Create Security Roles in AX 7 / Dynamics 365 Finance and Operations

Dynamics 365 continues to use user role based security, similar to that in Dynamics AX 2012, which follows the basis that permissions are not granted to the user, but to the security roles assigned to a given user.

Without a role or roles, a user will not be able to access or use Dynamics 365. Roles are built upon duties and privileges which determine the business process and access level for a given role, respectively.  Below is a diagram of the connection between the different elements to role-based security.

While the functionality remains the same, there are two new features that make the process easier to understand and create the various parts of the security architecture – the security diagnostic and security configuration tools. These tools have been extremely helpful while configuring custom security roles on a recent Dynamics 365 project.

Security Diagnostic Tool

In previous versions of Dynamics AX, a project team would need to install the Security Development Toolset in an environment to more easily determine the roles, duties and privileges needed to complete a given task. Now, in Dynamics 365, users with a security administrator or system administrator role are able to run the Security Diagnostic Tool on any form to find out the roles, duties and privileges necessary to complete a task. Personally, I have used the Security Diagnostic Tool as my starting point for building out custom roles within Dynamics.

To access the Security Diagnostic Tool a user can select Option tab > Page Options > Security Diagnostics on any form and it will run automatically.

 

Once run, the tool will list all the roles, duties and privileges associated with that form. Users are also able to select Object Identifiers to expose the AOT tables/field names associated with the object.

Alternatively, if you would like to run the Security Diagnostic Tool for an end to end process, you can use the Security Diagnostics to Task Recordings Functionality. Users can access this through System Administration > Security > Security diagnostics for task recordings. Once selected, you will be prompted to open the task recording from PC or Lifecycle Services.

Once uploaded, the all menu item access in the task recording will populate. You can then select a user from the User ID dropdown to see whether or not they currently have permissions to access those menu items.

The one downfall of the Security Diagnostic toolset is that you are unable to see which role is associated with the desired duties/privileges. Once I have identified the desired duty/privilege, I will go into the second new toolset, the Security Configuration tool, to find out which roles currently have them.

Security Configuration Tool

In previous versions of Dynamics AX, the Security Development Tool, as well as the Security Roles form, were used to test and explore roles, duties and privileges. These tools have been replaced with a single tool, the Security Configuration tool, which allows users to explore security roles and allows for security roles to be created and modified within the user interface.

This toolset is extremely users friendly and intuitive; however, it must be mentioned that if changes are made within the user interface, they are not done in the AOT. This means that these changes are not permanent and can be removed via the user interface and/or an environment refresh. Instead, changes are saved as a data export file that can be imported and published into the desired environments.

Users are able to click through and get more granular with the different pieces related to a role, duty or privilege. As mentioned in the previous section, I typically use the Security Diagnostic Tool to determine the desired duty. Once I have the duty, I’ll open the Security Configuration Tool, select the Duties tab and paste the duty name into the filter. Users are then able to explore the associated privileges for the duty, and what roles currently have the duty assigned to it.

In addition to exploring out-of-the-box security components, users are able to create custom roles within the user interface. The below section explores the creation of a new role within the Security Configuration Tool.

1. Navigate to System Administration > Security > Security Configuration

2. With the ‘Roles’ tab selected, click ‘Create new’ this will allow you to create a brand new role within Dynamics. Note: users are also able to ‘Duplicate’ existing roles

3. Enter the name of the new role. Note: it is recommended to use a different naming convention with new roles so that they are easily identifiable

4. The role will be created, however, it will have no duties or privileges. To add a duty to the role, ensure the new role is highlighted and select ‘Duties’ in the second column. Note: the ‘We didn’t find anything to show here’ message is acknowledging that there is currently no duties associated with this role
5. Once selected click Add references

6. All the out of the box duties (OOTB) (and custom if created) will be available in the list. Select one or more duty and they will become available on the role, as well as that duties respective privileges

7. Similar to adding references, users can remove references if they are not desired/required. Note: privileges should never be removed from an OOTB duty, as it will be removed from all roles that have that duty. Instead, the duty should be duplicated and added to the role, then the privilege as well as the OOTB duty can be removed from the role

8. As updates are made in the Security Configuration Tool, the number of unpublished objects will grow. Before each change is available it must be published. Once published, the custom security roles can be exported from the current environment and import to any other environment. Once the file is imported the data entities must be published. Below is a screenshot of what the data export file looks like with the custom roles