Security in Dynamics 365 Finance and Operations (F&O) is not easy. When you define custom roles, this also has a licensing impact. Sometimes you expect a particular license for your role, but the application states something different. In this post, I will walk through a scenario where the license expectation is a Team Members SKU, as the intention is to have a read-only role, but the role ends up requiring an Operations license.

License requirement

In the past years, Microsoft made many changes to the licensing in Microsoft Dynamics 365 F&O. Next to a split in license SKUs, one major change is that license requirements are determined at the privilege level: if a privilege is maintained in a list that ships with the application, its base license SKU overrides the license details mentioned on the menu items. This was one way to handle the split of the cloud Dynamics 365 SKUs. Another major change implemented by Microsoft is lowering the license requirements for read-only permissions. Where in the past you would have needed an expensive license SKU for read-only users in a lot of scenarios, it should now always be a Team member license.

Incorrect license assignment

Several people asked me about an incorrect license assignment to roles, and I was able to find the culprit. It is good to share the knowledge, so you will know when and where exactly things can go wrong. In my example, I will take a random privilege which is part of the Accounts receivable manager role. The license requirement for this role is Finance. You can open the form from the screenshot by selecting a role and then clicking the action button View permissions.

The license is determined by all menu items and privileges used in the role. Properties on the menu item determine the license level, together with a list of privileges maintained in one of the DLL resources of the web application. There are differences between the technical and functional names of the license levels. Here is a list of the translations between functional and technical names.

Functional   | Technical  | Comments
Operations   | Enterprise | SKUs: Finance, Supply Chain Management, Commerce, Human Resources, Project Operations
Activity     | Activity   |
Team member  | Universal  |
None         | None       | A user in Dynamics 365 with permissions will always require at minimum a Team member license

A library maintains the names of privileges together with their license SKU. If a privilege is found in that list, the Operations value is replaced with one of the license SKUs. In the above example, the privilege Maintain customer methods of payment requires a Finance license.

In the development environment, each menu item has a property for Maintain user license and one for View user license. If the access granted is higher than view permissions, the Maintain user license property is the one that applies. If you continue reading, this last sentence is the key to the solution for a wrong license assignment. Do I have your attention? Curious? First, I will explain step by step how to reproduce the wrong license assignment.

When you go to the Privileges tab on the Security configuration page, you can also open the View permissions form, focused on all entry points of this privilege. You will notice that the privilege still requires a Finance license. Assume you want to create a copy of this privilege in order to build a read-only privilege. There might already be one available out of the box in this scenario; it is best practice to check existing security objects first to see if they meet the requirement. I will ignore this guideline now just to be able to finish my blog. What I show now is reality, otherwise I wouldn’t have gotten these questions several times.

When you duplicate this privilege using the Security configuration form, you will notice an Operations license level after publishing the object. At this point I haven’t changed the permissions yet. This differs from the standard privilege because the new privilege is not in the list of privileges with an override for the license SKU. Now change the settings for the permissions Update, Create, and Delete to Unset, as shown in the next screenshot. Don’t use the Deny permission unless really intended, as it has priority over granting access: combining security objects or assigning multiple roles will no longer grant access once the Deny permission is used. This option should only be used when you want to enforce segregation of duties or when there is really no other option.

Once you have made the configuration changes, publish the privilege and you will see that it still has the Operations license tagged. If you didn’t pay attention, you might have created many more privileges like this for an intended read-only role.

When I dived into this the first time, I opened the View permissions page for the role and searched for permissions carrying the Operations license. I then found that not only Read permissions were granted, but also an operation named Correct. As mentioned above, if more than Read permissions are granted, the Maintain user license type takes effect. The Correct permission is used for date-effective (valid time state) tables only, for updating records and correcting the valid from and valid to date/time fields. This access level can only be maintained from Visual Studio.

To solve this wrong license, you can either remove the menu items from the privilege and add them again, which will be a tedious job if many security resources have this issue, or take a view privilege, in which the Correct permission is not set, as the base for your custom privilege and then make changes by removing or adding menu items or other permissions.
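To make the rule from the previous sections concrete (Maintain user license applies as soon as anything beyond Read is granted; the privilege-level SKU override only applies to privileges in the shipped list), here is an added example that models the license determination and walks through the duplicate-and-unset scenario. This is my own illustration, not code from the product or from Microsoft; the menu item name, the license properties on it and the single-entry override list are constructed assumptions, and Deny permissions are left out of the model.

```python
from dataclasses import dataclass

# Functional license levels from the table above, ordered lowest to highest.
LICENSE_RANK = {"None": 0, "Team member": 1, "Activity": 2, "Operations": 3}

# Any of these permissions counts as "more than view", so the menu item's
# Maintain user license property becomes the effective one.
MAINTAIN_PERMISSIONS = {"Update", "Create", "Correct", "Delete"}

# Constructed stand-in for the library that maps privilege names to a base
# license SKU; the post names only this one entry, so that is all we model.
SKU_OVERRIDES = {"Maintain customer methods of payment": "Finance"}


@dataclass(frozen=True)
class EntryPoint:
    menu_item: str
    view_user_license: str
    maintain_user_license: str
    permissions: frozenset  # granted permissions, e.g. {"Read", "Correct"}


@dataclass
class Privilege:
    name: str
    entry_points: list


def entry_point_license(ep: EntryPoint) -> str:
    """License one entry point requires under the view/maintain rule."""
    if not ep.permissions:
        return "None"
    if ep.permissions & MAINTAIN_PERMISSIONS:
        return ep.maintain_user_license
    return ep.view_user_license


def privilege_license(priv: Privilege) -> str:
    """Highest license over all entry points, then the SKU override if the
    privilege name is in the shipped list (a copy with a new name is not)."""
    highest = "None"
    for ep in priv.entry_points:
        lic = entry_point_license(ep)
        if LICENSE_RANK[lic] > LICENSE_RANK[highest]:
            highest = lic
    if highest == "Operations":
        return SKU_OVERRIDES.get(priv.name, highest)
    return highest


def non_read_permissions(priv: Privilege) -> dict:
    """Diagnostic used in the post: which entry points still carry
    permissions beyond Read, and which ones."""
    return {
        ep.menu_item: sorted(ep.permissions & MAINTAIN_PERMISSIONS)
        for ep in priv.entry_points
        if ep.permissions & MAINTAIN_PERMISSIONS
    }


def unset(priv: Privilege, perms) -> Privilege:
    """Return a copy of the privilege with the given permissions set to Unset
    on every entry point (what the Security configuration form does)."""
    perms = set(perms)
    return Privilege(priv.name, [
        EntryPoint(ep.menu_item, ep.view_user_license,
                   ep.maintain_user_license, ep.permissions - perms)
        for ep in priv.entry_points
    ])


# Constructed sample: one menu item whose View user license is Team member and
# whose Maintain user license is Operations, with full access including Correct.
STANDARD = Privilege("Maintain customer methods of payment", [
    EntryPoint("SampleMenuItem", "Team member", "Operations",
               frozenset({"Read", "Update", "Create", "Correct", "Delete"})),
])
# Duplicate made in the Security configuration form: same entry points, new name.
COPY = Privilege("Maintain customer methods of payment copy", STANDARD.entry_points)

if __name__ == "__main__":
    print("standard :", privilege_license(STANDARD))            # Finance
    print("copy     :", privilege_license(COPY))                # Operations
    half = unset(COPY, ["Update", "Create", "Delete"])
    print("unset UCD:", privilege_license(half), non_read_permissions(half))
    print("no Correct:", privilege_license(unset(half, ["Correct"])))
```

Running it reproduces the post: the standard privilege resolves to Finance through the override, the duplicate loses the override and shows Operations, unsetting Update, Create and Delete leaves Correct behind so the license stays Operations, and the diagnostic points at the entry point still carrying Correct. Only once Correct is gone does the privilege drop to Team member.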

Duplicating a privilege in Visual Studio and changing the access permissions there does not cause this issue. Likewise, if you configure new privileges from scratch in the application, the Correct option will not be enabled.



I hope you liked this post and that it adds value to your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.


That’s all for now. Till next time!
