You might know that security administration is one of my favorite areas in Microsoft Dynamics 365 for Finance and Operations. I love to share the knowledge I gained to help other people and organizations. In this post, I will give a summary of former posts and explain how to set up automatic role assignment with little effort.
Automatic role assignment is one of the features that is forgotten or overlooked during implementations. In many cases, manual assignment is used, where you can make a lot of mistakes. One mistake might be assigning a wrong role, but if you have multiple legal entities in your environment, you might also forget to assign the correct legal entities. All of this can lead to unwanted permissions for users, and maintaining the security role assignment this way is also laborious.
I have talked with larger organizations, having over 2500 legal entities and more than 1500 system users, about how to minimize the effort for the IT department in assigning the correct roles. In various implementations I have used automatic role assignment to reduce the throughput time for setting up a worker with the correct access permissions. With just a user ID or name, you can't achieve this. You need attributes of the worker to know what should be assigned.
In many companies, there is a form which should be completed to request user accounts. An administrator should then create an (Azure) Active Directory account and also assign licenses for e.g. Microsoft Office, Dynamics 365 for Sales, Dynamics 365 for Supply Chain Management. On the form, next to a location, there is usually also a section which tells which roles should be assigned. Now, with the location and roles on the form, you would like to complete the task as quickly as possible. Finding a role is quite easy, but assigning the correct legal entities based on a location is a bit more difficult.
An ideal scenario would be to have groups per location (country, group of companies). For example, you might think of the following:
- Project manager (Belgium)
- Project manager (France)
- Project manager (Netherlands)
- Project manager (Spain)
But also, per country multiple roles, like:
- Accountant (Belgium)
- Accounts payable manager (Belgium)
- Collection agent (Belgium)
- Project manager (Belgium)
(Azure) Active Directory groups
Thinking in groups makes it easy, but how do you implement this idea for assigning permissions to the correct legal entity? (Azure) Active Directory groups are a viable solution. In fact, the idea is my favorite: just create a user, assign a license and a security group in Active Directory. Microsoft Dynamics 365 for Finance and Operations is capable of handling this scenario. However, there are some important drawbacks. How this works and a list of disadvantages can be found in my recent blog: How to use Azure Active directory for managing users and security in Dynamics 365 for Finance and Operations. There is an alternative solution in the security framework provided within Microsoft Dynamics 365 for Finance and Operations.
Automatic role assignment
The automatic role assignment feature is a framework where you can create rules on each security role and assign the correct legal entities using organization assignments. A rule is based on a query which starts from the Users table. You can join other tables and filter ranges in the advanced query dialog. A few use cases are mentioned in two blogs I wrote in the past. At that time, the blogs were written based on AX2012. In concept, there is no change in Dynamics 365; the only changes are in the data model.
Automatic role assignment in AX2012 – Part 1
In the first blog about automatic role assignment, I wrote about how to find the users in the system who are project timesheet users. This was based on the worker setup. Unfortunately, the data model has changed in Dynamics 365 compared to AX2012: the user is now linked to a resource instead of the project setup being directly on the worker. Below, you will find a slide deck of a recent presentation I did at the 365 Saturday in Brussels. One of the slides contains the query from the user to the resource project setup.
Automatic role assignment in AX2012 – Part 2
The second post about automatic role assignment explains how to create a custom query in the application development area, so the same query can be reused, which makes it easier to set up the rules for automatic role assignment. This also solves issues when you can't create all table joins correctly due to missing or multiple table relations between the same tables. This example is about how to find which users are a manager in the HRM position hierarchy.
Neither post covered the option to use groups like those mentioned above. There are two entities where you can map users to a kind of group. The first is the User group concept. Another option is the internal organization Teams. My preference between these two options is Teams, as it has more space for descriptions and team membership is date effective. This is useful, so you can plan for workers leaving the company or replacements during absence.
As you can see, there is a link between a user and a group, much like with Active Directory groups. The difference is that the assignment is done in Microsoft Dynamics. Now, per role, you can create rules to get the users per team. The data model is not that difficult, but to be able to set up the rules more quickly and prevent errors, I created a custom query for this. If you continue reading, you will find links where you can download a free customization which contains the query from user via person to the team assignment.
Once the rules are all setup based on the grouping, the automatic role assignment logic will manage the role assignments and also the restrictions on legal entities.
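To make the rule evaluation concrete, here is an added illustration (not code from this post or its GitHub project) of how rules based on date-effective team membership translate into role assignments with legal entity restrictions, including the revoke of a stale manual grant once a membership has ended. The users, teams and table-like structures are constructed for this example, and the table names in the comments are only a hint at the real data model, not its API.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data, loosely modelled on the tables the post names
# (UserInfo -> DirPersonUser -> OMTeamMembership). Table/field names are
# assumptions for illustration only, not the product's data model or API.
USERS = {"alice": "P-1", "bob": "P-2", "carol": "P-3"}  # user id -> person
TEAM_MEMBERSHIP = [  # (person, team, valid_from, valid_to): date effective
    ("P-1", "Project manager (Belgium)", date(2019, 1, 1), date(2154, 12, 31)),
    ("P-2", "Project manager (Belgium)", date(2019, 1, 1), date(2019, 6, 30)),
    ("P-2", "Accountant (France)", date(2019, 7, 1), date(2154, 12, 31)),
    ("P-3", "Accountant (France)", date(2019, 9, 1), date(2154, 12, 31)),
]

@dataclass(frozen=True)
class Rule:
    """One rule: members of `team` get `role`, restricted to `legal_entities`."""
    role: str
    team: str
    legal_entities: tuple

RULES = [
    Rule("Project manager", "Project manager (Belgium)", ("BEL1", "BEL2")),
    Rule("Accountant", "Accountant (France)", ("FRA1",)),
]

def active_teams(person, as_of):
    """Teams whose membership is valid for `person` on `as_of` (inclusive)."""
    return {team for p, team, start, end in TEAM_MEMBERSHIP
            if p == person and start <= as_of <= end}

def desired_assignments(as_of):
    """Evaluate every rule for every user: {user: {(role, legal_entities)}}."""
    desired = {}
    for user, person in USERS.items():
        teams = active_teams(person, as_of)
        desired[user] = {(r.role, r.legal_entities) for r in RULES if r.team in teams}
    return desired

def sync_plan(current, as_of):
    """Diff current assignments against the rules: what a run on `as_of` grants/revokes."""
    desired = desired_assignments(as_of)
    return {user: {"grant": desired[user] - current.get(user, set()),
                   "revoke": current.get(user, set()) - desired[user]}
            for user in USERS}

if __name__ == "__main__":
    manual = {"bob": {("Project manager", ("BEL1", "BEL2"))}}  # stale manual grant
    print(sync_plan(manual, date(2019, 8, 1)))
```

Running the plan for a later date shows carol's planned replacement membership taking effect without any manual action.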
Easier with enhanced features
To manage user group or team assignments more easily, I think it makes sense to have a view from the point of the user, next to the option to e.g. assign users to teams. When you create a user, you would also like to assign the correct groups or teams directly. For that reason, I have also created two forms as a customization which can be started from the main menu, but also from the User details.
Usually, when you create users in advance, you don’t have to worry about the assignment of the roles itself. It will be done by the batch job for automatic role assignment. There are scenarios where you would like to run the job manually. However, in that case, it is per role. When there is an acute need to create a user, you would probably like to run the role assignment job directly for this user. This option is also part of my example customization.
I have created a GitHub project where you can download the above-mentioned customization including some sample AOT queries to extend the choices when creating new rules. The queries included are:
- Select users which are a manager in the HRM position hierarchy
- Select users per team
- Select users per user group
The GitHub project has two releases. One for Microsoft Dynamics 365 for Finance and Operations and one for Microsoft Dynamics AX 2012 R3. There are some differences between the two versions. Also, it is good to know what level of development was done:
| Topic | Dynamics 365 | Dynamics AX 2012 |
| --- | --- | --- |
| Labels | Label file used | No label file used; hardcoded labels |
| Security | Privileges and duty included | Privileges and duty included |
| Menu | Menu extensions used | System administration menu overlayering |
| Best practices | A few best practices left; needs to be reviewed | Mainly best practices related to label usage |
You may freely download, use and modify the software to your needs. You can read the exact license details on GitHub and when you download a release. The software is shipped as a model file. The software is provided as-is without warranties. When there are improvements, I will release new versions. If you find any bugs or have some additional ideas, I can decide to fix the issues or add features. To install the software, you can read the online documentation on how to import models:
Dynamics 365: Export and import models
AX 2012: Export and import a model
If you are using AX 2012 R3, be aware that the System administration menu is overlayered and you probably have to merge existing customizations. When you have an older version of AX 2012, you can try to extract an XPO from an AX 2012 R3 environment. Or contact me using the comments below or contact form. Then I can provide the XPO file to you.
Twice, I did a presentation related to automatic role assignment. You can find the slides below. The contents might help you to start using it or to improve the security setup in your current or future environments. If you go to SlideShare, you can download a PDF version of these slides, which will probably have a higher resolution.
I do hope you liked this post and that it will add value for you in your daily work as a professional. If you have related questions or feedback, don't hesitate to use the Comment feature below.
That’s all for now. Till next time!
Nice comprehensive post 🙂
Our company generally works with smaller organizations below 100 users and fewer than 10 legal entities. My approach is to use the organizational roles and map them in Excel to one or more roles in D365 FO.
I like your approach a lot, but there is more setup required, where do you see the breakeven in terms of organizational complexity?
Thanks a lot for sharing your insights.
Thanks for your comments. A break-even is hard to tell. You are using another tool to maintain security role assignments. This is probably also already more effective. I do think you can gain already when you have to restrict access to individual legal entities. Probably not always in time, but also more governance that you don’t forget to assign the legal entities.
Hope you are doing well.
As I remember your nice solution from TMF, thank you for the hint on how to do something similar for D365. As I do not have access to a D365 dev envi… (and we are in an early stage of implementation), I am trying to find a way to build the query for Assign Roles based on Teams simply from scratch from the D365 user interface. When I use a simple one (User Info-DirPersonRelationship-OMTeam) it's adding only the team administrator to the select. I need to somehow expand that for team members.
Thank you in advance!
As far as I have noticed, building the query from the user interface is not possible, because you are not able to choose the correct tables. So, the query needs to be created as part of a customization (or from my example).
Thank you for the reply, I will ask for implementing your customization then! I also like the easy access to team assignment.