monitor asset classification details

Security auditing

D365 FO provides a default set of classifications for the kinds of data that are stored in each table. These classifications are subject to change depending on the need to identify different kinds of data. The actual classification for each field in each table can change at any time, depending on differing needs for identifying data.

In Security and compliance studio, you can monitor all defined field asset classifications in one overview.
The asset classification overview shows:

Each table with asset classifications defined for at least one field.
For the selected table, the fields with an asset classification.

Monitor imported Microsoft Entra ID groups

Security management

You can import Microsoft Entra ID groups to D365 FO. On synchronize Microsoft Entra ID group members, the imported groups are loaded to Security and compliance studio. If a member of an imported Microsoft Entra ID group exists as a user in D365 FO, the user is linked to the group in Security and compliance studio. So, members of Microsoft Entra ID groups who do not exist as a user in D365 FO, are not shown in the Security and compliance studio.

With Security and compliance studio, you can monitor the groups, as imported Microsoft Entra ID, and the linked D365 FO users.

Monitor latest login of users

System administration

You can monitor the latest login of users. You can use this information to reduce license costs. For example, you can remove users who have never logged in or who's latest login is more than three months back.

Monitor license usage per license type

License management

For each license type, you can monitor the related number of users. You can also, for each user, monitor the related license type.

Note that the licensing model of D365 FO has changed. Previously, for D365 FO, these license types were available:

Operations
Activity user
Team member

Currently, the previous Operations license type is split into these base license types:

Commerce
Finance
Human resources
Project operations
SCM

Each full user must have a base license. And if required, for each user, you can add these attach licenses:

Commerce
Finance
Human resources
Project operations
SCM

To show the latest license usage data, first, refresh the licenses on the Security explorer. The license usage data is refreshed based on the latest snapshot of the security configuration.

On the All users tab and Full users tab, the New license type field is shown next to the User license field. The new license types can be shown in these formats:

One license type: Only the shown base license is required.
Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM.
Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail.
Any base license: Any of the base licenses is required. It doesn't matter which one.

Monitor risks

Security management

You can identify the operational risks for your company. Several charts can help you monitor the risks.

Monitor security configuration history

Security management

Events done on the security configuration are logged in the security history. So, you can monitor the changes to the security configuration.

These events are logged:

Audit log initialized
Duty created
Duty deleted
Duty modified
Objects published
Privilege created
Privilege deleted
Privilege modified
Role assigned
Role assigned dynamically
Role created
Role deleted
Role locked
Role merged
Role modified
Role removed
Role removed dynamically
Role unlocked
Security configuration exported
Security configuration imported
SoD conflict allowed
SoD conflict denied
SoD rule created
SoD rule deleted
SoD rule modified
SoD rules validated
Stand-in role assigned
Stand-in role removed
Stand-in rule conflict
Stand-in rule created
Stand-in rule deleted
Stand-in rules applied
User created
User deleted
User disabled
User enabled
User modified

Monitor sensitive data change log

Security auditing

When you have set up the tracking of sensitive data changes, changes to sensitive data are logged.

Who can view the sensitive data log is defined on the related sensitive data change tracking users setup.

If on the sensitive data setup:

No users are defined, all users with access to the Sensitive data log page, can view all logged changes.
Users are defined, only these users can view the logged changes for the sensitive data change tracking setup.

On the Sensitive data log page, in the:

Upper grid, view the sensitive data change events. Each time sensitive data is changed, an event is logged by table, user, sensitive data setup, and date/time.
Details grid, for the selected sensitive data change event, view the data changes to one or more fields with sensitive data.

Monitor work item delegation history

Security management

You can monitor the work item delegation history.

All work item delegations are logged in the history. So, delegations added by users themselves and delegations added by security or system administrators are logged.

Move users to another role

Security management

You can move users from one role to another role. You can use this, for example, if you have created a new variant of an existing role. You can then move the users from the old role to the new role.

As a result, the moved users are no longer available on the old role.

You can only move a user if it doesn't:

Already exist on the other role.
Cause segregation of duties violations. Note: If enhanced segregation of duties rules are enabled, the role assignment is validated against the enhanced segregation of duties rules.

Override permissions on roles

Security management

To apply the table field permissions as defined for a table security record, you must override these permissions on the applicable roles.

Override permissions on roles based on security scenario

Security management

You can override the permissions of a security role based on a security scenario. You typically do this to delimit access to specific data.

