By default, in Dynamics AX/365FO when assigning a user to a role, this access is granted across all companies/legal entities. What options do you have to restrict this?
Assign Organizations
Under System Administration -> Users you are able to see the roles assigned to a user. When you select a particular role you can then select Assign Organizations to restrict which companies/legal entities the user has this role’s access in.
The first time you visit this page, the ‘Grant access to all organizations’ option will be selected.
If you select ‘Grant access to specific organizations’ you can then select a company/legal entity and then scroll to the bottom of the page and select Grant.
This user now only has this role access in the company/legal entity selected. So in the example above, the Alicia user only has the Accounting Manager role in the Contoso Consulting company.
So what does this look like from a technical perspective?
User to role associations are stored in the SecurityUserRole SQL table. Company/legal entity restrictions to user role associations are stored in the SecurityUserRoleCondition table. If there is no entry in the SecurityUserRoleCondition table for a specific SecurityUserRole entry that means the user has that role access across all companies/legal entities.
In the SQL example above, you can see the Alicia user is assigned a number of different roles. The roles with a value of NULL in the DataArea column mean that there was no entry in the SecurityUserRoleCondition table and therefore the user has that access across all legal entities. The entry for the Accounting Manager role has a value in the DataArea column which means that role is being restricted to that specific legal entity.
The above process is the normal way to restrict user role access to specific companies/legal entities.
Using Organizational Hierarchies to Help With Company Restrictions
If you have a large number of legal entities to restrict a user to you may be asking if there is an easier way to assign these company/legal entity restrictions instead of granting one at a time? The answer is to use organization hierarchies.
In Organization Administration -> Organizations -> Organization Hierarchy Purposes there are a number of our of box hierarchy purposes, one of which is titled Security. This is the ‘organization hierarchy purpose’ that allows us to help with user role company restrictions.
Once created, you will be taken to the hierarchy designer. This is where you can actually set up a hierarchy of companies/legal entities. In the example below, I have the Contoso Consulting legal entity as the parent to Contoso Consulting France, United States, and Great Britain legal entities.
Now if we go back to the user role company restrictions, in the ‘Select Organization Hierarchy’ drop down you can now see the organizational hierarchies with a purpose of security (in our example the organizational hierarchy FPSecurity).
In the ‘Available Organization Nodes’ area, we can see the hierarchy of the legal entities. You still have the ability to select an individual company/legal entity and grant the access, but now you also have the ability to ‘Grant with Children’ which means that the currently selected level and all of child levels will be granted in the company restriction area.
From a technical perspective, the organizational hierarchy information is stored across the OmUserRoleOrganization, OmInternalOrganization, and OmHierarchyRelationship tables.
In the example above, I granted selected the Contoso Consulting legal entity and selected Grant with Children. In the database, we can see in the for the Accounting Manager role there is an entry in the SecurityUserRoleCondition table for each legal entity in our hierarchy. So instead of having to grant each legal entity separately, we can just grant the singular organization hierarchy which will then grant all child legal entities as well.
Thanks Alex. I recall having discussed this topic with you previously, and was encouraged to see it documented here. Appreciated greatly.
Very interested in this topic, thanks for posting this.
In Segregation of duties can I restrict role each legal entity wise..
Suresh,
Roles cannot be restricted by legal entity, they are system wide. However you can apply a legal entity restriction to a user role assignment. So when you first assign a role to a user that user gets that access across all legal entities. You then have the ability to apply a legal entity (or organization hierarchy) restriction which would only allow users to be assigned that roles access to that legal entity (or set of legal entities in the organization hierarchy case).
Thanks for your reply, Alex.. but example will tell one scenario, Account Role will perform 2 duties like 1st duty maintain vendor vendor invoices, 2nd duty maintain vendor payments, in this case in one legal entity both duties required, another legal entity only one duty required, any option is there like restriction of duties each legal entity wise…
Suresh,
You would have to have two different roles:
– Role 1 would have duties 1 & 2
– Role 2 would have duty 1
You can then assign these role to a user and restrict which legal entities that the users have access to
Quick Question. Some of our users with a customized role are not able to see “pending invoice assigned to me” in AP although they have the right to see their pending invoices.
FYI the customized role is LE restricted. any guess what the issue here.
Bruk,
Can the users not see the ‘Pending Invoice Assigned to Me’ form or can they not see the invoices in the grid on the form?
The form itself is controlled by the VendInvoiceAssignedtoMeListPage menu item display so the user would need access to that for the option to show up.
If the user is not seeing vendor invoices, this form calls the VendInvoiceInfoListPageAssignedToMe query to populate the grid on for the VendInvoiceInfoListPage form.
