D365 Finance & Operations and Dynamics AX Forum

Good Morning, looking to see how other customers, partners or ISV's may have addressed this question we have from a customer using our ISV solution

Customer would like to restrict our module access in D365. They would like these 4 different roles:

1.        View Only – Can view all screens our module but no access to modify(Process/Update/Resend) any documents or configurations. 
2.        Support User – Can view all screens and process transactions in all screens(Allowed to reset/process any documents but no access to delete them. Archive is allowed.) but no access to change anything under Cross References tab, Setup Tab or Settings tab.
3.        Support Manager - Can view all screens and process transactions in all screens(including delete) but no access to change anything under Cross References tab, Setup Tab or Settings tab.
4.        SysAdmin – Which will have access to everything including configuration changes.

I have 20 years of GP experience, a little new to D3FO. Based on my past experience with GP - this would be something handled within GP security. Is this something the user and their partner should be able to do within security configuration maybe.


------------------------------
Andrea Smiley
Product Manager
Providence RI
------------------------------

Hi Andrea,

This is definitely something that can be addressed with security privileges. You may need to create custom roles to do this, but you can restrict tables to be read, create, update, delete. This is pretty "in the weeds" of the security setup in D365FO, but definitely possible.
Sys admin by default has access to everything, there might be out of the box roles that will provide something similar to the Support Manager role. What we have done in our system is duplicate the out of the box roles and then modified those and assigned them to users.

Pretty much any screen in D365 will show you what privileges/duties/roles have access to a certain page by clicking on Options > Security Diagnostics. From a privilege you can dig deeper into what tables or entities the privilege provides access to and restrict access by only granting "read" and denying "create", "update", and "delete".

I hope this helps, feel free to reach out if you want more information.

Kerstin

------------------------------
Kerstin Newman
Business Analyst
StarTech.com
London ON
------------------------------

Original Message:
Sent: Aug 14, 2019 10:52 AM
From: Andrea Smiley
Subject: Security Permissions

Good Morning, looking to see how other customers, partners or ISV's may have addressed this question we have from a customer using our ISV solution

Customer would like to restrict our module access in D365. They would like these 4 different roles:

1.        View Only – Can view all screens our module but no access to modify(Process/Update/Resend) any documents or configurations. 
2.        Support User – Can view all screens and process transactions in all screens(Allowed to reset/process any documents but no access to delete them. Archive is allowed.) but no access to change anything under Cross References tab, Setup Tab or Settings tab.
3.        Support Manager - Can view all screens and process transactions in all screens(including delete) but no access to change anything under Cross References tab, Setup Tab or Settings tab.
4.        SysAdmin – Which will have access to everything including configuration changes.

I have 20 years of GP experience, a little new to D3FO. Based on my past experience with GP - this would be something handled within GP security. Is this something the user and their partner should be able to do within security configuration maybe.


------------------------------
Andrea Smiley
Product Manager
Providence RI
------------------------------

Thank you - so this is something their D3FO partner should be able to help them with vs. an ISV.

------------------------------
Andrea Smiley
Product Manager
TrueCommerce
Providence RI
------------------------------

Original Message:
Sent: Aug 14, 2019 03:23 PM
From: Kerstin Newman
Subject: Security Permissions

Hi Andrea,

This is definitely something that can be addressed with security privileges. You may need to create custom roles to do this, but you can restrict tables to be read, create, update, delete. This is pretty "in the weeds" of the security setup in D365FO, but definitely possible.
Sys admin by default has access to everything, there might be out of the box roles that will provide something similar to the Support Manager role. What we have done in our system is duplicate the out of the box roles and then modified those and assigned them to users.

Pretty much any screen in D365 will show you what privileges/duties/roles have access to a certain page by clicking on Options > Security Diagnostics. From a privilege you can dig deeper into what tables or entities the privilege provides access to and restrict access by only granting "read" and denying "create", "update", and "delete".

I hope this helps, feel free to reach out if you want more information.

Kerstin

------------------------------
Kerstin Newman
Business Analyst
StarTech.com
London ON

Original Message:
Sent: Aug 14, 2019 10:52 AM
From: Andrea Smiley
Subject: Security Permissions

Good Morning, looking to see how other customers, partners or ISV's may have addressed this question we have from a customer using our ISV solution

Customer would like to restrict our module access in D365. They would like these 4 different roles:

1.        View Only – Can view all screens our module but no access to modify(Process/Update/Resend) any documents or configurations. 
2.        Support User – Can view all screens and process transactions in all screens(Allowed to reset/process any documents but no access to delete them. Archive is allowed.) but no access to change anything under Cross References tab, Setup Tab or Settings tab.
3.        Support Manager - Can view all screens and process transactions in all screens(including delete) but no access to change anything under Cross References tab, Setup Tab or Settings tab.
4.        SysAdmin – Which will have access to everything including configuration changes.