In a security scenario, you can indicate all securable objects and related access levels that are required for a user to perform one or more tasks. You can use this setup to override the permissions on one or more security roles.

If you override permissions of a security role:

For the first time, for each entry point type in the security scenario steps, a new duty and privilege are created. The name of the new duty and privilege is [Role name] ([entry point type]). Example: The role is Accountant and permissions are overridden for entry points type Display and Output. As a result, the new duty and privilege names 'Accountant (display)' and 'Accountant (output)'.
The new privilege is added to the new duty with the same entry point type. All entry points and permissions, as defined for the security scenario, are added to the privilege for the entry point type.
And a duty and privilege are already available for an entry point type, the entry points and permissions are added to the existing privilege. If an entry point already exists for the privilege, its permission is overwritten.

If on the security scenario the access level of a securable object is:

No access, all permissions are denied.
View, only the Read permission is granted.
Edit, the Read and Update permissions are granted.
Create, the Read, Update, and Create permissions are granted.
Full control, all permissions are granted.

Rebuild asset classification

Security auditing

In Security and compliance studio, you can monitor all specified field asset classifications.

To monitor up-to-date asset classifications, you are advised to rebuild the asset classification data daily.

Record table security

Security management

You can use table security to manage permissions on table field level. Use table security recording to define the tables and table fields for which you want to set or change permissions. After recording the fields, you can define the desired access right for each recorded field.

Refresh licenses

Security management

The licensing model of D365 F&SCM has changed. Previously, for D365 F&SCM, these license types were available:

Operations
Activity user
Team member

Currently, the previous Operations license type is split into these base license types:

Commerce
Finance
Human resources
Project operations
SCM

Each full user must have a base license. And if required, for each user, you can add these attach licenses:

Commerce
Finance
Human resources
Project operations
SCM

To show the latest license usage data, first, refresh the licenses on the Security explorer. The license usage data is refreshed based on the latest snapshot of the security configuration.

On the All users tab and Full users tab, the New license type field is shown next to the User license field. The new license types can be shown in these formats:

One license type: Only the shown base license is required.
Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM.
Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail.
Any base license: Any of the base licenses is required. It doesn't matter which one.

To show the required new license types in Security and compliance studio, refresh the new license type information. The new license types are refreshed based on the latest snapshot of the security configuration.

As a result, the applicable new license types are retrieved and shown in the Security explorer for each of these securable objects:

Users
Roles
Duties
Privileges
Entry points

Also, on other forms, the new license types are filled after refreshing the licenses. The New license type field is shown on each form where the User license field is shown.

The new license types can be shown in these formats:

One license type: Only the shown base license is required.
Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM.
Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail.
Any base license: Any of the base licenses is required. It doesn't matter which one.

Security management

You can identify the operational risks for your company. These risks can be security-and-compliance related, or any other type of risk for your organization.

You can link a risk to segregation of duties rule to help reduce business risks, human errors, or fraudulent transactions.

Resolve segregation of duties conflicts

Security management

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator.

For each logged conflict, you can:

Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion.
Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field.

Complete the following procedure to view and resolve conflicts.

Resolve segregation of duties conflicts (enhanced)

Security management

For each logged conflict, you can:

Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion.
Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field.

Complete the following procedure to view and resolve conflicts.

Set Security and compliance studio parameters

Security management

Before you start using the Security and compliance studio, set the Security and compliance studio parameters.

Set up areas

System administration

You can use areas to categorize security requests.

Set up segregation of duties rules

Security management

Set up segregation of duties rules (enhanced)

Security management

You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.

With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level, on entry point level, and with segregation security sets.

With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely.

Complete the following procedure to create an enhanced segregation rule on one of these levels: duty, privilege, or entry point.

Set up segregation security sets

Security management

With the segregation rules (enhanced) functionality, you can use segregation security sets to generate entry point level segregation rules.

Use a segregation security set to list and group entry points for which segregation rules are desired. You can use these segregation security sets to set up segregation rules.

For each segregation rule with segregation security sets, child segregation rules are generated automatically. A child segregation rule is generated for each combination of entry points from the two segregation security sets of the segregation rule.

Set up sensitive data access reasons

Security management

If you give a securable object access to sensitive data, you must specify the reason you do so. This topic explains how to set up sensitive data access reasons.

Each sensitive data access reason has one of these types:

Common personal - Used to indicate access to common personal data, like name and birth date.
Sensitive personal - Used to indicate access to sensitive personal data, like ethnic origin and trade union membership.

