Activities

Activity Area Description

Add entry points of module menu to security scenario

Security management
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to add entry points of a module menu as securable objects to a security scenario. Each entry point in the menu of the module results in a securable object in the scenario.
You can add entry points from several modules to a security scenario.

Add existing task recording to security scenario

Security management
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to add an existing task recording to a security scenario. 
You can add a task recording:
  • From a folder.
  • That is already available in the Security and compliance file share workspace.
You can add several existing task recordings to a security scenario. When you add an existing task recording to a security scenario:
  • It is added to the Files section of the Scenario details page. In the File details pane, all recorded steps of the selected task recording are shown.
  • All securable objects that are touched in the task recording, are added to the scenario. In the Access required section of the Scenario details page, only the task recording steps that are related to a securable object are shown with the related access level.
  • From a folder, it is saved to the Security and compliance file share workspace.
You can use the task recording steps to optimize the license cost when you create a security role. If an entry point (securable object and access level) increases the license cost, the related step can help you decide whether this access level is actually required.

Add table read permissions to role or privilege

Security management
To any role or privilege, you can add read permissions for all tables or a selection of tables.
You can add table read permissions to a role or a privilege. In this task guide, the permissions are added to a role.

Analyze security configuration history

Security auditing
In the Security and compliance studio, you can audit the security configuration in several ways:
  • Global security history - Shows all information on all users, all security roles, duties, privileges, segregation of duties, stand-ins, and across all legal entities.
  • User security history - Shows all information on the selected user across all legal entities.
  • Role security history - Shows all information on the selected role across all legal entities.
Events performed on the security configuration are logged in the security history, so you can analyze the changes to the security configuration.
These events are logged:
  • AAD group created
  • AAD group deleted
  • Audit log initialized
  • Duty access to sensitive data given
  • Duty access to sensitive data undone
  • Duty created
  • Duty deleted
  • Duty modified
  • Entry point access to sensitive data given
  • Entry point access to sensitive data undone
  • Entry point created
  • Entry point deleted
  • Entry point modified
  • Objects published
  • Privilege access to sensitive data given
  • Privilege access to sensitive data undone
  • Privilege created
  • Privilege deleted
  • Privilege modified
  • Role access to sensitive data given
  • Role access to sensitive data undone
  • Role activated
  • Role assigned 
  • Role assigned dynamically
  • Role created
  • Role deleted
  • Role inactivated
  • Role locked
  • Role merged
  • Role modified
  • Role removed 
  • Role removed dynamically
  • Role unlocked
  • Security configuration exported
  • Security configuration imported
  • SoD conflict allowed
  • SoD conflict denied
  • SoD rule created
  • SoD rule deleted
  • SoD rule modified
  • SoD rules validated
  • Stand-in role assigned
  • Stand-in role removed
  • Stand-in rule conflict
  • Stand-in rule created
  • Stand-in rule deleted
  • Stand-in rules applied
  • User access to sensitive data given
  • User access to sensitive data undone
  • User created
  • User deleted
  • User disabled
  • User enabled
  • User modified

Analyze security scenario and define required access levels

Security management
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to analyze the created security scenario and how to define the required access level for each securable object in the scenario.

Analyze segregation of duties

Security auditing
You can analyze the setup of rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.
This procedure explains how you can analyze the segregation of duties setup.

Analyze stand-ins

Security auditing
As a security auditor, you can review the past, current, and future stand-in assignments.

Appoint stand-ins

Security management
You can appoint a user as a stand-in for another user for a specified period. For example, if a user has a vacation, you can appoint a stand-in during this vacation.
For auditing purposes, you cannot delete stand-in records with periods in the past.

Approve security request

Security management
A security request usually needs approval by the security manager before it is implemented.
Once approved, the security manager can assign the security request to a security administrator for implementation.

Assign roles to user

Security management
The match roles process often results in new security roles. To access Microsoft Dynamics 365 for Finance and Operations, Enterprise edition, users must be assigned to security roles. This procedure guides you to the pages where you can:
The role assignment is validated automatically to verify if it complies with the segregation of duties rules. If enhanced segregation of duties rules are enabled, the role assignment is validated against the enhanced segregation of duties rules.

Assign stand-in roles

Security management
If you have set up stand-ins, the actual assignment of the required security setup is only done for the defined period. Use the Assign stand-in roles batch job to do the actual assignment. This batch job activates and deactivates the required security setup for the stand-ins:
  • If the current date is the From date, the security setup is activated for the stand-in. As a result, the security setup of the user who is substituted is merged with the security setup of the stand-in.
  • If the current date is past the To date, the security setup is deactivated for the stand-in. As a result, the security setup merge is undone.
Notes:
  • The security setup of the substituted user stays unchanged.
  • If the stand-in has already (partially) the same security setup as the substituted user, this security setup isn't changed on activation or deactivation.
You are advised to run this batch job daily, preferably before working hours. For example, run the batch job at 00:01.

Change table security recording

Security management
You can make changes to a table security recording.

Compare snapshots

Security auditing
You can compare snapshots to review the changes made between two snapshot versions.
A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:
  • All securable objects: roles, duties, privileges, and entry points, with the related license type and access level.
  • The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point.
On creation of a snapshot, a full compare is done with the previous snapshot version. So, if you compare two subsequent snapshots, the Compared field is already set to Yes.
You can also compare non-subsequent snapshot versions. If you do so for the first time, you can manually do a full compare or only compare selected records.

Copy security setup to another user

Security management
You can copy the security setup of a selected user to another user. All security roles, as assigned to the selected user, are copied to the other user.
You can also copy the organization access, as defined for the copied roles, to the other user. If a copied security role is already assigned to the other user, this role is updated with the organization access rights from the copied role.
On copy, the security setup of the other user is validated for segregation of duties violations. Note: If enhanced segregation of duties rules are enabled, the security setup is validated against the enhanced segregation of duties rules.

Create role from scenario based on selected role and selected duties and/or privileges

Security management
If a partially matched security role is found, you can create a new security role based on the selected role and selected duties and/or privileges. 

Create security audit report

Security auditing
You can use the security audit report to analyze permissions and permission changes that are made to recorded elements during a specific period.

You can create the report based on:
  • Scenario - The report shows any permission changes to the securable objects as made in the selected scenario.
  • Data security record - The report shows any permission changes to the tables and table fields as made in the selected data security record.
You can only create this report if Security and compliance IT audit is initialized.

Create security log report

Security auditing
You can generate a security history log report for audit or other compliance requirements. These compliance requirements can be internal or external.
You can generate the report with:
  • Selected logged events.
  • Events logged for selected users.
  • Events logged for selected roles.

Create security request from any page

Security management
Use security requests to register any required changes in the security setup. As a user, you can create a security request from any page. You can only do so if the 'Security request user' role is assigned to your user setup.
Usually, a security request is approved by the security manager and implemented by the security administrator.

Create security request in Security and compliance studio

Security management
Use security requests to register any required changes in the security setup. In Security and compliance studio, you can create security requests from the Security management workspace.
Usually, a security request is approved by the security manager and implemented by the security administrator.

Create security role

Security management
Each user must be assigned to at least one security role to have access to Finance and Operations. The security roles that are assigned to a user determine the duties that the user can perform and the parts of the user interface that the user can view.
This topic explains how to create a security role.

Create security role from duties and privileges

Security management
All users must be assigned to at least one security role to have access to Dynamics 365 for Finance and Operations. The security roles that are assigned to a user determine the duties that the user can perform and the parts of the user interface that the user can view.

You can use the Create role wizard to create a security role for selected privileges and duties.
You can select:
  • Privileges from a list of unallocated privileges. These privileges are not directly allocated to a security role and not indirectly (via a duty) allocated to a security role.
  • Privileges from a list of all privileges.
  • Duties from a list of all duties.
To have an up-to-date set of duties and privileges to select from, you can update the user license types before you select duties and privileges for a new role.

This procedure explains how to create a security role based on a selection of privileges and duties.

Create security role from scenario with selected duties

Security management
If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched duties. So, you can create a specific security role, which is still based on the security scenario.

The matched duties have at least one of the securable objects from the scenario. In determining the match, the access level for the securable objects, as defined on the security scenario, is not considered.

Note that:
  • A duty can be shown several times, for a different securable object.
  • A securable object can be shown several times as it can be linked to several duties.
  • For each entry, the related license types are shown.
This information offers the opportunity to reduce license costs. You can search for and select the duties with the lowest license type.

Create security role from scenario with selected privileges

Security management
If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched privileges. So, you can create a specific security role, which is still based on the security scenario.

The matched privileges have at least one of the securable objects from the scenario. In determining the match, the access level for the securable objects, as defined on the security scenario, is not considered.
Note that:
  • A privilege can be shown several times, for a different securable object.
  • A securable object can be shown several times as it can be linked to several privileges.
  • For each entry, the related license types are shown.
This information offers the opportunity to reduce license costs. You can search for and select the privileges with the lowest license type.

Create security scenario

Security management
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to create a security scenario.

Create security scenario based on RapidValue task guide

Security management
You can use task guides, which are exported from RapidValue, to create security scenarios in the Security and compliance studio.
Note: The task guides are exported from RapidValue as XML files and added to a ZIP file. When downloaded, extract the ZIP file so that the task guide XML files can be read by the Security and compliance studio.

Create segregation of duty from Match roles

Security management
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. Complete the following procedure to create a rule from the Match roles page.

Create snapshot

Security auditing

You create snapshots to be able to use these Security and compliance studio functions:
  • Security explorer
  • Match roles
  • Compare snapshots
A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:

  • All securable objects: roles, duties, privileges, and entry points, with the related license type and access level.
  • The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point.

You create a snapshot in these cases:

  • The first time you want to explore the security configuration or match roles.
  • Changes are made to the security configuration. So, these changes become available for the security explorer or match roles function.
  • You want to compare the current security configuration with a previous security configuration.

You are advised to create snapshots:

  • In batch, if you frequently make changes to the security configuration.
  • In the background, because the creation of a snapshot can take quite some time.

Create task recording for security scenario

Security management
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to create a task recording for a security scenario and how to add the task recording to the scenario. You can create several task recordings for a security scenario. 
When you save a task recording to a security scenario:
  • It is added to the Files section of the Scenario details page. In the File details pane, all recorded steps of the selected task recording are shown.
  • All securable objects that are touched in the task recording, are added to the scenario. In the Access required section of the Scenario details page, only the task recording steps that are related to a securable object are shown with the related access level. 
  • It is saved to the Security and compliance file share workspace.
You can use the task recording steps to optimize the license cost when you create a security role. If an entry point (securable object and access level) increases the license cost, the related step can help you decide whether this access level is actually required.

Create user

Security management
Users are internal employees of your organization, or external customers and vendors, who require access to the system to perform their jobs.
You can manually create users in the system.

Delegate work items for users

Security management
If a user is planned to be out of the office or otherwise unavailable to act on work items for a period, you (as security or system administrator) can automatically delegate new work items to other users.
To configure automatic delegation of user work items to other users, you must create delegation rules. These rules define when certain types of work items are delegated.
Users can also delegate their own work items themselves. For more information on how to do so, refer to Delegate work items in a workflow.

Delete snapshots

Security auditing
As a snapshot can consist of a lot of data, keeping many snapshots can slow performance. Therefore, you are advised to have a maximum of five snapshots.
You can set up automatic clean-up of snapshots. As a result, older snapshots are deleted according to these rules:
  • The value of the Limit number of snapshots field on the Security and compliance studio parameters.
    The number, as defined in this field, is the number of snapshots that is kept if you delete snapshots.
  • The Protected check box for snapshots.
    The snapshots that are marked as protected are kept.
On deletion, counting of snapshots to be kept starts with the latest snapshot, while protected snapshots are skipped in the count. The remaining older snapshots are deleted.
No snapshots are deleted if the value of the Limit number of snapshots field is 0, or if it is greater than or equal to the number of snapshots.
Example:
In September 2018, eight snapshots are created, of which two are marked as protected. At the end of the month, you do your monthly snapshot clean-up.
Limit number of snapshots = 3
This table shows which snapshots are kept and which ones are deleted:
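The retention rule above (count back from the latest snapshot, skip protected ones, keep the configured number, delete the rest, and do nothing when the limit is 0 or not smaller than the number of snapshots) is easy to get wrong when the protected snapshots sit in the middle of the series. The following Python is an added illustration written for this page; it is not code from Security and compliance studio. The snapshot names, dates and which two of the eight September 2018 snapshots are protected are constructed assumptions, so the resulting kept/deleted split is only one possible outcome of the example in the text.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Snapshot:
    name: str
    created: date
    protected: bool = False


def snapshots_to_delete(snapshots, limit):
    """Return the snapshots an automatic clean-up would delete.

    Rules as described on the page:
      * limit == 0 (or negative)        -> nothing is deleted
      * limit >= number of snapshots    -> nothing is deleted
      * otherwise, walking from the latest snapshot backwards, the first
        `limit` unprotected snapshots are kept; protected snapshots are
        always kept and are skipped in the count; every remaining older
        unprotected snapshot is deleted.
    """
    if limit <= 0 or limit >= len(snapshots):
        return []
    newest_first = sorted(snapshots, key=lambda s: s.created, reverse=True)
    kept_unprotected = 0
    to_delete = []
    for snap in newest_first:
        if snap.protected:          # protected: kept, not counted
            continue
        if kept_unprotected < limit:
            kept_unprotected += 1   # within the limit: kept
        else:
            to_delete.append(snap)  # beyond the limit: deleted
    return to_delete


def snapshots_kept(snapshots, limit):
    """Convenience view: the snapshots that survive, oldest first."""
    doomed = set(snapshots_to_delete(snapshots, limit))
    return sorted((s for s in snapshots if s not in doomed), key=lambda s: s.created)


def example_snapshots():
    """Constructed data: eight snapshots in September 2018, S2 and S5 protected
    (which ones are protected is an assumption; the page does not say)."""
    days = [1, 5, 9, 13, 17, 21, 25, 29]
    protected = {"S2", "S5"}
    return [
        Snapshot(f"S{i}", date(2018, 9, d), f"S{i}" in protected)
        for i, d in enumerate(days, start=1)
    ]


if __name__ == "__main__":
    snaps = example_snapshots()
    limit = 3
    print("deleted:", [s.name for s in snapshots_to_delete(snaps, limit)])
    print("kept:   ", [s.name for s in snapshots_kept(snaps, limit)])
```

With Limit number of snapshots = 3 the walk from the latest backwards keeps S8, S7 and S6, skips S5 (protected), deletes S4 and S3, skips S2 (protected) and deletes S1: five snapshots remain, not three, because protected snapshots never count towards the limit. Setting the limit to 0 or to 8 or more deletes nothing, which is the safe default to verify before enabling the clean-up batch job.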

Disable users that do not exist in Microsoft Entra ID

Security management

You can run the Microsoft Entra ID user status batch job to disable users in D365 FO if these users no longer exist in Microsoft Entra ID.

Make sure this batch job is run about 30 minutes before the Analyze license usage (Named user license count reports processing) batch job is run, so that the license usage count is based on actual users.

Download image

Security management
In the Security and compliance file share workspace, you can download image files that are used in security requests.

Download task recording

Security management
In the Security and compliance file share workspace, you can download task recording files that are used in security scenarios.

Duplicate role from Match roles

Security management

It is advisable to create a subset of security roles that are actually used in your company. This way, the security administrator has a better overview of the security roles that are used in your company.

So, if a standard security role matches a scenario, you can create an exact copy of this standard security role and assign this copy to the applicable users.

Duplicate security role

Security management

Consider creating a subset of security roles that are actually used in your company. This way, the security administrator has a better overview of the security roles that are used in your company.

This topic explains how you can create an exact copy of a security role.

Explore security configuration for any Dynamics 365 for Finance and Operations page

Security management
You can explore the security configuration for any page in Dynamics 365 for Finance and Operations. You can use this, for example, to see if you can lower the license type for a user to reduce license cost.

Each page can have several securable objects. For a selected securable object of a page, you can explore the related references. For example, if the selected object is of type Duty, you can explore:
  • The related roles.
  • The users that are assigned to these roles.
  • The related privileges.
  • The entry points of these privileges.
For the pinned level, the references with the highest user license type are highlighted. You can set the highlight color in the Security and compliance studio parameters.

The license type of each reference is indicated with a colored dot:
  • Red dot - Operations
  • Orange dot - Activity users
  • Gray dot - None
  • No dot - Team members
You can open the security explorer for any page. In this procedure, it is opened from the Sales order processing and inquiry workspace.

Explore security configuration in Security and compliance studio

License management
You can, for each level in the security configuration, explore the related references. You can use this, for example, to see if you can lower the license type for a user to reduce license cost.

For example, for a pinned duty, you can explore:
  • The related roles.
  • The users that are assigned to these roles.
  • The related privileges.
  • The entry points of these privileges.
For the pinned level, the references with the highest user license type are highlighted. You can set the highlight color in the Security and compliance studio parameters.

The license type of each reference is indicated with a colored dot:
  • Red dot - Operations
  • Orange dot - Activity users
  • Gray dot - None
  • No dot - Team members
You can open the Security explorer from several places in the Security and compliance studio:
  • License optimization workspace: Security explorer tile, All users tab, Full users tab, Activity users tab, and Team members tab
  • Security management workspace: Security explorer tile, Roles tab, and Users tab.
  • Security audit workspace: Security explorer tile, Role history tab, and User history tab
In this procedure, it is opened from the License optimization workspace, Security explorer tile. 

Export security explorer data to Microsoft Excel

Security management
You can export security explorer data to a Microsoft Excel file for further analysis.
You can choose to export:
  • All data of the security explorer.
  • Only the related references of a pinned securable object in the security configuration.
For example, for a pinned duty, you can export:
  • The related roles.
  • The users that are assigned to these roles.
  • The related privileges.
  • The entry points of these privileges.

Export security role configuration

Security management
You can export a security role with all its related security setup, so you can import and use it in another environment.

Export sensitive data access setup to Microsoft Excel

Security auditing
You can export sensitive data access setup to a Microsoft Excel file for further analysis.
You can choose to export:
  • All data of the sensitive data access setup.
  • Only the sensitive data access setup that is related to a pinned security object in the security configuration.
For example, for a pinned duty, you can export sensitive data setup for:
  • The related roles.
  • The users that are assigned to these roles.
  • The related privileges.
  • The entry points of these privileges.

Extend table security recording

Security management
You can extend an existing table security recording with additionally recorded table fields.

Give access to sensitive data

Security management
You can give a securable object access to sensitive data.
If you give a securable object access to sensitive data, all related securable objects automatically get access to sensitive data as well.
For example, if you give a duty access to sensitive data, the related users, roles, privileges, and entry points also get access to sensitive data.
In the steps, as an example, a duty is given access to sensitive data.

Give user roles access to organizations

Security management
You can give a user access to several organizations by assigning several user roles to these organizations.

Implement security request

Security management
Once a security request is approved, it can be implemented by a security administrator.

Import and publish security role configuration

Security management
You can import a security role and all its related security setup from a file that is exported from another environment.
Once imported, you must publish each imported object before you can use it.

Import user

Security management
Users are internal employees of your organization, or external customers and vendors, who require access to the system to perform their jobs.
You can import users from the Microsoft Entra ID users.

Inactivate or activate security roles

Security management

When changes to a security role are required, you can choose to create a new version of it. In this case, the previous version of the security role must become inactive. So, it can't be assigned to users anymore.

Before you inactivate a security role, make sure it's not assigned to any user. If you inactivate a security role that is still assigned to users, you get an error message listing the users to which it is assigned.

You can also activate an inactive security role.

Initialize Security and compliance IT audit

Security auditing
During implementation, to make security configuration event logging possible, you must initialize the Security and compliance studio IT audit once.
You can also use this job to clean up the security log.
As a result:
  • All already logged events are deleted.
  • The existing role and user assignments are entered as events.

Lock or unlock security role

Security management
You can lock a security role. So, it can't be used as a target role when roles are merged.
If a security role lock is no longer required, you can unlock the security role.

Manually add securable objects to security scenario

Security management
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to manually add securable objects to a security scenario.

Match security roles to security scenario

Security management
Use match roles to match all securable objects, as defined on a security scenario, to security roles.
In general, a match means that the securable object is available on the role with a given access level.

Which roles are a match, is defined by:
  • The required access level for each securable object, as defined in the security scenario (only applicable for exact match). 
  • How you match the security roles.
  • The entry points as defined for the duties and privileges of each role.
You can match roles in these ways:
  • Exact match
    Only those security roles are a match that have the securable object with the required access level.
  • Minimum/maximum match
    Only those security roles are a match that have the securable object with an access level that is in the range of the defined minimum access level and maximum access level.
Each security role, with a match for at least one of the securable objects from the security scenario, is shown as a matched role. The matching degree of each matched security role indicates to what extent the role has matching entry points.

If you find a matched security role, you can assign users to it.
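The matching described above, worked through in Python as an added example for this page (it is not Security and compliance studio code, and the studio's real implementation and data model are not shown here). Several details the text leaves open are assumptions in this code: the access levels are ordered NoAccess < Read < Update < Create < Correct < Delete as in the Finance and Operations AccessRight enumeration; when a role grants the same entry point through more than one privilege, the highest level wins; and the matching degree is the fraction of the scenario's securable objects the role matches. The scenario, role, duty, privilege and entry point names are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class AccessLevel(IntEnum):
    # Assumed ordering; the page does not define one.
    NO_ACCESS = 0
    READ = 1
    UPDATE = 2
    CREATE = 3
    CORRECT = 4
    DELETE = 5


@dataclass
class Privilege:
    name: str
    entry_points: dict           # entry point name -> AccessLevel


@dataclass
class Duty:
    name: str
    privileges: list


@dataclass
class Role:
    name: str
    duties: list = field(default_factory=list)
    privileges: list = field(default_factory=list)   # privileges assigned directly


def effective_access(role):
    """Flatten a role (via duties and direct privileges) to entry point -> highest level granted."""
    access = {}
    privs = list(role.privileges) + [p for d in role.duties for p in d.privileges]
    for priv in privs:
        for ep, lvl in priv.entry_points.items():
            access[ep] = max(access.get(ep, AccessLevel.NO_ACCESS), lvl)
    return access


def match_roles(scenario, roles, mode="exact", minimum=None, maximum=None):
    """scenario: entry point -> required AccessLevel.

    mode="exact": a securable object matches only if the role grants exactly the required level.
    mode="range": it matches if the granted level lies within [minimum, maximum]; the scenario's
                  required level is not considered, as the page states for minimum/maximum match.
    Returns (role name, matching degree, matched entry points) for every role with at least one
    match, best degree first; roles without any match are not matched roles at all.
    """
    if mode == "range" and (minimum is None or maximum is None or minimum > maximum):
        raise ValueError("range match needs minimum <= maximum")
    results = []
    for role in roles:
        granted = effective_access(role)
        matched = []
        for ep, required in scenario.items():
            lvl = granted.get(ep, AccessLevel.NO_ACCESS)
            if lvl == AccessLevel.NO_ACCESS:
                continue
            if mode == "exact":
                ok = lvl == required
            elif mode == "range":
                ok = minimum <= lvl <= maximum
            else:
                raise ValueError(f"unknown mode {mode!r}")
            if ok:
                matched.append(ep)
        if matched:
            results.append((role.name, len(matched) / len(scenario), sorted(matched)))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


# Constructed scenario: the entry points touched while posting a vendor invoice.
EXAMPLE_SCENARIO = {
    "VendInvoiceJournal": AccessLevel.UPDATE,
    "VendTable": AccessLevel.READ,
    "LedgerJournalTable": AccessLevel.CREATE,
}

# Constructed roles. The manager grants VendTable twice; the higher level (DELETE) is the effective one.
EXAMPLE_ROLES = [
    Role("Accounts payable clerk",
         duties=[Duty("Maintain vendor invoices", [
             Privilege("VendInvoiceJournalMaintain",
                       {"VendInvoiceJournal": AccessLevel.UPDATE, "VendTable": AccessLevel.READ})])],
         privileges=[Privilege("LedgerJournalCreate", {"LedgerJournalTable": AccessLevel.CREATE})]),
    Role("Accounts payable manager",
         privileges=[Privilege("VendInvoiceJournalFull",
                               {"VendInvoiceJournal": AccessLevel.DELETE, "VendTable": AccessLevel.UPDATE}),
                     Privilege("VendTableFull", {"VendTable": AccessLevel.DELETE}),
                     Privilege("LedgerJournalFull", {"LedgerJournalTable": AccessLevel.DELETE})]),
    Role("Vendor inquiry",
         privileges=[Privilege("VendTableView", {"VendTable": AccessLevel.READ})]),
    Role("Sales clerk",
         privileges=[Privilege("SalesTableMaintain", {"SalesTable": AccessLevel.CREATE})]),
]

if __name__ == "__main__":
    for row in match_roles(EXAMPLE_SCENARIO, EXAMPLE_ROLES, mode="exact"):
        print("exact ", row)
    for row in match_roles(EXAMPLE_SCENARIO, EXAMPLE_ROLES, mode="range",
                           minimum=AccessLevel.READ, maximum=AccessLevel.DELETE):
        print("range ", row)
```

The two modes answer different questions. An exact match finds the least-privilege candidate: only the Accounts payable clerk role matches all three securable objects, while the manager role, which grants Delete everywhere, does not match at all. A Read to Delete range match reports the manager role with the same matching degree as the clerk role, so when you use minimum/maximum matching you still have to look at the granted levels before assigning users to the matched role.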

Merge security roles

Security management
You can merge existing security roles into another existing security role or a new security role.

On merge:
  • The selected roles stay unchanged.
  • The selected roles aren't added to the target role as such.
  • The duties and privileges of the selected roles aren't added to the target role as such.
  • All entry points (the lowest level of the security hierarchy) of the selected roles are grouped into one privilege or into a privilege for each selected type of entry point. For each selection, by default, a new privilege is created. However, if the target role already exists, you can also select an existing privilege of that role to which the entry points are added.
  • Entry points with a higher license type than the defined Max user license type are not added to the privileges.
  • If you do not define duties, the new privileges are added to the target role and, if applicable, entry points are added to the defined existing privileges.
  • You can add the defined privileges to one duty or to a duty for each selected type of privilege. For each selection, by default, a new duty is created. However, if the target role already exists, you can also select an existing duty of that role to which the privilege is added.
  • If you define duties, the new duties are added to the target role and, if applicable, privileges are added to the defined existing duties.
  • If the target role doesn't have any duties and privileges, it will only have the new privileges or duties.
  • If the target role already has duties and privileges which are not changed during the merge, these duties and privileges stay.
  • Permissions for the entry points are given as defined in the wizard. This only is applicable if the target role already exists and has the same entry points. You can choose:
    • Merge - The highest permission, whether it comes from the source role or the target role entry point, is set as the permission for the merged entry point.
    • Unset, Grant, or Deny - Whatever the permission for the entry point is in the source role or target role, it is set to the chosen one.
  • The target role is validated for segregation of duties violations. Note: If enhanced segregation of duties rules are enabled, the role assignment is validated against the enhanced segregation of duties rules.

Merge security scenarios

Security management
A user can have access to several business processes. To maintain this in one security scenario can be cumbersome. If so, you can maintain business process access in a separate security scenario for each business process. Before you match roles, you can merge these business process security scenarios into one security scenario. So, in match roles, all the relevant entry points are considered.

Monitor asset classification details

Security auditing
D365 FO provides a default set of classifications for the kinds of data that are stored in each table. The actual classification of each field in each table can change at any time, depending on the need to identify different kinds of data.
In Security and compliance studio, you can monitor all defined field asset classifications in one overview.
The asset classification overview shows:
  • Each table with asset classifications defined for at least one field.
  • For the selected table, the fields with an asset classification.

Monitor imported Microsoft Entra ID groups

Security management
You can import Microsoft Entra ID groups to D365 FO. When you synchronize Microsoft Entra ID group members, the imported groups are loaded to Security and compliance studio. If a member of an imported Microsoft Entra ID group exists as a user in D365 FO, the user is linked to the group in Security and compliance studio. Members of Microsoft Entra ID groups who do not exist as a user in D365 FO are not shown in Security and compliance studio.
With Security and compliance studio, you can monitor the groups as imported from Microsoft Entra ID and the linked D365 FO users.

Monitor latest login of users

System administration
You can monitor the latest login of users. You can use this information to reduce license costs. For example, you can remove users who have never logged in or whose latest login is more than three months ago.

Monitor license usage per license type

License management
For each license type, you can monitor the related number of users. You can also, for each user, monitor the related license type.
Note that the licensing model of D365 FO has changed. Previously, for D365 FO, these license types were available:
  • Operations
  • Activity user
  • Team member
Currently, the previous operations license type is split into these base license types:
  • Finance (Finance)
  • SCM (Supply Chain Management)
  • Retail (Retail)
  • ProjectOperations (Project Operations)
Each full user must have a base license. If required, you can add these attach licenses for each user:
  • Finance (Finance)
  • SCM (Supply Chain Management)
  • Retail (Retail)
  • Talent (Talent)
  • EAM (Asset Management)
  • ProjectOperations (Project Operations)
To show the latest license usage data, first, refresh the licenses on the Security explorer. The license usage data is refreshed based on the latest snapshot of the security configuration.
On the All users tab and Full users tab, the New license type field is shown next to the User license field. The new license types can be shown in these formats:
  • One license type: Only the shown base license is required.
  • Several license types with plus signs: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attach licenses. Example: Finance+SCM.
  • Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail.
  • Any base license: Any of the base licenses is required. It doesn't matter which one.

Monitor risks

Security management
You can identify the operational risks for your company. Several charts can help you monitor the risks.

Monitor security configuration history

Security management
Events on the security configuration are logged in the security history, so you can monitor the changes to the security configuration.
These events are logged:
  • Audit log initialized
  • Duty created
  • Duty deleted
  • Duty modified
  • Objects published
  • Privilege created
  • Privilege deleted
  • Privilege modified
  • Role assigned 
  • Role assigned dynamically
  • Role created
  • Role deleted
  • Role locked
  • Role merged
  • Role modified
  • Role removed 
  • Role removed dynamically
  • Role unlocked
  • Security configuration exported
  • Security configuration imported
  • SoD conflict allowed
  • SoD conflict denied
  • SoD rule created
  • SoD rule deleted
  • SoD rule modified
  • SoD rules validated
  • Stand-in role assigned
  • Stand-in role removed
  • Stand-in rule conflict
  • Stand-in rule created
  • Stand-in rule deleted
  • Stand-in rules applied
  • User created
  • User deleted
  • User disabled
  • User enabled
  • User modified

Monitor work item delegation history

Security management
You can monitor the work item delegation history.
All work item delegations are logged in the history. This includes delegations added by users themselves and delegations added by security or system administrators.

Move users to another role

Security management
You can move users from one role to another role. You can use this, for example, if you have created a new variant of an existing role. You can then move the users from the old role to the new role.
As a result, the moved users are no longer assigned to the old role.

You can only move a user if the user:
  • Isn't already assigned to the other role.
  • Doesn't cause segregation of duties violations. Note: If enhanced segregation of duties rules are enabled, the role assignment is validated against the enhanced segregation of duties rules.

Override permissions on roles

Security management
To apply the table field permissions as defined for a table security record, you must override these permissions on the applicable roles.

Override permissions on roles based on security scenario

Security management
You can override the permissions of a security role based on a security scenario. You typically do this to delimit access to specific data.
In a security scenario, you can indicate all securable objects and related access levels that are required for a user to perform one or more tasks. You can use this setup to override the permissions on one or more security roles.
If you override permissions of a security role:
  • The first time, for each entry point type in the security scenario steps, a new duty and privilege are created. The new duty and privilege are named [Role name] ([entry point type]). Example: The role is Accountant and permissions are overridden for entry points of type Display and Output. As a result, the new duties and privileges are named 'Accountant (display)' and 'Accountant (output)'.
    The new privilege is added to the new duty with the same entry point type. All entry points and permissions, as defined for the security scenario, are added to the privilege for the entry point type.
  • If a duty and privilege are already available for an entry point type, the entry points and permissions are added to the existing privilege. If an entry point already exists in the privilege, its permission is overwritten.
If on the security scenario the access level of a securable object is:
  • No access, all permissions are denied.
  • View, only the Read permission is granted.
  • Edit, the Read and Update permissions are granted.
  • Create, the Read, Update, and Create permissions are granted.
  • Full control, all permissions are granted.
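The following is an added example, not code from Security and compliance studio or its vendor. It models the override rules above: the '[Role name] ([entry point type])' naming, the reuse of an existing duty and privilege on a second override, the overwrite of an entry point that is already in the privilege, and the access level to permission mapping. The role name, the entry point names, the scenario steps and the assumption that the permission set is Read, Update, Create and Delete are ours.

```python
"""Added example, not Security and compliance studio code: a model of how
overriding a role's permissions from a security scenario creates duties
and privileges, following the rules stated on this page.  Role name,
entry point names and the scenario steps are constructed sample data."""
from dataclasses import dataclass, field

# Assumption: the permission set modelled is Read, Update, Create, Delete.
ALL_PERMISSIONS = frozenset({"Read", "Update", "Create", "Delete"})

# Scenario access level -> granted permissions, as listed on the page.
ACCESS_LEVEL_GRANTS = {
    "No access": frozenset(),
    "View": frozenset({"Read"}),
    "Edit": frozenset({"Read", "Update"}),
    "Create": frozenset({"Read", "Update", "Create"}),
    "Full control": ALL_PERMISSIONS,
}


@dataclass
class Privilege:
    name: str
    # entry point name -> {"grant": permissions granted, "deny": permissions denied}
    entry_points: dict = field(default_factory=dict)


@dataclass
class Duty:
    name: str
    privileges: list = field(default_factory=list)


@dataclass
class Role:
    name: str
    duties: list = field(default_factory=list)


def permissions_for(access_level):
    """Translate a scenario access level into grant/deny permission sets.
    'No access' is the only level that produces an explicit deny."""
    if access_level not in ACCESS_LEVEL_GRANTS:
        raise ValueError(f"unknown access level: {access_level}")
    granted = ACCESS_LEVEL_GRANTS[access_level]
    denied = ALL_PERMISSIONS if access_level == "No access" else frozenset()
    return {"grant": granted, "deny": denied}


def override_name(role_name, entry_point_type):
    """Naming rule from the page: '[Role name] ([entry point type])'."""
    return f"{role_name} ({entry_point_type.lower()})"


def override_permissions(role, scenario_steps):
    """Apply scenario steps (dicts with type, entry_point, access_level) to a role.

    The first time an entry point type is seen, a duty and a privilege with the
    same name are created; later runs reuse them.  An entry point that is
    already in the privilege gets its permission overwritten.
    """
    for step in scenario_steps:
        name = override_name(role.name, step["type"])
        duty = next((d for d in role.duties if d.name == name), None)
        if duty is None:
            duty = Duty(name, [Privilege(name)])
            role.duties.append(duty)
        privilege = next(p for p in duty.privileges if p.name == name)
        privilege.entry_points[step["entry_point"]] = permissions_for(step["access_level"])
    return role


def entry_point_permissions(role, entry_point_type, entry_point):
    """Look up the override permission recorded for one entry point, or None."""
    name = override_name(role.name, entry_point_type)
    for duty in role.duties:
        if duty.name == name:
            for privilege in duty.privileges:
                if entry_point in privilege.entry_points:
                    return privilege.entry_points[entry_point]
    return None


# Constructed scenario: the Accountant may edit a journal form, view a
# report and must not see a customer form.
SCENARIO = [
    {"type": "Display", "entry_point": "LedgerJournalTable", "access_level": "Edit"},
    {"type": "Output", "entry_point": "LedgerTrialBalance", "access_level": "View"},
    {"type": "Display", "entry_point": "CustTable", "access_level": "No access"},
]


def demo():
    """First override from SCENARIO, then a second override that relaxes CustTable to View."""
    role = override_permissions(Role("Accountant"), SCENARIO)
    override_permissions(role, [{"type": "Display", "entry_point": "CustTable", "access_level": "View"}])
    return role


if __name__ == "__main__":
    for duty in demo().duties:
        print(duty.name, {ep: sorted(perm["grant"]) for ep, perm in duty.privileges[0].entry_points.items()})
```

Running the block shows only two duties after both overrides (one per entry point type), with CustTable carrying the View permission from the second run rather than the deny from the first.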

Rebuild asset classification

Security auditing
In Security and compliance studio, you can monitor all specified field asset classifications.
To monitor up-to-date asset classifications, you are advised to rebuild the asset classification data daily.

Record table security

Security management

You can use table security to manage permissions on table field level. Use table security recording to define the tables and table fields for which you want to set or change permissions. After recording the fields, you can define the desired access right for each recorded field.

Refresh licenses

Security management
The licensing model of D365 FO has changed. Previously, for D365 FO, these license types were available:
  • Operations
  • Activity user
  • Team member
Currently, the previous operations license type is split into these base license types:
  • Finance (Finance)
  • SCM (Supply Chain Management)
  • Retail (Retail)
  • ProjectOperations (Project Operations)
Each full user must have a base license. If required, you can add these attach licenses for each user:
  • Finance (Finance)
  • SCM (Supply Chain Management)
  • Retail (Retail)
  • Talent (Talent)
  • EAM (Asset Management)
  • ProjectOperations (Project Operations)
To show the required new license types in Security and compliance studio, refresh the new license type information. The new license types are refreshed based on the latest snapshot of the security configuration.
As a result, the applicable new license types are retrieved and shown in the Security explorer for each of these securable objects:
  • Users
  • Roles
  • Duties
  • Privileges
  • Entry points
Also, on other forms, the new license types are filled after refreshing the licenses. The New license type field is shown on each form where the User license field is shown.
The new license types can be shown in these formats:
  • One license type: Only the shown base license is required.
  • Several license types with plus signs: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attach licenses. Example: Finance+SCM.
  • Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail.
  • Any base license: Any of the base licenses is required. It doesn't matter which one.
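The following is an added example, not code from Security and compliance studio or its vendor; it covers the New license type formats listed here and in Monitor license usage per license type. It parses the four formats, checks whether a user's base and attach licenses meet a requirement, and combines the requirements of several entry points into the smallest license sets that cover all of them. The rule that the user's own base license must be one of the shown licenses, and the assumption that all licenses cost the same, are ours.

```python
"""Added example, not Security and compliance studio code: parses the
'New license type' strings in the formats described on this page and
checks a user's held licenses against them.  The base-license matching
rule and the equal-cost assumption are ours, not the product's."""
from itertools import product

BASE_LICENSES = frozenset({"Finance", "SCM", "Retail", "ProjectOperations"})
ATTACH_LICENSES = frozenset({"Finance", "SCM", "Retail", "Talent", "EAM", "ProjectOperations"})
ANY_BASE = "Any base license"


def parse_requirement(text):
    """Return the alternatives that satisfy a requirement string.

    Each alternative is a frozenset of licenses that must all be held:
      'Finance'             -> [{Finance}]
      'Finance+SCM'         -> [{Finance, SCM}]        (one base, rest attach)
      'Finance/SCM/Retail'  -> [{Finance}, {SCM}, {Retail}]
      'Any base license'    -> one alternative per base license
    """
    text = text.strip()
    if text == ANY_BASE:
        return [frozenset({b}) for b in sorted(BASE_LICENSES)]
    if "+" in text and "/" in text:
        raise ValueError(f"mixed format is not defined: {text!r}")
    if "/" in text:
        parts = [p.strip() for p in text.split("/")]
        bad = [p for p in parts if p not in BASE_LICENSES]
        if bad:
            raise ValueError(f"slash format lists non-base licenses: {bad}")
        return [frozenset({p}) for p in parts]
    parts = [p.strip() for p in text.split("+")]
    bad = [p for p in parts if p not in BASE_LICENSES | ATTACH_LICENSES]
    if bad:
        raise ValueError(f"unknown licenses: {bad}")
    if not any(p in BASE_LICENSES for p in parts):
        raise ValueError(f"no license in {text!r} can serve as base license")
    return [frozenset(parts)]


def satisfies(requirement, held_base, held_attach=()):
    """True if the user's base license plus attach licenses meet the requirement.

    Assumption: the user's base license must itself be one of the licenses
    shown in the requirement; an attach-only match does not count.  Every
    full user needs a base license, so None never satisfies anything.
    """
    if held_base not in BASE_LICENSES:
        return False
    held = frozenset(held_attach) | {held_base}
    return any(held_base in alt and alt <= held for alt in parse_requirement(requirement))


def minimal_license_sets(requirements):
    """Smallest license sets that satisfy all requirement strings at once.

    One alternative is chosen per requirement and the choices are unioned;
    assumption: all licenses cost the same, so fewest licenses is cheapest.
    Returns the winning sets as sorted lists, in a stable order.
    """
    alternatives = [parse_requirement(r) for r in requirements]
    unions = {frozenset().union(*combo) for combo in product(*alternatives)}
    unions = {u for u in unions if u & BASE_LICENSES}
    if not unions:
        return []
    best = min(len(u) for u in unions)
    return sorted(sorted(u) for u in unions if len(u) == best)


if __name__ == "__main__":
    # Constructed: requirements of three entry points that one user touches.
    print(minimal_license_sets(["Finance+SCM", "Finance/SCM/Retail", ANY_BASE]))
    print(satisfies("Finance+SCM", "Finance", {"SCM"}), satisfies("Finance+SCM", "Retail", {"Finance", "SCM"}))
```

A user holding Retail as base with Finance and SCM attached fails 'Finance+SCM' under the rule chosen here, because neither shown license is the base; swapping the base to Finance or SCM makes the same three licenses pass.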

Register risks

Security management
You can identify the operational risks for your company. These risks can be security and compliance related, or any other type of risk for your organization.
You can link a risk to a segregation of duties rule to help reduce business risks, human errors, or fraudulent transactions.

Resolve segregation of duties conflicts

Security management

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If, on verification, the definition of a security role or the role assignments of a user violates the rules, the conflict is logged. All conflicts must be resolved by the security administrator.

For each logged conflict, you can:

  • Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion.
  • Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field.
Complete the following procedure to view and resolve conflicts.

Resolve segregation of duties conflicts (enhanced)

Security management

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If, on verification, the definition of a security role or the role assignments of a user violates the rules, the conflict is logged. All conflicts must be resolved by the security administrator.

For each logged conflict, you can:

  • Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion.
  • Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field.
Complete the following procedure to view and resolve conflicts.

Set Security and compliance studio parameters

Security management
Before you start using the Security and compliance studio, set the Security and compliance studio parameters.

Set up areas

System administration
You can use areas to categorize security requests.

Set up segregation of duties rules

Security management
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. Complete the following procedure to create a rule.

Set up segregation of duties rules (enhanced)

Security management
You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.
With the enhanced segregation rules, you can define segregation rules not only on duty level, but also on privilege level and entry point level.
Why consider using the enhanced segregation rules? With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply, so a role or user can combine the conflicting permissions without triggering the rule. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely.
Complete the following procedure to create an enhanced segregation rule on one of these levels: duty, privilege, or entry point.
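The following is an added example, not code from Security and compliance studio or its vendor. It shows the bypass described above with a small checker: a role that links the vendor payment privilege to a duty with another name passes a duty-level rule but is caught by the same rule written on privilege or entry point level. It also checks a user's combined role assignments, the inter-role case. All role, duty, privilege and entry point names are constructed, not real D365 FO objects.

```python
"""Added example, not Security and compliance studio code: a checker that
shows why a segregation of duties rule on duty level can be bypassed and
how a rule on privilege or entry point level closes the gap.  Role,
duty, privilege and entry point names are constructed."""

# role -> duty -> privilege -> set of entry points (constructed sample data)
ROLES = {
    "Warehouse worker": {
        "Register product receipts": {
            "Maintain product receipt journal": {"PurchProductReceiptJournal"},
        },
    },
    "Accounts payable clerk": {
        "Process vendor payments": {
            "Maintain vendor payment journal": {"VendPaymentJournal"},
        },
    },
    # The bypass: the payment privilege is linked to a duty with another name,
    # so a duty-level rule never sees "Process vendor payments" in this role.
    "Procurement lead": {
        "Register product receipts": {
            "Maintain product receipt journal": {"PurchProductReceiptJournal"},
        },
        "Manage procurement setup": {
            "Maintain vendor payment journal": {"VendPaymentJournal"},
        },
    },
}

# (level, first object, second object): the two objects must not be combined.
DUTY_RULE = ("duty", "Register product receipts", "Process vendor payments")
PRIVILEGE_RULE = ("privilege", "Maintain product receipt journal", "Maintain vendor payment journal")
ENTRY_POINT_RULE = ("entry point", "PurchProductReceiptJournal", "VendPaymentJournal")


def securable_objects(role, level):
    """Flatten a role definition to the set of objects at the requested level."""
    if level == "duty":
        return set(role)
    if level == "privilege":
        return {p for privileges in role.values() for p in privileges}
    if level == "entry point":
        return {e for privileges in role.values() for eps in privileges.values() for e in eps}
    raise ValueError(f"unknown level: {level}")


def role_violations(role, rules):
    """Intra-role check: rules whose two objects both appear in one role definition."""
    return [rule for rule in rules
            if {rule[1], rule[2]} <= securable_objects(role, rule[0])]


def merge_roles(role_names, roles):
    """Union of the definitions of all roles assigned to one user."""
    merged = {}
    for name in role_names:
        for duty, privileges in roles[name].items():
            target = merged.setdefault(duty, {})
            for privilege, entry_points in privileges.items():
                target.setdefault(privilege, set()).update(entry_points)
    return merged


def user_violations(role_names, roles, rules):
    """Inter-role check: the rules violated by a user's combined role assignments."""
    return role_violations(merge_roles(role_names, roles), rules)


if __name__ == "__main__":
    print(role_violations(ROLES["Procurement lead"], [DUTY_RULE]))  # [] - bypassed
    print(role_violations(ROLES["Procurement lead"], [PRIVILEGE_RULE, ENTRY_POINT_RULE]))
    print(user_violations(["Warehouse worker", "Accounts payable clerk"], ROLES, [DUTY_RULE]))
```

The duty-level rule still works for the user who is assigned both single-purpose roles, because both conflicting duties appear in the combined assignment; it only fails to see the conflict inside the role that was built with a differently named duty.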

Set up sensitive data access reasons

Security management
If you give a securable object access to sensitive data, you must specify the reason. This topic explains how to set up sensitive data access reasons.
Each sensitive data access reason has one of these types:
  • Common personal - Used to indicate access to common personal data, like name and birth date.
  • Sensitive personal - Used to indicate access to sensitive personal data, like ethnic origin and trade union membership.
A set of predefined sensitive data access reasons is available. You are advised to upload these predefined sensitive data access reasons before you add new ones.

Set up user groups

Security management

To use some features and functionality in D365 FO, user groups can be required. For example, users who are outside the organization hierarchy for budget planning may still need to work with budget plans; you can assign budget plans to user groups. You can also set up restrictions for journal posting that are based on user groups.

This topic describes how to create a user group and add users to it.

Synchronize groups with Microsoft Entra ID groups

Security management
You can import Microsoft Entra ID groups to D365 FO. Synchronize the Microsoft Entra ID group members to load the imported groups to Security and compliance studio. If a member of an imported Microsoft Entra ID group exists as a user in D365 FO, the user is linked to the group in Security and compliance studio. Members of Microsoft Entra ID groups who do not exist as a user in D365 FO are not shown in Security and compliance studio.
After you have imported a Microsoft Entra ID group, its members can change in the Azure Portal: members can be added to or removed from the Microsoft Entra ID group. Usually, these changes must also be applied to the imported groups in D365 FO.
To keep the setup in Security and compliance studio up to date, you are advised to synchronize the Microsoft Entra ID group members daily.
When you synchronize Microsoft Entra ID group members:
  • Groups that are imported from Microsoft Entra ID are loaded to Security and compliance studio.
  • Members who are added to a Microsoft Entra ID group are also added to the related group in Security and compliance studio. A Microsoft Entra ID group member is only added to an imported group if it exists as a user in D365 FO.
  • Members who are removed from a Microsoft Entra ID group are also removed from the related group in Security and compliance studio. A Microsoft Entra ID group member is only removed from an imported group if it exists as a user in D365 FO.
If a previously imported Microsoft Entra ID group is deleted in Microsoft Entra ID, the related group is disabled in D365 FO when the imported groups are synchronized. When the Microsoft Entra ID group members are synchronized, the linked users are disabled for this group in Security and compliance studio.
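The following is an added example, not code from Security and compliance studio or its vendor. It applies the synchronization rules above to an in-memory copy of the imported groups: members added in Microsoft Entra ID are linked only when they exist as D365 FO users, members removed in Microsoft Entra ID are unlinked, and a group that no longer exists in Microsoft Entra ID is disabled together with its linked users. The data structures, group ids and user names are constructed; the real product reads this state from Microsoft Entra ID and its own tables.

```python
"""Added example, not Security and compliance studio code: a reconciliation
routine that applies the synchronization rules on this page to imported
groups.  Data structures, group ids and user names are constructed."""
import copy


def synchronize_group_members(entra_groups, d365_users, studio_groups):
    """Return the updated studio groups and a change log.

    entra_groups:  {group_id: {"name": str, "members": set of UPNs}} as read
                   from Microsoft Entra ID; a previously imported group that is
                   missing here counts as deleted in Microsoft Entra ID.
    d365_users:    set of UPNs that exist as users in D365 FO.
    studio_groups: {group_id: {"name": str, "enabled": bool,
                               "members": {upn: enabled_for_group}}}
    The input is not modified; a deep copy is returned.
    """
    state = copy.deepcopy(studio_groups)
    log = []
    for group_id, group in state.items():
        if group_id not in entra_groups:
            # Deleted in Microsoft Entra ID: disable the group and its linked users.
            group["enabled"] = False
            for upn in group["members"]:
                group["members"][upn] = False
            log.append(("group disabled", group_id))
            continue
        entra_members = set(entra_groups[group_id]["members"])
        linked = set(group["members"])
        for upn in sorted(entra_members - linked):
            # Added in Microsoft Entra ID: link only if the member is a D365 FO user.
            if upn in d365_users:
                group["members"][upn] = True
                log.append(("member added", group_id, upn))
            else:
                log.append(("member skipped, no D365 FO user", group_id, upn))
        for upn in sorted(linked - entra_members):
            # Removed in Microsoft Entra ID: unlink only if the member is a D365 FO user.
            if upn in d365_users:
                del group["members"][upn]
                log.append(("member removed", group_id, upn))
    return state, log


# Constructed sample state: carol is in the Entra group but has no D365 FO user,
# dave was removed from the Entra group, and g-legacy was deleted in Entra ID.
ENTRA_GROUPS = {
    "g-finance": {"name": "Finance",
                  "members": {"alice@contoso.example", "bob@contoso.example", "carol@contoso.example"}},
}
D365_USERS = {"alice@contoso.example", "bob@contoso.example", "dave@contoso.example"}
STUDIO_GROUPS = {
    "g-finance": {"name": "Finance", "enabled": True,
                  "members": {"alice@contoso.example": True, "dave@contoso.example": True}},
    "g-legacy": {"name": "Legacy", "enabled": True,
                 "members": {"bob@contoso.example": True}},
}


def demo():
    """Run one synchronization over the constructed state."""
    return synchronize_group_members(ENTRA_GROUPS, D365_USERS, STUDIO_GROUPS)


if __name__ == "__main__":
    state, log = demo()
    for entry in log:
        print(entry)
```

The log is what you would want to review after a scheduled daily run: skipped members point at people who have a Microsoft Entra ID group membership but no D365 FO user yet, and disabled groups are candidates for clean-up.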

Undo access to sensitive data

Security management
You can undo the access to sensitive data for a securable object.
If you undo the access to sensitive data for a securable object, the access to sensitive data is automatically also undone for all related securable objects.
For example, if you undo access to sensitive data for a duty, the access to sensitive data is also undone for the related users, roles, privileges, and entry points.
In the steps, as an example, access to sensitive data is undone for a privilege.

Upload image

Security management
In the Security and compliance file share workspace, you can upload image files to be used in security requests.

Upload task recording

Security management
In the Security and compliance file share workspace, you can upload task recording files to be used in security scenarios.

Use predefined segregation of duties rules on demand

Security management

You can set up segregation of duties rules to separate tasks that must be performed by different users. On demand, a predefined set of segregation of duties rules is available.

These predefined segregation of duties rules are set up based on this risk identification matrix for several transaction types:


You can upload the predefined segregation of duties rules in Data management.

Validate segregation of duties

Security management
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for segregation of duties. So, it validates intra-role compliance.
If any existing roles violate the selected rule, a message is displayed that contains the name of the role and the names of the conflicting duties. The security administrator must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply.

Validate segregation of duties (enhanced)

Security management
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for enhanced segregation of duties. So, it validates intra-role compliance.
If any existing roles violate the selected rule, a message is shown that contains the name of the role and the names of the conflicting securable objects. You must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for enhanced segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply.

Validate segregation of duties for stand-in

Security management
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties.
If you use segregation of duties rules, you can validate if the assignment of the user roles to the stand-in user complies with the segregation of duties rules.
If assigning the user roles to the stand-in violates the segregation of duties rules, a message is displayed with the name of the role and the names of the conflicting duties. The security administrator must either indicate the mitigation for the security risk or modify the conflicts so that segregation of duties rules are not violated. If no rules are violated, a message indicates that the stand-in role complies with the segregation of duties rules.
Note: If enhanced segregation of duties rules are enabled, the stand-in role assignment is validated against the enhanced segregation of duties rules.

Verify compliance of user-role assignments

Security management
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-role assignments to verify whether user role assignments comply with new rules for segregation of duties. So, it verifies inter-role compliance at user level.
A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator. Complete the following procedure to identify conflicts.

Verify compliance of user-role assignments (enhanced)

Security management
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-role assignments to verify whether user role assignments comply with new rules for enhanced segregation of duties. So, it verifies inter-role compliance at user level.
A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. You must resolve all conflicts.
Complete the following procedure to identify conflicts.

View access to sensitive data charts

Security auditing
You can use several charts to audit access to sensitive data:
  • Number of security objects with access to sensitive data
  • Number of users with access to sensitive data per organization
  • Number of roles per user with access to sensitive data
  • Reasons to give roles access to sensitive data

View asset classification chart

Security auditing
D365 FO provides a default set of classifications for the kinds of data that are stored in each table. These classifications, and the actual classification of each field in each table, can change at any time, depending on the need to identify different kinds of data.
In Security and compliance studio, you can monitor all defined field asset classifications in the Asset classification chart.
The asset classification chart shows:
  • How the defined asset classifications are divided over the used classifications.
  • The number of fields with an asset classification defined for each classification.
If you click a classification on the chart, the asset classification overview is opened. It shows all tables that have at least one field with the clicked asset classification.

View securable objects with access to sensitive data

Security auditing
It is important to know which securable objects give access to sensitive data. For these securable object types, you can review which objects give access to sensitive data:
  • Roles
  • Duties
  • Privileges
  • Users

View Security and compliance studio data on person search report

Security auditing
For Security and compliance studio, an extension is added to the Person search report.

On the Person search report, in the Security and compliance studio results section, you can find this security information:
  • Security requests of which the user is the owner.
  • Stand-ins in which the user is involved. Both possibilities are shown: when the user is the stand-in for another user and when another user is the stand-in for the user.
  • Scenarios of which the user is the owner.
  • Table security recordings of which the user is the owner.
For more information, refer to Person search report.

View security management charts

Security management
Several charts are available to monitor the status of the security configuration.
