Security within Dynamics 365 for Finance and Operations (D365FO) is complex. Here is an overview of some of the native features and functionality built into the application that can help, and gaps that also exist.
To see a detailed listing of what each role, duty, and privilege has access to within D365FO, navigate to System Administration -> Security Configuration -> select a role/duty/privilege and click on ‘View permissions’:
A detailed access report is generated that shows the entire security hierarchy from Role -> Subrole -> Duty -> Privilege -> Object -> Access -> License.
Gaps
While these detailed reports are great from the role access perspective, there is no reporting of a user’s access type available in D365FO. Once users have multiple roles assigned to them, it is up to the end user to work out the user’s ‘effective access’ by combining the reports for each role.
On most forms within D365FO, if you navigate to Options -> Page Options -> Security Diagnostics you can determine what roles, duties, and privileges have access to that particular form.
When this is clicked, a dialog will appear out of the right side of the screen listing the security layers that have access to the form:
Gaps
This feature does not distinguish the level of access each security layer has: a security layer appears in the list whether it has Read access or Delete access to the form.
By default, this feature is only available to users assigned the SysAdmin role. If you would like other users to be able to utilize this feature please check out this blog post on how to accomplish that: How to Allow Non Admin Users to Access Security Features in D365FO - Alex Meyer (alexdmeyer.com)
In D365FO, there is an option to ‘record’ yourself performing a task or process using the Task Recorder functionality. This is normally used for testing or documentation purposes but can also be used to help set up security.
The output of a task recording is the collection of steps performed by the user. If we take the output and navigate to System Administration -> Security -> Security Diagnostics for Task Recordings and upload the task recording we will see the menu items consumed or utilized during the recording:
In this case, the task recording showed the user navigated to the ‘All Vendors’ form. I can then select any user from the drop-down and see if that user has permissions to perform the task. In this case, the ‘ARNIE’ user does not have permissions to the ‘All Vendors’ form:
Note: To find out more information on how to create a task recording, please visit: Task recorder resources - Finance & Operations | Dynamics 365 | Microsoft Learn
Gaps
This feature only reports on usage of menu item displays; it does not include menu item outputs or menu item actions. It also does not include the access type required for each menu item display. For a full listing of the gaps check out this post: Gaps in the Security Diagnostics for Task Recordings Feature in D365FO - Alex Meyer (alexdmeyer.com)
There are certain activities within any ERP system that one user should not be able to perform alone or without some sort of approval process. For example, the ability to create a vendor combined with the ability to pay vendors. These types of risks are called segregation of duties risks.
D365FO has an entire section under System Administration -> Security -> Segregation of Duties dedicated to preventing and reporting on these risks:
On the Segregation of Duties Rules page you can set up segregation of duty ‘rules’. These rules consist of pairing multiple duties together that should not be assigned to the same user:
On the Segregation of Duties Conflicts form you can then analyze your user access against these rules to see where violations occur:
This allows you to take action on users currently with risks.
For new user role assignments, the segregation of duty check is performed during the role assignment and cannot be completed until the conflicts are addressed:
The biggest gap that exists is that the segregation of duty analysis is done at the Duty level rather than at the level of the privileges and objects the duties actually grant. This can lead to both false positive and false negative reporting of risks. For a full breakdown of the feature and gaps check out this post: Segregation of Duties in D365FO - Alex Meyer (alexdmeyer.com)
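As an added illustration (not D365FO code, and not the author’s), the Python below builds a user’s ‘effective access’ from a constructed Role -> Duty -> Privilege -> Object chain and evaluates one segregation of duties rule the way the native check does, at the duty level, next to an object-level re-check that also catches a second route to the same access. All role, duty, privilege and object names, and the Update-or-higher threshold for ‘write’ access, are assumptions for the example.

```python
# Constructed sample hierarchy (Role -> Duty -> Privilege -> Object -> Access); names are illustrative.
ACCESS_RANK = {"NoAccess": 0, "Read": 1, "Update": 2, "Create": 3, "Correct": 4, "Delete": 5}
PRIVILEGES = {  # privilege -> {securable object: access level}
    "VendTableMaintain": {"VendTable": "Delete"},
    "VendTableView": {"VendTable": "Read"},
    "VendPaymentJournalMaintain": {"LedgerJournalTable": "Delete"},
    "VendOnboardingMaintain": {"VendTable": "Create"},  # a second route to creating vendors
}
DUTIES = {
    "MaintainVendorMaster": ["VendTableMaintain"],
    "InquireVendorMaster": ["VendTableView"],
    "MaintainVendorPayments": ["VendPaymentJournalMaintain"],
    "ProcessVendorOnboarding": ["VendOnboardingMaintain"],
}
ROLES = {
    "AccountsPayableClerk": ["InquireVendorMaster", "MaintainVendorPayments"],
    "VendorMasterAdmin": ["MaintainVendorMaster"],
    "OnboardingSpecialist": ["ProcessVendorOnboarding"],
}
USERS = {  # constructed users, not the ones referenced in the post
    "USER_A": ["AccountsPayableClerk", "VendorMasterAdmin"],     # caught by the duty rule
    "USER_B": ["AccountsPayableClerk", "OnboardingSpecialist"],  # same risk, missed by it
    "USER_C": ["AccountsPayableClerk"],                          # no conflict
}
# One duty-level rule, as it would be entered on the Segregation of Duties Rules page.
SOD_RULES = [("MaintainVendorMaster", "MaintainVendorPayments")]

def effective_duties(user):
    return {duty for role in USERS[user] for duty in ROLES[role]}

def effective_access(user):
    """Merge every privilege the user reaches into object -> highest access level."""
    access = {}
    for duty in effective_duties(user):
        for priv in DUTIES[duty]:
            for obj, level in PRIVILEGES[priv].items():
                if ACCESS_RANK[level] > ACCESS_RANK[access.get(obj, "NoAccess")]:
                    access[obj] = level
    return access

def duty_level_conflicts(user):
    """Duty-level check: a rule fires only when both named duties are assigned."""
    return [rule for rule in SOD_RULES if set(rule) <= effective_duties(user)]

def duty_objects(duty):
    return {obj for priv in DUTIES[duty] for obj in PRIVILEGES[priv]}

def object_level_conflicts(user):
    """Re-check each rule on the objects its duties touch, using effective write access."""
    writes = {obj for obj, lvl in effective_access(user).items()
              if ACCESS_RANK[lvl] >= ACCESS_RANK["Update"]}
    return [(a, b) for a, b in SOD_RULES if duty_objects(a) <= writes and duty_objects(b) <= writes]
```

USER_B reaches vendor creation through a duty the rule never names, so the duty-level check reports nothing while the object-level re-check flags the same vendor-create-and-pay combination.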
Conclusion
Hopefully this helps give an overview of the features and functionality available natively for D365FO security. If you have questions or would like more information on how you can appropriately address some of the gaps listed above, please feel free to reach out.