A set of predefined sensitive data access reasons is available. You are advised to upload these predefined sensitive data access reasons before you add new ones.

Set up sensitive data change tracking

Security management

You can set up the tracking of changes to sensitive data. You set up sensitive data change tracking by field.

You can define the fields, for which sensitive data changes must tracked, in these ways:

With the field picker
Manually

Set up staging table mapping to track sensitive data changes

Security management

You can add any field from any table to the sensitive data setup. However, the table can be date-effective or part of an inheritance structure. In this case, the table cannot be used to enable change logging for sensitive data. Instead, the related staging table must be used to enable change logging for sensitive data.

To define which staging table must be used to enable change logging, map the date-effective table or inheritance structure table to the desired staging table. Also, map the applicable fields of the date-effective table or inheritance structure table to the related fields of the staging table.

Examples of date-effective tables or inheritance structure tables and related staging tables are:

DirPartyTable -> DirPartyAttachmentStaging
DirPerson -> DirPersonStaging
LogisticsPostalAddress -> LogisticsPostalAddressElectronicContactStaging

Set up user groups

Security management

To use some features and functionality in D365 FO, user groups can be required. For example, users are outside the organization hierarchy for budget planning but must work with budget plans. You can assign budget plans to user groups. You can also set up restrictions for journal posting that are based on user groups.

This topic describes how to create a user group and add users to it.

Submit security request for approval - Security administrator

Security management

As a security administrator, you can create a security request from the Security management workspace. Usually, a security request is approved by the security manager.

Once you have completed the security request creation, submit the security request for approval.

How the approval process is done, depends on the setup:

An approval workflow is active: You submit the security request to the approval workflow.
No approval workflow is active: You manually assign the security request to a security manager for approval.

Submit security request for approval - Security request user

Security management

As a security request user, you can create a security request from any page. Usually, a security request must be approved by the security manager.

Once you have completed the security request creation, submit the security request for approval.

How the approval process is done, depends on the setup:

An approval workflow is active: You submit the security request to the approval workflow.
No approval workflow is active: You manually assign the security request to a security manager for approval.

Synchronize groups with Microsoft Entra ID groups

Security management

You can import Microsoft Entra ID groups to D365 FO. Synchronize Microsoft Entra ID group members, to load the imported groups to Security and compliance studio. If a member of an imported Microsoft Entra ID group exists as a user in D365 FO, the user is linked to the group in Security and compliance studio. So, members of Microsoft Entra ID groups who do not exist as a user in D365 FO, are not shown in the Security and compliance studio.

After you imported a Microsoft Entra ID group, changes can be made to its members on the Azure Portal. Members can be added to or removed from the Microsoft Entra ID group. Usually, it is required that these changes are also applied to the imported groups in D365 FO.

To keep the setup in Security and compliance studio up to date, you are advised to synchronize the Microsoft Entra ID group members daily.

On synchronize of Microsoft Entra ID group members:

Groups that are imported from Microsoft Entra ID are loaded to the Security and compliance studio.
Members who are added to a Microsoft Entra ID group, are also added to the related group in the Security and compliance studio. A Microsoft Entra ID group member is only added to an imported group if it exists as a user in D365 FO.
Members who are removed from a Microsoft Entra ID group, are also removed from the related group in the Security and compliance studio. A Microsoft Entra ID group member is only removed from an imported group if it exists as a user in D365 FO.

If a previously imported Microsoft Entra ID group is deleted in Microsoft Entra ID, the related group is disabled in D365 FO on synchronization of imported groups. On synchronization of Microsoft Entra ID group members, the linked users are disabled for this group in the Security and compliance studio.

Undo access to sensitive data

Security management

You can undo the access to sensitive data for a securable object.

If you, for a securable object, undo the access to sensitive data, automatically also the access to sensitive data is undone for all related securable objects.

For example, if you undo access to sensitive data for a duty, the access to sensitive data is also undone for the related users, roles, privileges, and entry points.

In the steps, as an example, access to sensitive data is undone for a privilege.

Upload image

Security management

In the Security and compliance file share workspace, you can upload image files to be used in security requests.

Upload task recording

Security management

In the Security and compliance file share workspace, you can upload task recording files to be used in security scenarios.