So the user would need access to these datasources as well as to actually have invoices assigned to them with a Status of ‘Pending’ in the WorkflowWorkItemTable and a status of ‘Not Executed’ in the VendInvoiceInfoTable.
Alex,
Thanks for replying, the user has the following custom role with these duties.
Approve purchase requisitions
Approve vendor invoices as employee
Maintain purchase requisitions
Inside the Approve vendor invoices as employee duty the View pending vendor invoices assigned to me list page privilege the MID VendInvoiceAssignedToMeListPage is READ Grant.
Yet the user’s dashboard has work items assigned to me listed but when the user clicks on the invoice it doesn’t take them anywhere but a blank. The custom role is LE-restricted and users have the appropriate company assigned. but the minute
the LE restriction is lifted users can see their pending invoices on their dashboard or emails and can access them. Is this a Microsoft bug?
Bruk,
Because this works when no LE restrictions, this sounds like something not set up correctly as far as the LE’s assigned to the user role.
Just to confirm, can the users see their invoices with the LE restricted role or not? Your post seems to indicate both scenarios.
If they can see them what exactly happens when they click on them? You mention it takes them to a blank something but doesn’t look like it was a finished sentence.
If they can’t see them, that would indicate to me that the assigned legal entities are not correct to see the invoice (or an underlying piece of data the invoice is tied to).
Is the company filter being used on the page?
Alex,
just to clarify, the LE assigned to the users and the pending invoices under those LEs are appropriate and correct. but still, the users are not able to see their pending invoices when they click on the specific pending invoice via “work assigned to me” on their dashboard or via a link they receive from the D365 notification email. The users are able to see their pending invoices when the LE restriction is lifted from the custom role.
Hi Alex,
Great Inputs. This will really help us in demonstrating the customer requirements. The customer business demands restricting the users Entity-wise, and the same users requires access to one more entity and may perform one or more roles.
Also, can you please thru some light on the benefits and disadvantage of creating a greater number of Legal entities, also the environment will have more integrations and what will be implication when we move on periodically with the version upgrade of D365F0.
SP,
The number of legal entities you have should really be driven by a business case not just based on security setup. If entities within your organization require that their financial transactions or business processes be kept separate from one another that would be a cause for creating additional legal entities. If you just want to restrict access within a legal entity then you can use things like the normal role/duty/privilege security hierarchy as well as XDS to help restrict it further. Obviously the larger number of legal entities you have the more complex your environment will be but you can use things like organization hierarchies to help reduce the complexity.
Hi Alex, great posts on security, can this approach be used to restrict a role further to specific operating units such as departments within a legal entity, using a hierarchy
Nigel,
To achieve this, you would have to use the Extensible Data Security framework (https://alexdmeyer.com/2019/02/20/extensible-data-security-xds-framework-in-d365fo/), I actually have a blog post about a very similar example to what you are looking for here: https://alexdmeyer.com/2022/10/03/how-to-approach-advanced-xds-scenarios-in-d365fo/
Hi,
The ‘Grant access to specific organizations’ seems to work fine, however on HR level, this setting is not bulletproof as I’ve experienced myself.
For a client that can only have access to personnel data within D365 FO, I have selected this option.
However apparently the user still has the possibility to unselect the view option ‘Restrict to current legal entity’ on Employee level within the personnel management module.
Which means this user an still access all personnel data of employees across all legal entities within this D365…
So while the ‘Grant access to specific organizations’ is a good option, it’s not in all cases sufficient. Some extra work within security is needed where a specific setting within the user role is disabled. (which that is, I’m still searching)
Arne,
If you restrict the role granting access to the personnel data to only specific legal entities it will restrict what data the user can see because it sounds like whatever role is granting that access is currently not being restricted. Looking at the form which I believe you are referring to, the security here is controlled by the HcmWorkerListPage_Employees which uses the DirPartyTable as the data source.
Also keep in mind that an employee/worker record is separate from the user record that is controlled by security.
Is there no way to bulk remove from the hierarchy???
Christopher,
I’m not sure what question you are asking, can you clarify what you are trying to do?
Hi Alex
It is possible to restrict the role granting access by Legal entity to Admin Users?
I was trying but I can´t find the way to do that.
If users have standar roles, it is possible, but if users have System administrator Role, I can´t restrict the access to users to any legal entity
I need to restrict access to a new legal entity while the legal entity is being configured. Only consultants should have access to the new Legal entity.
The SysAdmin role cannot be restricted in any way – if you are assigned this role you get full access to all objects across all legal entities.
If you need to restrict this type of access to a particular legal entity you will need to create a custom role with elevated permissions and assign this with the legal entity restriction.
Thank you Alex.
I will try your suggestion.
Thanks for an informative post