I have 20 years of GP experience, a little new to D3FO. Based on my past experience with GP - this would be something handled within GP security. Is this something the user and their partner should be able to do within security configuration maybe.


------------------------------
Andrea Smiley
Product Manager
Providence RI
------------------------------

Yes, the partner can definitely help them.

------------------------------
Shirley Adams
Solution Architect
AKA Enterprise Solutions
New York NY
------------------------------

Original Message:
Sent: Aug 14, 2019 04:40 PM
From: Andrea Smiley
Subject: Security Permissions

Thank you - so this is something their D3FO partner should be able to help them with vs. an ISV.

------------------------------
Andrea Smiley
Product Manager
TrueCommerce
Providence RI

Original Message:
Sent: Aug 14, 2019 03:23 PM
From: Kerstin Newman
Subject: Security Permissions

Hi Andrea,

This is definitely something that can be addressed with security privileges. You may need to create custom roles to do this, but you can restrict tables to be read, create, update, delete. This is pretty "in the weeds" of the security setup in D365FO, but definitely possible.
Sys admin by default has access to everything, there might be out of the box roles that will provide something similar to the Support Manager role. What we have done in our system is duplicate the out of the box roles and then modified those and assigned them to users.

Pretty much any screen in D365 will show you what privileges/duties/roles have access to a certain page by clicking on Options > Security Diagnostics. From a privilege you can dig deeper into what tables or entities the privilege provides access to and restrict access by only granting "read" and denying "create", "update", and "delete".

I hope this helps, feel free to reach out if you want more information.

Kerstin

------------------------------
Kerstin Newman
Business Analyst
StarTech.com
London ON

Original Message:
Sent: Aug 14, 2019 10:52 AM
From: Andrea Smiley
Subject: Security Permissions

Good Morning, looking to see how other customers, partners or ISV's may have addressed this question we have from a customer using our ISV solution

Customer would like to restrict our module access in D365. They would like these 4 different roles:

1.        View Only – Can view all screens our module but no access to modify(Process/Update/Resend) any documents or configurations. 
2.        Support User – Can view all screens and process transactions in all screens(Allowed to reset/process any documents but no access to delete them. Archive is allowed.) but no access to change anything under Cross References tab, Setup Tab or Settings tab.
3.        Support Manager - Can view all screens and process transactions in all screens(including delete) but no access to change anything under Cross References tab, Setup Tab or Settings tab.
4.        SysAdmin – Which will have access to everything including configuration changes.

I have 20 years of GP experience, a little new to D3FO. Based on my past experience with GP - this would be something handled within GP security. Is this something the user and their partner should be able to do within security configuration maybe.


------------------------------
Andrea Smiley
Product Manager
Providence RI
------------------------------

Andrea,

As others have mentioned, this can be handled by D365FO security.

If you would like an overview of how D365FO security works and how to utilize it for your use case you can check out my blog specifically around the features and functionality of security within the application: http://d365foblog.com/

Specifically if you are just starting out I would recommend these posts:
https://alexdmeyer.com/2016/11/27/permissions-in-dynamics-ax-vs-dynamics-365-for-operations/
https://alexdmeyer.com/2018/07/09/setting-up-security-in-dynamics-365-for-finance-and-operations-part-i-from-the-user-interface/
https://alexdmeyer.com/2018/07/19/setting-up-security-in-dynamics-365-for-finance-and-operations-part-ii-from-the-aot/

I have also set up the idea of 'least privilege' security for our own ISV solution so if you have any questions about how to go about doing this please feel free to reach out and I would be happy to answer them.

------------------------------
Alex Meyer
Director of Dynamics AX/365 for Finance & Operations Development
Fastpath
Des Moines, IA
------------------------------

Original Message:
Sent: Aug 14, 2019 10:52 AM
From: Andrea Smiley
Subject: Security Permissions

Good Morning, looking to see how other customers, partners or ISV's may have addressed this question we have from a customer using our ISV solution

Customer would like to restrict our module access in D365. They would like these 4 different roles:

1.        View Only – Can view all screens our module but no access to modify(Process/Update/Resend) any documents or configurations. 
2.        Support User – Can view all screens and process transactions in all screens(Allowed to reset/process any documents but no access to delete them. Archive is allowed.) but no access to change anything under Cross References tab, Setup Tab or Settings tab.
3.        Support Manager - Can view all screens and process transactions in all screens(including delete) but no access to change anything under Cross References tab, Setup Tab or Settings tab.
4.        SysAdmin – Which will have access to everything including configuration changes.

I have 20 years of GP experience, a little new to D3FO. Based on my past experience with GP - this would be something handled within GP security. Is this something the user and their partner should be able to do within security configuration maybe.


------------------------------
Andrea Smiley
Product Manager
Providence RI
------------------------------