SECURITY IN D365 F&O (II)
I promised to dive deeper into more complex, key security topics, so here we go! This article is part of a series about security in D365 F&O.
I am an internal controller in an organization, and I need to see the log of users who have logged on to D365 F&O and whether they have access to data that is sensitive for my organization.
User log report
Navigate to System administration > Inquiries > User log
Go to the Role settings tab
For each security role, you can specify whether it gives access to sensitive information.
You just need to tick Access to sensitive data.
For instance, let’s do it for Accountant
Then, assign the Accountant role to your user
Log out and log back in to D365 F&O
Navigate to System administration > Inquiries > User log
Go to the Overview tab
You can see an audit log of users who have logged on to D365 F&O. It helps protect the organisation's data and shows who has access to sensitive data.
In the Roles with access to sensitive data column, I can see [Accountant].
In addition, I need to allow the HR department to see vendors and vendor bank accounts related to employees. However, they won’t be able to see the other vendors or vendor bank accounts.
The Extensible Data Security (XDS) framework is a feature in D365 F&O that enables us to cover that requirement. That’s an extra layer of security to supplement security roles and it allows you to restrict access to tables.
XDS Policy
First we need to identify the constrained and primary tables.
——————————————————————————————————————–
Constrained tables = tables from which data is filtered. In our case, the constrained table is VendBankAccount
Primary tables = used to filter the content of the related constrained table. In our case, the primary table is VendTable
——————————————————————————————————————–
How do we set up the XDS? You can follow these steps:
Open Visual Studio
Create a new query in your VS project
Enter the Name
Click Add
Add the VendTable in the Data Source
Set Dynamic Fields to No
Select VendTable in the Table field (Primary table)
Add the AccountNum field in the Fields tab, so as not to impact performance
In our scenario we are limiting the user to only be able to see vendors and vendor bank accounts that have a vendor group of ‘EMPLOYEE’.
In the Ranges tab, add the VendGroup field and type in the value EMPLOYEE.
Create the Security policy in your VS project
Enter the Name
Click Add
We set the following parameters:
Constrained table = Yes
Context type = RoleName
Primary Table = VendTable
Query = AlEmployeeVendBankAccountQuery
Role Name = AlHcmHumanResourceAssistant
Add a constrained table
We set the following parameters:
Constrained = Yes
Name = VendBankAccount
Table Relation = VendTable
Build your project
If you checked the previous article, I showed you how to test security roles.
Navigate to Dynamics 365 > Addins > View with role set
Select the role associated with the security policy (RoleName parameter)
Click OK
Navigate to Accounts payable > Vendors > All vendors
I can only see vendors assigned to the EMPLOYEE vendor group and vendor bank accounts associated with vendors assigned to the EMPLOYEE vendor group.
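The filtering this policy produces can be modelled outside D365 to check what each role should see. The following is an added example, not code from the original article or from D365 itself: it uses SQLite with constructed sample rows and simplified two-column tables, the VendAccount join column is an assumption about the VendTable relation, and the Accountant role stands in for any user outside the policy's role.

```python
import sqlite3

# Values taken from the security policy configured above.
POLICY_ROLE = "AlHcmHumanResourceAssistant"
# Policy query: primary table VendTable with a range VendGroup = EMPLOYEE.
POLICY_QUERY = "SELECT AccountNum FROM VendTable WHERE VendGroup = 'EMPLOYEE'"
# Table -> (column returned, column matched against VendTable.AccountNum).
# VendAccount as the relation column is an assumption of this sketch.
TABLES = {
    "VendTable": ("AccountNum", "AccountNum"),
    "VendBankAccount": ("AccountID", "VendAccount"),
}

def build_db():
    """Constructed sample rows in simplified two-column tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE VendTable (AccountNum TEXT PRIMARY KEY, VendGroup TEXT);
        CREATE TABLE VendBankAccount (AccountID TEXT, VendAccount TEXT);
        INSERT INTO VendTable VALUES
            ('V-001', 'EMPLOYEE'), ('V-002', 'SUPPLIER'), ('V-003', 'EMPLOYEE');
        INSERT INTO VendBankAccount VALUES
            ('BANK-A', 'V-001'), ('BANK-B', 'V-002'),
            ('BANK-C', 'V-003'), ('BANK-D', 'V-002');
    """)
    return db

def visible(db, table, user_roles):
    """Rows of `table` a user with `user_roles` can read."""
    shown, link = TABLES[table]
    sql = f"SELECT {shown} FROM {table}"
    # Context type RoleName: filter only for members of the policy's role.
    if POLICY_ROLE in user_roles:
        sql += f" WHERE {link} IN ({POLICY_QUERY})"
    return sorted(row[0] for row in db.execute(sql))

def leaked_bank_accounts(db, user_roles):
    """Bank accounts visible to the user that belong to non-EMPLOYEE vendors."""
    allowed = {r[0] for r in db.execute(POLICY_QUERY)}
    owner = dict(db.execute("SELECT AccountID, VendAccount FROM VendBankAccount"))
    return [a for a in visible(db, "VendBankAccount", user_roles)
            if owner[a] not in allowed]

if __name__ == "__main__":
    db = build_db()
    for roles in ([POLICY_ROLE], ["Accountant"]):
        print(roles, visible(db, "VendTable", roles),
              visible(db, "VendBankAccount", roles),
              leaked_bank_accounts(db, roles))
```

An empty result from leaked_bank_accounts for the HR role is the outcome to expect when testing the real policy with View with role set; the non-empty result for the other role shows that the policy only restricts members of the role it names.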
💬 You can also apply the XDS to a group of security roles.
In the properties of the security policy, update the Context type to RoleProperty and type in the Context string
Finally, go to the security roles, and open the properties.
Type in the context string
Please contact Dynagile Consulting if you need additional information, or stay tuned for the next article!
I am preparing an article about field-level security.