Wednesday 20 June 2018

Security Authorization and Access Control in D365

In this blog we will discuss how to authorize users security roles that are assigned to them including process cycles, duties, privileges, and permissions.

Security Roles
All users must be assigned to at least one security role in order to have access to D365. The security roles that are assigned to a user determine the duties that the user can perform and the parts of the user interface that the user can view. Administrators can apply data security policies to limit the data for the access of user roles.

For example a user in a role may have access to data only from a single organization. The administrator can also specify the level of access that the users in a role have to current, past, and future records and also users in a role can be assigned privileges that allow them to view records for all periods, but that allow them to modify records only for the current period.

By managing access through security roles, administrators save time because they do not have to manage access separately for each users. Security roles are defined one time for all organizations. In addition, users can be automatically assigned to roles based on business data.

For example the administrator can set up a rule that associates a Human resources position with a security role. Any time that users are assigned to that position, those users are automatically added to the appropriate security roles. Users can also be automatically added to or removed from roles based on the Active Directory groups that they belong to.

Security roles can be organized into a hierarchy. A role hierarchy enables roles to be defined as combinations of other roles.

For example the sales manager role can be defined as a combination of the manager role and the salesperson role. In the security model of D364, duties and privileges are used to grant access to the program also it can be assigned to maintain revenue policies and review sales orders duties.

By default, sample security roles are provided. All functionality in Microsoft Dynamics 365 for Finance and Operations is associated with at least one of the sample security roles. The administrator can assign users to the sample security roles, modify the sample security roles to fit the needs of the business, or create new security roles. By default, the sample roles are not arranged in a hierarchy.

Process Cycles
A business process is a coordinated set of activities in which one or more participants consume, produce, and use economic resources to achieve organizational goals.
To help the administrator locate the duties that must be assigned to roles, duties are organized by the business processes that they are part of. In the context of the security model, business processes are referred to as process cycles.

For example
in the accounting process cycle, you may find the Maintain ledgers and Maintain bank transactions duties. Process cycles are used for organization only. The process cycles themselves cannot be assigned to roles.

Duties correspond to parts of a business process. The administrator assigns duties to security roles. A duty can be assigned to more than one role. In the security model for Microsoft Dynamics 365 for Finance and Operations, duties contain privileges.

For example the Maintain bank transactions duty contains the Generate deposit slips and Cancel payments privileges. Although both duties and privileges can be assigned to security roles, it is recommended that you use duties to grant access to Microsoft Dynamics 365 for Finance and Operations.

You can assign related duties to separate roles. These duties are said to be segregated. By segregating duties, you can better comply with regulatory requirements, such as those from Sarbanes-Oxley (SOX), International Financial Reporting Standards (IFRS), and the United States Food and Drug Administration (FDA). In addition, segregation of duties helps reduce the risk of fraud, and helps you detect errors or irregularities. Default duties can provide administrator to modify the privileges that are associated with a duty, or create new duties.

In the security model for Microsoft Dynamics 365 for Finance and Operations, a privilege specifies the level of access that is required to perform a job, solve a problem, or complete an assignment. Privileges can be assigned directly to roles. However, for easier maintenance, we recommend that you assign only duties to roles. A privilege contains permissions to individual application objects, such as user interface elements and tables.

For example the Cancel payments privilege contains permissions to the menu items, fields, and tables that are required to cancel payments.

By default, privileges are provided for all features in Microsoft Dynamics 365 for Finance and Operations. The administrator can modify the permissions that are associated with a privilege, or create new privileges.

In the security model for Microsoft Dynamics 365 for Finance and Operations, a permission grants access to logical units of data and functionality, such as tables, fields, forms, and server side methods. Only developers can create or modify permissions. The screen shot on top shows the Security configuration form where system administrators can create and edit roles and view the duties, privileges, and so on that are related.

No comments:

Post a Comment

How to Get Customer Free Text Invoice "Totals" form field value with X++ in D365FO

Customer free text invoices are an essential aspect of financial management in D365FO. In this blog, I have compiled all the code needed to ...