Purpose
Grant users access that allows only the levels of information required to do their jobs. Prevent access to objects a user does not own or share.
Overview of role-based security
Security roles
All users must be assigned to at least one security role to have access to finance and operations. The security roles that are assigned to a user determine the duties that the user can perform and the parts of the user interface that the user can view.
Duties
Duties correspond to parts of a business process. The administrator assigns duties to security roles. A duty can be assigned to more than one role.
In the security model, duties contain privileges. For example, the Maintain bank transactions duty contains the Generate deposit slips and Cancel payments privileges. Both duties and privileges can be assigned to security roles.
Privileges
In the security model, a privilege specifies the level of access that is required to perform a job, solve a problem, or complete an assignment. Like duties, privileges can be associated directly with roles.
References in privilege
Action menu items +
Access to buttons that directly perform actions. For example:
The “Confirm” button on a purchase order.
See how
Go to the privilege and click on Action menu items +
Find out the confirm purchase order button name in and Unset the permissions:
Result
The user will not be able to confirm the purchase order; the button no longer appears on the user's screen:
Display menu items +
These are the buttons that open another temporary form. For example, I need to grant a user access to click the button below (Settle transactions) on the invoice journal form:
I will find the button access under the name VendOpenTrans.
See how
Go to the invoice journal and click on settle transactions.
On the form, right-click anywhere and click Form information:
Find the menu item name (button):
Find the menu item name in the privilege and grant permissions.
Select the required display menu item (display button) and grant permission:
Result: The user will be able to see and click the menu button on the form, and can do the job by clicking the button.
System walkthrough
Let’s walk through the configuration and settings in D365 for security diagnostics, roles, duties, and privileges. We will also see how to assign a role to a business user.
Custom security role
Out-of-the-box (OOTB) security roles are available in D365. Whenever we work with roles, to be on the safe side, always create a duplicate of the role and give it a name close to the default name. For example, add the legal entity name at the start, such as NSS Purchasing Agent or (NSS) Purchasing agent.
How to find required security role
Let’s see how to identify the role that needs to be assigned to the business user.
For example, we need to create a custom role to access the data management import export home page.
Go to the data management workspace and click on options to identify
In the screenshot above, the role highlighted in yellow is self-explanatory. This is the role that can be assigned to the user.
Find and create duplicate role
Find the role by name in the Security configuration form and duplicate it to create the custom role:
Assign a name and press OK:
Add an appropriate description for the role. We can see the duties available inside the role:
There is also a parent role inside the selected role:
Publish objects
Now the role needs to be published so that the system administrator can assign the new role to the relevant business user:
Assign role
The role has been published, and we can now assign it to the relevant business user.
Navigation: System administration > Users > Users
Find the published role, select it, and press OK:
The role is assigned to the user:
Verify the access from business user
Ask the business user to cross-verify the access provided. For this scenario, I have logged in as the test user in another browser for verification. The test user has access only to the data management workspace:
In the data management form, the created role provides the access below:
Note: This user cannot import data into or export data from D365, because we did not assign any data entity to this user.
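When verifying access, remember that a user can hold several roles: unsetting a menu item in the custom role hides the button only if no other assigned role still grants it. The Python sketch below is an added example, not code from D365 or from this walkthrough; it assumes a simplified model in which each menu item is Unset, Grant or Deny, grants add up across roles, and Deny overrides Grant. Names marked "constructed" and the CONFIRM_PO placeholder are illustrative.

```python
# Simplified model (assumption): per-menu-item Unset/Grant/Deny, additive across roles.
from dataclasses import dataclass, field

UNSET, GRANT, DENY = "Unset", "Grant", "Deny"
CONFIRM_PO = "CONFIRM_PO_MENU_ITEM"  # placeholder: the page does not name this item

@dataclass
class Privilege:
    name: str
    menu_items: dict  # menu item name -> UNSET | GRANT | DENY
@dataclass
class Duty:
    name: str
    privileges: list
@dataclass
class Role:
    name: str
    duties: list = field(default_factory=list)
    privileges: list = field(default_factory=list)  # privileges attached directly
    sub_roles: list = field(default_factory=list)   # roles nested inside this role

def walk(role, seen):
    """Yield (menu item, setting, path) for every privilege reachable from role."""
    if role.name in seen:  # guard against a role nested inside itself
        return
    seen.add(role.name)
    sources = [(role.name, p) for p in role.privileges]
    sources += [(f"{role.name} > {d.name}", p) for d in role.duties for p in d.privileges]
    for prefix, priv in sources:
        for item, setting in priv.menu_items.items():
            yield item, setting, f"{prefix} > {priv.name}"
    for sub in role.sub_roles:
        yield from walk(sub, seen)

def effective_access(roles):
    """Map each usable menu item to the paths that grant it (Deny overrides Grant)."""
    granted, denied = {}, set()
    for role in roles:
        for item, setting, path in walk(role, set()):
            if setting == GRANT:
                granted.setdefault(item, []).append(path)
            elif setting == DENY:
                denied.add(item)
    return {item: paths for item, paths in granted.items() if item not in denied}

# Constructed sample data: a custom role with Confirm unset, and a second role granting it.
priv = Privilege("Custom privilege (constructed)", {"VendOpenTrans": GRANT, CONFIRM_PO: UNSET})
custom = Role("NSS Purchasing agent", duties=[Duty("Custom duty (constructed)", [priv])])
stock = Role("Stock role (constructed)", privileges=[Privilege("PO confirm (constructed)", {CONFIRM_PO: GRANT})])
```

`effective_access([custom])` returns only VendOpenTrans, while `effective_access([custom, stock])` also returns the confirm item together with the role path that grants it, which is the role to review.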