Licensing Advent Calendar – Day 13 – Errors in standard security objects
Day 13. Number 13 is associated with bad luck. While reviewing the security roles to check for lower licenses, you might come across standard security elements with an incorrect implementation of permissions, causing a higher license requirement. What are your options here?
Standard security objects
In yesterday’s post, I talked about finding privileges for objects that are not entitled. In the example of the project manager role, I mentioned removing specific duties. Let me show the last screenshot again.

In the custom role, standard duties were used. If you look carefully at the first duty, Inquire into collections status, you will notice that the third and fourth rows grant the Update and Create permissions. Granting any permission beyond Read results in a Write access level. In this example, it is weird to have write access in a duty intended for inquiring into data. By duplicating the security objects, you can make changes, e.g., removing the privileges from the new duty. This brings the maximum access level down to Read, and in this way, you can lower the license.
Another example. This week, an issue was reported in the Engage feedback group for F&O user license reporting, saying that for a specific privilege with only one menu item, there was no license available to use this object. That is an error in the standard application.

Here, the access level is Write instead of Read. The person who found this issue also found that it was an earlier-reported bug and should be fixed in version 10.0.46. The screenshot above is taken from an environment with 10.0.45. When checking the latest release, the issue is indeed solved.

The change is in the privilege where menu item access was changed from full access to read-only.
License calculation versus privilege implementation
As mentioned in an earlier post, the license calculation runs as a microservice outside of the Dynamics 365 F&O environment. The underlying metadata defines which licenses are allowed per securable object and access level. Because the calculation works independently, a given Dynamics 365 version or update can have different settings for the securable elements on the privileges. This can cause differences in the license requirements, as shown above.
I did a check on the view-intended privileges in version 10.0.46. About 70 privileges might have an issue as described above: these should require a Team members license, but they have elements not included in this license SKU. This is a huge improvement compared to a similar check I did months ago.

Note that my method might not be fully correct. Some naming conventions might be showing privileges that are actually intended to have some write access levels. You can perform a similar check by applying the following filters on the top grid.

There might be more privileges with permission issues, e.g., a privilege intended for an Operations – Activity license that is raised to Finance due to write access when it could be read-only. There is no quick trick to find them. If you come across privileges with a full license requirement and wonder whether they can be lowered, you can check which securable elements are not entitled for privileges with a specific license; in a duplicate, you can then reduce access levels or remove some objects. While working on security optimizations at clients this year, I came across several of these privileges and was able to remove some permissions. In particular cases, a menu item with write access might be required for the business process. It was pretty harsh to see some cases where only one non-entitled element caused a higher license. You can then try to create a support ticket, but depending on the intention of the license guide, it will be honored or not.
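The check described above can be scripted once you have the entitlement data in a list. The following is an added example, not code from this blog or from Microsoft: the privilege names, menu item names, entitlement values and the license ordering are all constructed for illustration. For each privilege it reports which elements raise the license above the intended one, and whether reducing the element to Read in a duplicate would be enough or the object would have to be removed.

```python
# License names used on this page, lowest to highest (the ordering is an assumption).
TIERS = ["Team members", "Operations – Activity", "Finance"]
RANK = {name: i for i, name in enumerate(TIERS)}

# Constructed entitlement metadata: lowest license allowed per
# (securable object, access level). Not real F&O data.
ENTITLED = {
    ("MenuItemA", "Read"): TIERS[0], ("MenuItemA", "Write"): TIERS[2],
    ("MenuItemB", "Read"): TIERS[0], ("MenuItemB", "Write"): TIERS[0],
    ("MenuItemC", "Read"): TIERS[1], ("MenuItemC", "Write"): TIERS[2],
}

# Constructed privileges: intended license plus granted (object, access level).
PRIVILEGES = {
    "ExampleInquireView": (TIERS[0], [("MenuItemA", "Write"), ("MenuItemB", "Read")]),
    "ExampleMaintain": (TIERS[2], [("MenuItemA", "Write")]),
    "ExampleActivityView": (TIERS[0], [("MenuItemC", "Read"), ("MenuItemB", "Write")]),
}


def review(privileges, entitled):
    """Return privileges whose required license exceeds the intended one."""
    findings = {}
    for name, (intended, grants) in privileges.items():
        # The required license is the highest one demanded by any granted element.
        required = max((entitled[g] for g in grants), key=RANK.get, default=TIERS[0])
        if RANK[required] <= RANK[intended]:
            continue
        blockers = []
        for obj, level in grants:
            if RANK[entitled[(obj, level)]] <= RANK[intended]:
                continue  # this element already fits the intended license
            # Reducing to Read only helps if Read itself fits the intended license.
            read_fits = RANK[entitled[(obj, "Read")]] <= RANK[intended]
            fix = "reduce to Read" if level != "Read" and read_fits else "remove object"
            blockers.append((obj, level, fix))
        findings[name] = {"required": required, "blockers": blockers}
    return findings


if __name__ == "__main__":
    for priv, info in review(PRIVILEGES, ENTITLED).items():
        print(priv, "->", info["required"], info["blockers"])
```

Whether a suggested reduction is acceptable still depends on the business process, as a menu item with write access might be required.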
There is more…
During the Advent period, each day in December, I will share some thoughts and tips related to the Dynamics 365 user license enforcement. If you have questions about this topic, feel free to contact me via LinkedIn, the comments section below, or the contact form on this blog. I will then either update one of the planned blogs for the coming 24 days or answer questions in a new post.
Dynamics 365 Licensing Enforcement Advent Calendar
I do hope you liked this post and that it will add value for you in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.
That’s all for now. Till next time!






