Hello! We are working on a new D365 F&O Implementation. We are on a 30 year old legacy system and the D365 roles are going to need some configuration. How do I even begin to determine what roles our users can use out of the box and what will need a custom role? What are the best practices? Should I mix and match out of the box and custom? If a person is setup with two roles, can the roles conflict? Do the roles compound like they do in D365 for Sales (CRM/CE) or do they go to the most restrictive?
D365FO comes out of the box with pre-built roles; these roles are built from a functional perspective to allow users to perform certain tasks. But depending on your industry and audit requirements you may want to take a second look at these roles, as they are not Segregation of Duties free and may give your users too much access.
When I talk to clients or give sessions on this topic, I always state that there are really two different approaches: a top down approach and a bottom up approach.
The top down approach would be to take an existing out-of-the-box role, clone it, make any changes you need to it and then assign this to your users. This allows you to keep the out-of-the-box role free from any customizations and allows you to modify what access a user has. But this approach still has the potential that you are assigning too much security to a user.
The bottom up approach (also called a ‘Least Privilege Approach’) would be to build your security so a user has the minimum amount of security necessary for them to perform their day to day operations. There are a number of native tools within D365FO to help with this as well as other solutions. The biggest tool to look at would be the Task Recorder and the Security Diagnostics for Task Recordings. The Task Recorder allows you to record steps a user is performing in the user interface, and the Security Diagnostics for Task Recordings allows you to pull the menu items out of the task recording itself so you can actually see the objects a user would need access to in order to perform that process.
The idea of least privilege security is important for three main reasons:
- Environment Risk – if a user has more access than needed, they may intentionally or inadvertently perform actions that could put your company at risk.
- User Licensing – since licensing is tied to user access, ensuring least privilege access is followed could save your company money on licensing costs.
- Segregation of Duties – following the same idea as environment risk, if a user has more access than needed, they may have unnecessary segregation of duties violations that go unaddressed.
I’ve written about using the Task Recorder to help set up security here: https://alexdmeyer.com/2016/12/12/missing-the-security-development-tool-in-dynamics-365-for-operations/
I’ve also written a free white paper around the idea of setting up and configuring least privilege security: https://www.gofastpath.com/d365-least-privilege
If you have any questions about this process, feel free to reach out.
Hey! The best approach is to create a matrix of the roles that come out of the box, each running alongside a business task (within each stream, e.g. AP = Vendor creation, Raise POs etc.), then add any customisations into the correct streams and map them under the correct roles (whether it’s appended OOTB roles or new ones you have created), then map the organisational roles on top of this. From here you can identify deltas.
It is quite hard to write this down so feel free to reach out and we could have a phone call.
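As an added illustration of the matrix-and-deltas review described in the answer above, and of the least-privilege and Segregation of Duties points from the earlier answer, here is a small Python script that is not part of this thread or of any D365FO tooling. All role names, business tasks, streams, job roles and SoD rules in it are constructed sample data, not real D365FO role definitions, and it assumes (as a modelling choice, not a documented product fact) that a user's effective access is the union of every role assigned to them.

```python
"""Role-to-task matrix review for an ERP security design (constructed example)."""

# --- Constructed sample data; none of this is taken from D365FO ---

# Security roles (out of the box and one cloned custom role) -> business tasks they grant.
ROLES = {
    "Accounts payable clerk": {"vendor_maintain", "invoice_enter"},
    "Accounts payable manager": {"vendor_maintain", "invoice_enter",
                                 "invoice_approve", "payment_run"},
    "Purchasing agent": {"po_create", "po_confirm"},
    "Purchasing manager": {"po_create", "po_confirm", "po_approve"},
    "Custom AP clerk (cloned)": {"invoice_enter"},   # top-down: cloned and trimmed
}

# Business streams -> the tasks that belong to each stream.
STREAMS = {
    "AP": {"vendor_maintain", "invoice_enter", "invoice_approve", "payment_run"},
    "Procurement": {"po_create", "po_confirm", "po_approve"},
}

# Organisational (job) roles -> the tasks the job actually needs day to day.
JOB_NEEDS = {
    "AP clerk": {"invoice_enter"},
    "AP supervisor": {"invoice_approve", "payment_run"},
    "Buyer": {"po_create", "po_confirm"},
}

# Security roles currently assigned to each job role.
ASSIGNMENTS = {
    "AP clerk": ["Accounts payable clerk"],
    "AP supervisor": ["Accounts payable manager"],
    "Buyer": ["Purchasing manager", "Accounts payable clerk"],
}

# Segregation of Duties rules: task pairs one person should not hold together.
SOD_RULES = [
    ("vendor_maintain", "payment_run"),
    ("po_create", "po_approve"),
    ("invoice_enter", "invoice_approve"),
]


def matrix_rows(roles=ROLES, streams=STREAMS):
    """Flatten the matrix: one (stream, task, granting roles) row per task."""
    rows = []
    for stream, tasks in streams.items():
        for task in sorted(tasks):
            granting = sorted(r for r, t in roles.items() if task in t)
            rows.append((stream, task, granting))
    return rows


def effective_tasks(job, assignments=ASSIGNMENTS, roles=ROLES):
    """Assumed additive model: the union of every assigned role's tasks."""
    tasks = set()
    for role in assignments.get(job, []):
        tasks |= roles[role]
    return tasks


def deltas(job, needs=JOB_NEEDS, assignments=ASSIGNMENTS, roles=ROLES):
    """Compare what a job has against what it needs.

    'missing' blocks the user's work; 'excess' is the least-privilege finding.
    """
    has = effective_tasks(job, assignments, roles)
    need = needs[job]
    return {"missing": need - has, "excess": has - need}


def sod_violations(tasks, rules=SOD_RULES):
    """Return every SoD rule whose two tasks are both present in the task set."""
    return [(a, b) for a, b in rules if a in tasks and b in tasks]


def least_privilege_candidates(needed, roles=ROLES):
    """Bottom-up view: roles that grant nothing beyond the needed tasks.

    Returns (candidate role names, whether their union covers every need).
    """
    candidates = sorted(r for r, t in roles.items() if t and t <= needed)
    covered = set().union(*(roles[r] for r in candidates)) if candidates else set()
    return candidates, needed <= covered


def review(jobs=JOB_NEEDS, assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES):
    """One report entry per job role: effective access, deltas, SoD hits, candidates."""
    report = {}
    for job in jobs:
        has = effective_tasks(job, assignments, roles)
        report[job] = {
            "effective": has,
            "deltas": deltas(job, jobs, assignments, roles),
            "violations": sod_violations(has, rules),
            "candidates": least_privilege_candidates(jobs[job], roles),
        }
    return report


if __name__ == "__main__":
    for stream, task, granting in matrix_rows():
        print(f"{stream:12} {task:16} <- {', '.join(granting)}")
    for job, entry in review().items():
        print(f"\n{job}: excess={sorted(entry['deltas']['excess'])} "
              f"missing={sorted(entry['deltas']['missing'])} "
              f"sod={entry['violations']} candidates={entry['candidates']}")
```

Running it prints the matrix row by row and then, per job role, the excess and missing tasks, the SoD pairs the current assignment creates, and which existing roles could satisfy the job without any excess. In the constructed data the Buyer's second role adds AP access the job never needed, and the AP supervisor's single manager role trips two SoD rules on its own; those are exactly the deltas the matrix is meant to surface before roles are assigned.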