What is the purpose of the workflow parameter ‘Require explicitly assigned users’?

,
Explicitly Assigned UsersImage created by AI using Microsoft Designer

Workflow and security do have strong relation in Microsoft Dynamics 365 Finance and Operations. A user not assigned to a workflow task can’t approve a workflow instance. Also, the user should have correct permissions from the security settings as I explained before in another blog. (Workflow security in Dynamics 365 Finance and Operations)

In this blog, I will explain the behavior of a setting available on the Workflow parameters form, called Require explicitly assigned users.

Security role participants

Before talking about the parameter, I will first give a context about a scenario where a user will get assigned to a workflow but will not be able to open the details and perform the approval. The workflow configuration has a setting to get approvers from the Purchasing manager role as shown in the screenshot below.

The next users are added to the Purchasing manager role. Via Organization assignment, my user is restricted to one single legal entity: DEMF. This user does not have system administrator rights.

The other two users do have access to all legal entities. Now a new purchase order is created and submitted to the workflow. When I check my open work items, I do see a pending task for approval. When trying to review or approve the purchase order, an error is raised as I don’t have access to the USMF company.

In this case, the work item is unnecessarily created as my user cannot access to the USMF company, only DEMF. Is it possible to avoid creating this work item? Continue reading for the answer.

Require explicitly assigned users

In the standard application, Microsoft provided a setting where you can indicate if there should be an additional check on the assigned organizations when creating work items in case the assignment type of the workflow is set to security roles. You can find this setting on the Workflow parameters form which you can find in the Organization administration menu. You can get confused as there is another Workflow parameters form in the System administration menu.

The system administration option has installation-wide settings where the form in the Organization administration menu has settings per organization, in this case per legal entity.

Go to Organization administration > Workflow > Workflow parameters. On the page that opens, you will find a setting called Require explicitly assigned users. Enable this setting to have the assigned organizations checked when users will be assigned when they are a member of a security role.

When this setting is enabled and a new purchase order is created, the workflow submission will only select the users valid for the current legal entity.

There is more…

I think this setting should be enabled to prevent incorrect assignments. In addition, if you have a setting where a percentage of approvers is required to have the workflow completed, incorrect assigned users will influence the calculation negatively.

Note that the setting I explained in this post is a setting per legal entity. You would need to enable the parameter per legal entity.

This setting only works with the security role assignment provider of the workflow. Other assignment types and participant providers are not checking the parameter. E.g. if you are using the position hierarchy for finding a manager, then this setting is not evaluated.

In the last screenshot, you can see the RetailServiceAccount user. This is a system-managed user assigned to several standard roles. When using the security roles as a participant provider, you must check if there are such users assigned to the role as they are not excluded with the standard participant provider. As most of the implementations do have their custom roles, you can leave out the system-managed users from your own roles.



I do hope you liked this post and will add value for you in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.


That’s all for now. Till next time!

/2 Comments/by
You might also like
Security configuration repairPlease, Connect me if I’m Wrong!
Event log data requirementsOriginal image by mrtapp1 from PixabayThe F&O Twist on Process Mining – Event log data requirements
Change tile sizesAllow users to select and change tile sizes
Microsoft Edge InsiderTwo new features Chromium based Microsoft Edge and Microsoft Dynamics 365
Security configuration repairTips on AX 2012 Security Development Tool – Part 8
Security configuration repairHow to create a new country for localizing Dynamics 365 for Operations
Security configuration repairHow to enable record templates for non system administrators in AX 2012
Security configuration repairSecurity configuration – What is the ‘Repair’ button?
2 replies
  1. Samit Roy
    Samit Roy says:

    Hi Andre,

    Hope you are well. I noticed something not quite expected with this functionality. Here is a summary:

    We want to use “Require explicitly assigned users” option in the Organisation Adm > Workflow parameters across many of our workflows. Most of our workflows are designed to make use of this parameter to selectively assign workflow items, which meets the underlying security role and legal entities to which the security role applies to. 

    We have noticed the above parameter works for all other workflows in our scope barring the Purchase requisition workflow. In case of Purchase requisition workflow it is assigning the workflow item to all the users assigned to the security role irrespective of specific organisation assignments. I am not sure if this is as per MS design. Purchase requisition workflow is a system wide workflow as compared to other workflows such purchase order or Journal approval workflow which are organisation wide. 

    I am not sure if you have noticed this before. Any ideas will be highly appreciated.

    Regards
    Samit

    Reply
    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Samit,

      Thanks for this great question. It made me realize that I forgot something to mention in this blog. This is probably not intended “by design”, but it is due to the design of the purchase requisitions. Unlike other table series in the application, such as purchase orders, the purchase requisition feature is built upon global tables. They are not company-specific. The same purchase requisition is visible in all legal entities. On the purchase requisition line, there is a field to indicate the buying legal entity. For one purchase requisition, you can have lines referencing distinct legal entities.
      So, as the table does not have the data saved per company (dataareaid), the Require explicitly assigned users is not evaluated for purchase requisitions. Depending on the number of legal entities, you can have conditions in the workflow configuration or develop a custom participant provider that evaluates the buying legal entity per line.

      Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.