1. To-Increase Dynamics 365 for Finance & Operations
  2. Security and compliance studio
  3. Manage security

Manage security roles

All users must be assigned to at least one security role to get access to D365 FO. The security roles that are assigned to a user determine the duties that the user can perform and the parts of the user interface that the user can view.
For more information, refer to Role-based security.


Security administrator Security administrator Start Start How to create  a security role? How to create  a security role? Manage security scenarios

Manage security scenarios and match roles

You can use security scenarios to record and define all securable objects and related access levels that are required for a user to perform one or more tasks.
You can create a security role in several ways. In the Security and compliance studio, you can record the working tasks for a target user. The recording results are stored in a security scenario. You can use this security scenario to fine-tune all securable objects and related access levels that are required for the target user to perform the working tasks.
If the security scenario is complete, you can search for a role that matches the security scenario. If no perfect match is found, you can create a security role for the security scenario in several ways. You can link the matched or new security role to the applicable users.


 Create security role Create security role All users must be assigned to at least one security role to have access to Dynamics 365 for Finance and Operations. The security roles that are assigned to a user determine the duties that the user can perform and the parts of the user interface that the user can view. You can use the Security role wizard to create or edit a security role. You can select the desired duties, privileges, and entry points. Snapshot The Security role wizard uses the latest snapshot as a basis. So, for the Security role wizard to have the best performance, make sure the latest snapshot is up-to-date. In the Security and compliance studio parameters, the Enable dynamic snapshot parameter exists. If set to: Yes, the roles that you create with the Security role wizard are saved automatically in the latest snapshot. No, no automatic updates are done to the latest snapshot. If you want a new role to be available for Security and compliance studio functions, create a new snapshot. Procedure 1. Click Security management. 2. Click Create role. 3. Click Next. 4. In the New or existing role field, select an option. 5. In the Role name field, type or select a value. 6. In the Role description field, type a value. 7. In the Security policy context string field, type a value. 8. Define if you want to include duties in the security role setup. Select Yes in the Include duties field. Note: If you select No, the All duties step is skipped. 9. Define if you want to include privileges in the security role setup. Select Yes in the Include privileges field. Note: If you select No, the All privileges step is skipped. 10. Define if you want to include entry points in the security role setup. Select Yes in the Include entry points field. Note: If you select No, the Entry points step is skipped. 11. Select Yes in the Segregation of duties validation field. 12. You can define the maximum access level of the securable objects that you want to include in the security role. The maximum access level limits the number of securable objects that are shown in the available objects lists. In the Maximum access level field, select an option. Note: If you edit an existing security role, the maximum access level does not remove securable objects with a higher access level from the security role. 13. Click Next. Note: You can only click Next if you at least have: Typed or selected a value in the Role name field. Set one of these fields to Yes: Include duties Include privileges Include entry points 14. Sub-task: Select duties. 15. Select Yes in the Not linked to any roles field. 16. Select Yes in the Show additional details field. 17. In the Available duties list, select the duties that you want to include in the security role. 18. Click Add to selection. 19. In Selected duties list, select the duties to be excluded from the security role. 20. Click Mark as excluded. Note: To re-include an excluded duty, select the excluded duty and click mark as included. 21. Click Next. 22. Sub-task: Select privileges. 23. Select Yes in the Not linked to any roles field. 24. Select Yes in the Show additional details field. 25. In the Available privileges list, select the privileges that you want to include in the security role. 26. Click Add to selection. 27. In Selected privileges list, select the privileges to be excluded from the security role. 28. Click Mark as excluded. Note: To re-include an excluded privilege, select the excluded privilege and click mark as included. 29. Click Next. 30. Sub-task: Select entry points. 31. In the Module field, enter or select a value. 32. Select Yes in the Show additional details field. 33. In the Available entry points list, select the entry points that you want to include in the security role. 34. In the Move with: field, select an option. 35. Click Add. 36. In Selected entry points list, select the entry points to be excluded from the security role. 37. Click Mark as excluded. Note: To re-include an excluded entry point, select the excluded entry point and click mark as included. 38. Click Next. 39. Click Finish. Duplicate security role Duplicate security role Consider creating a subset of security roles that are actually used in your company. This way, the security administrator has a better overview of the security roles that are used in your company. This topic explains how you can create an exact copy of a security role. Procedure 1. Click Security management. 2. Click the Roles tab. 3. In the list, find and select the desired record. 4. Click Duplicate role. 5. In the Role Name field, type a value. 6. In the Description field, type a value. 7. Click OK. Note: Once the security role is created, it is validated automatically to verify if it complies with the segregation of duties rules. If enhanced segregation of duties rules are enabled, the role is validated against the enhanced segregation of duties rules. Merge  security roles? Merge  security roles? Merge security roles

Merge security roles

You can merge existing security roles into another existing security role or a new security role.