Use predefined segregation of duties rules (enhanced) on demand

Security management

You can set up segregation of duties rules (enhanced) to separate tasks that must be performed by different roles or users. With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level, on entry point level, and with segregation security sets.

On demand, a predefined set of segregation rules (enhanced) is available.

Predefined segregation rules

The set of segregation rules (enhanced) consists of:

Segregation security sets: The segregation security sets have lists of entry points.
Segregation of duty rules (enhanced): The segregation rules are based on segregation security sets or privileges.

The predefined segregation rules (enhanced) are mainly related to these functional areas:

Purchase
Sales
Production
Warehouse management

Import

You can import the predefined segregation of duties rules (enhanced) with the Data management import function.

To import the set of predefined segregation rules (enhanced):

Create an import project.
Add a file with source data format 'Package'.
Upload the data file. As a result, these entities are added to the import project:
- Segregation security sets
- Segregation security set lines
- Enhanced SoD rules
Run the import project.

On import:

The segregation security sets and lines are imported.
The segregation rules (enhanced) are imported. These rules are set up for segregation security sets or for privileges.
For each imported segregation rule that is set up for segregation security sets, child segregation rules are generated. A child segregation rule is generated for each combination of entry points, as defined in the two segregation security sets of the segregation rule.

Use predefined segregation of duties rules on demand

Security management

You can set up segregation of duties rules to separate tasks that must be performed by different users. On demand, a predefined set of segregation of duties rules is available.

These predefined segregation of duties rules are set up based on this risk identification matrix for several transaction types:

You can upload the predefined segregation of duties rules in Data management.

Validate segregation of duties

Security management

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for segregation of duties. So, it validates intra-role compliance.

If any existing roles violate the selected rule, a message is displayed that contains the name of the role and the names of the conflicting duties. The security administrator must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply.

Validate segregation of duties (enhanced)

Security management

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for enhanced segregation of duties. So, it validates intra-role compliance.

If any existing roles violate the selected rule, a message is shown that contains the name of the role and the names of the conflicting securable objects. You must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for enhanced segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply.

Validate segregation of duties for stand-in

Security management

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties.

If you use segregation of duties rules, you can validate if the assignment of the user roles to the stand-in user complies with the segregation of duties rules.

If assigning the user roles to the stand-in violates the segregation of duties rules, a message is displayed with the name of the role and the names of the conflicting duties. The security administrator must either indicate the mitigation for the security risk or modify the conflicts so that segregation of duties rules are not violated. If no rules are violated, a message indicates that the stand-in role complies with the segregation of duties rules.

Note: If enhanced segregation of duties rules are enabled, the stand-in role assignment is validated against the enhanced segregation of duties rules.

Verify compliance of user-role assignments

Security management

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-roles assignments to verify whether user role assignments comply with new rules for segregation of duties. So, it verifies inter-role compliance and user-level validations.

A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. The security administrator must resolve all conflicts. Complete the following procedure to identify conflicts.

Verify compliance of user-role assignments (enhanced)

Security management

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-roles assignments to verify whether user role assignments comply with new rules for enhanced segregation of duties. So, it verifies inter-role compliance and user-level validations.

A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. You must resolve all conflicts.

Complete the following procedure to identify conflicts.

View access to sensitive data charts

Security auditing

You can use several charts to audit access to sensitive data:

Number of security objects with access to sensitive data
Number of users with access to sensitive data per organization
Number of roles per user with access to sensitive data
Reasons to give roles access to sensitive data

View asset classification chart

Security auditing

The asset classification chart shows:

How the defined asset classifications are divided over the used classifications.
The number of fields with an asset classification defined for each classification.

If you click a classification on the chart, the asset classification overview is opened. It shows all tables that have at least one field with the clicked asset classification.

View securable objects with access to sensitive data

Security auditing

It is important to know which securable objects give access to sensitive data. For these securable object types, you can review which securable objects give access to sensitive data:

Roles
Duties
Privileges
Users

View Security and compliance studio data on person search report

Security auditing

For Security and compliance studio, an extension is added to the Person search report.

On the Person search report, in the Security and compliance studio results section, you can find this security information:

Security requests of which the user is the owner.
Stand-ins in which the user is involved. Both possibilities are shown:
- The user is the stand-in for another user.
- Another user is the stand-in for the user.
Scenarios of which the user is the owner.
Table security recordings of which the user is the owner.

For more information, refer to Person search report.

View security management charts

Security management

Several charts are available to monitor the status of the security configuration.