Creating Custom Security Roles in Microsoft Dynamics D365
In this document we will walk through the process of creating a custom, view-only security role in Microsoft Dynamics 365 Finance & Operations (D365F&O), using role-based security configuration. Additionally, we’ll demonstrate how to assign this role on a per-legal-entity basis. While it’s possible to customize existing security roles, for this guide we’ll focus on creating a new role from scratch and assigning it view-only permissions. The same approach can be applied to any form within the system, allowing you to either create new roles or assign multiple permissions to existing duties.
Before diving into role creation, it’s important to understand the security architecture of D365F&O. This foundational knowledge makes it significantly easier to tailor security configurations to meet specific business needs. Below is a high-level overview of the security model, which includes roles, duties, and privileges and how they relate to each other:

With role-based security, administrators can assign specific roles to users and then assign permissions to those roles. The permissions that can be assigned include:

Key Concepts in D365 Security
Microsoft Dynamics 365 leverages a comprehensive, role-based security model to manage user access and protect sensitive data. Hosted within Microsoft Azure’s secure and scalable infrastructure, it ensures high performance, reliability, and enterprise-grade security.
This security framework is built on the principle of least privilege—granting users only the access necessary to perform their assigned duties. Through clearly defined roles, privileges, and hierarchical structures, Dynamics 365 enforces data integrity and minimizes security risks.
Designed for modern organizations, the model supports compliance, enhances operational control, and ensures users interact with the system in a secure, controlled manner.
Security Roles
A security role in Microsoft Dynamics 365 is a structured set of privileges that governs what actions a user can perform and which data they can access within the system. These roles are assigned to individual users or teams and are essential in enforcing access control and operational boundaries.
For example:
- Sales Manager: Has the ability to view and edit all sales-related records across the
- Customer Service Representative: Restricted to viewing and editing only the cases assigned specifically to
This role-based approach ensures that users have the appropriate level of access based on their responsibilities, supporting both security and efficiency.
Duties
A duty is a logical grouping of privileges that represents a specific business task or responsibility within Microsoft Dynamics 365. Duties are modular and reusable, allowing them to be associated with multiple security roles to streamline role configuration and management.
For example:
- Maintain Customer Records: Grants privileges to create, read, update, and delete customer
- Generate Invoices: Grants privileges to create and post
By organizing privileges into duties, organizations can ensure consistency, simplify role maintenance, and enhance the security model’s scalability.
Privileges
A privilege represents the most granular level of access control in Microsoft Dynamics 365. It defines a user’s ability to perform a specific action—such as creating, reading, updating, or deleting—on a particular type of data record.
Privileges are the foundational components of the security model. They are grouped into duties, which are then assigned to roles, forming a structured hierarchy of access.
Examples of privileges include:
- Read: Allows viewing of a
- Write: Allows editing of a
- Delete: Allows removal of a
This layered structure ensures precise access control while maintaining flexibility and consistency across roles.
How Roles, Duties and Privileges Work in D365
The Microsoft Dynamics 365 security model is built on a hierarchical structure that promotes flexibility, consistency, and reusability across the organization:
- Privileges define specific actions on data (e.g., Read, Write, Delete).
- Duties group related privileges to represent a task or
- Roles consist of one or more duties and define access at a functional
- Users or Teams are assigned roles to control what they can access and do in the
For example, the Maintain Customer Records duty—comprising privileges to create, read, update, and delete customer records—can be included in both the Sales Manager and Customer Service Representative roles. This ensures consistent access rules while allowing roles to be tailored to different business functions.
Designing Security Roles in D365
As a consultant, building a secure and scalable security model involves a structured approach. Follow these key steps to design effective security roles that align with organizational needs while maintaining data protection:
1. Analyze Business Requirements
- Identify all user groups (e.g., Sales, Marketing, Finance).
- Understand the tasks each group performs and the data they require access
2. Define Privileges
- Determine specific actions each group must perform (e.g., Read, Write, Delete).
- Ensure alignment with the principle of least privilege, granting only necessary
3. Group Privileges into Duties
- Create duties that represent business tasks or
- Example: A Generate Reports duty might include privileges to read data and run
4. Create Security Roles
- Combine duties into roles based on job
- Example: A Sales Representative role might include Maintain Customer Records and Generate Invoices duties.
5. Assign Roles to Users or Teams
- Assign roles based on the user’s function in the
- Use teams to manage access consistently across groups, simplifying role
This systematic approach ensures secure, role-based access control while supporting operational efficiency and compliance.
Create New Custom Security Role
Scenario: We will create a new ‘view only’ security role for the Customer master data. We can apply the same process on any D365 form.
- Go to System Administrator > Security > Security Configuration > Role, then click Create New to define and save a new security role.

- Define the name for the role, for example: “New Custom Role_001”

- Create a new duty by navigating to Duties > Create New, enter the name “New Custom Duty_001”, then click OK.

- Create a new privilege by navigating to Privileges > Create New, enter the name “New Custom Privilege_001”, then click OK.

- Go to All Customers, right-click on the Name column, select Form Information, and note the Form Name: CustTable

- Copy the Menu Item Name from the form information; it should be CustTableListPage

- Go to Privileges, select the newly created privilege, then under Display Menu Item, click Add Reference and use the Filter to search for the menu item.

- Now go back to Roles, select the new role “New Custom Role_001”, go to Duties, click Add Reference, filter and select “New Custom Duty_001”, then click OK.

- Go to Duties, select the created duty, navigate to Privileges, click Add Reference, find and select “New Custom Privilege_001”, then click OK.

Now you can verify that the privilege is assigned to the duty, and the duty is assigned to the role. You will also see that CustTableListPage has only one permission granted under the assigned privilege.

- After completing the above steps, go to ‘Unpublished Objects’, select all, and click Publish. Once published, the role is ready to be assigned by the system admin, and the assigned user will have display-only access to the All Customers

- After assigning the role, go to Role > Assign Organization, then choose whether to grant the permission to all legal entities or to a specific one by selecting the appropriate organization.
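
The role > duty > privilege chain built above, and the check that it really stays view-only, can be expressed as a small audit. This is an added example, not part of the original walkthrough or any Microsoft tooling: the data is constructed, the "_demo" objects, user names and legal entity "LE01" are hypothetical, and the ordered access scale and the "empty set means all legal entities" convention are modelling assumptions.

```python
from enum import IntEnum

class Access(IntEnum):
    # Ordered scale assumed for illustration: a higher level includes the lower ones.
    NONE, READ, UPDATE, CREATE, CORRECT, DELETE = range(6)

# Constructed sample data using the walkthrough's names; "*_demo" objects are hypothetical.
PRIVILEGES = {
    "New Custom Privilege_001": {"CustTableListPage": Access.READ},
    "Customer Maintain Privilege_demo": {"CustTableListPage": Access.DELETE},
}
DUTIES = {
    "New Custom Duty_001": ["New Custom Privilege_001"],
    "Customer Maintain Duty_demo": ["Customer Maintain Privilege_demo"],
}
ROLES = {
    "New Custom Role_001": ["New Custom Duty_001"],
    "Drifted Role_demo": ["New Custom Duty_001", "Customer Maintain Duty_demo"],
}
# user -> role -> legal entities; an empty set models "all legal entities".
ASSIGNMENTS = {
    "alice": {"New Custom Role_001": {"LE01"}},
    "bob": {"New Custom Role_001": set()},
}

def effective_access(role):
    """Walk role -> duties -> privileges, keeping the highest grant per menu item."""
    result = {}
    for duty in ROLES[role]:
        for privilege in DUTIES[duty]:
            for item, level in PRIVILEGES[privilege].items():
                result[item] = max(result.get(item, Access.NONE), level)
    return result

def view_only_violations(role, allowed_items):
    """List every grant that breaks the role's view-only intent."""
    findings = []
    for item, level in sorted(effective_access(role).items()):
        if item not in allowed_items:
            findings.append(f"{role}: unexpected menu item {item} ({level.name})")
        elif level > Access.READ:
            findings.append(f"{role}: {item} granted {level.name}, expected READ")
    return findings

def unscoped_users(role):
    """Users who hold the role with no organization selected."""
    return sorted(u for u, held in ASSIGNMENTS.items() if role in held and not held[role])
```

Running the same check after each later change to a duty catches a view-only role that has silently picked up a broader privilege through a shared duty.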