 Inactivation or activation  of security role required? Inactivation or activation  of security role required? Inactivate or activate security roles Inactivate or activate security roles When changes to a security role are required, you can choose to create a new version of it. In this case, the previous version of the security role must become inactive. So, it can't be assigned to users anymore.Before you inactivate a security role, make sure it's not assigned to any user. If you inactivate a security role that is still assigned to users, you get an error message listing the users to which it is assigned.You can also activate an inactive security role. Procedure 1. Click Security management. 2. Click the Roles tab. 3. Sub-task: Inactivate security role. 4. In the list, find and select the desired active security roles. 5. Click Mark active/inactive role. Note: As a result, the selected security roles are added to the list of inactive security roles. 6. Close the page. 7. Sub-task: Activate security roles. 8. In the list, find and select the desired inactive security roles. 9. Click Mark active/inactive role. Note: As a result, the selected security roles are deleted from the list of inactive security roles. 10. Close the page. Notes You can also manually inactivate or activate security roles. Go to Security and compliance > Security > Inactive security roles. To inactivate, add a security role and to activate delete a security role. Add read table  permissions? Add read table  permissions? Add table read permissions to role or privilege Add table read permissions to role or privilege To any role or privilege, you can add read permissions for all tables or a selection of tables. You can add table read permissions to a role or a privilege. In this task guide, the permissions are added to a role. Procedure 1. Go to Security and compliance > Periodic tasks > Add table permissions to role or privilege. 2. In the Privilege name field, enter or select a value. 3. Select Yes in the Overwrite access level field. 4. Expand the Records to include section. 5. Click Filter. 6. Click Add. 7. In the Field field, enter or select a value. 8. In the Criteria field, type a value. 9. Click OK. 10. Click OK. 11. Click Yes. End End From  scenario Duplicate With the  Security role  wizard No Yes Yes No Yes No

Activities

Name Responsible Description

Manage security scenarios

Security administrator

 		You can use security scenarios to record and define all securable objects and related access levels that are required for a user to perform one or more tasks.
You can create a security role in several ways. In the Security and compliance studio, you can record the working tasks for a target user. The recording results are stored in a security scenario. You can use this security scenario to fine-tune all securable objects and related access levels that are required for the target user to perform the working tasks.
If the security scenario is complete, you can search for a role that matches the security scenario. If no perfect match is found, you can create a security role for the security scenario in several ways. You can link the matched or new security role to the applicable users.

Create security role

Security administrator

All users must be assigned to at least one security role to have access to Dynamics 365 for Finance and Operations. The security roles that are assigned to a user determine the duties that the user can perform and the parts of the user interface that the user can view.

You can use the Security role wizard to create or edit a security role. You can select the desired duties, privileges, and entry points.

Snapshot

The Security role wizard uses the latest snapshot as a basis. So, for the Security role wizard to have the best performance, make sure the latest snapshot is up-to-date.

In the Security and compliance studio parameters, the Enable dynamic snapshot parameter exists. If set to:

  • Yes, the roles that you create with the Security role wizard are saved automatically in the latest snapshot.
  • No, no automatic updates are done to the latest snapshot. If you want a new role to be available for Security and compliance studio functions, create a new snapshot.

Duplicate security role

Security administrator

Consider creating a subset of security roles that are actually used in your company. This way, the security administrator has a better overview of the security roles that are used in your company.

This topic explains how you can create an exact copy of a security role.

Merge security roles

Security administrator

 		You can merge existing security roles into another existing security role or a new security role.

Inactivate or activate security roles

Security administrator

When changes to a security role are required, you can choose to create a new version of it. In this case, the previous version of the security role must become inactive. So, it can't be assigned to users anymore.

Before you inactivate a security role, make sure it's not assigned to any user. If you inactivate a security role that is still assigned to users, you get an error message listing the users to which it is assigned.

You can also activate an inactive security role.

Add table read permissions to role or privilege

Security administrator

 		To any role or privilege, you can add read permissions for all tables or a selection of tables.
You can add table read permissions to a role or a privilege. In this task guide, the permissions are added to a role.

Merge security roles

Apply administrator view

Provide feedback