I recently ran into an interesting issue with OData that I wanted to share. Within our Fastpath product suite we have a tool called Identity Manager that helps with the compliant provisioning, modification, and termination of user and user role assignments. Our clients use this module to help ensure that users are assigned the correct access at the correct time while also keeping SOD compliance. To perform the assignment and revoking of roles we have been using the SecurityUserRole and SecurityUserRoleOrganization data entities within D365FO, these entities use the OData protocol to allow for CRUD operations on D365FO data.

So for example granting of a role would look something like this (in C#):

And revoking of a role would look something like this:

Both of these are fairly straightforward and work in every case… except when trying to revoke the SysAdmin role from a user. When this is requested, the OData request succeeds with a 200 response but the role is not removed and there is no indication on the request that it did not perform the operation. I can find no documentation on this but my assumption is that there is some validation going on within D365FO to stop this process as a protection to end users who could potentially inadvertently remove all SysAdmins which would leave their environment in a precarious state.

Available Solutions

There are really two options I can see going forward:

  • Instead of trying to remove the role update the AssignmentStatus of the user role assignment from ‘Enabled’ to ‘Disabled’
    • The downside here would be that you would have to have special logic when interacting with the SysAdmin role, which I try to avoid
  • Create a custom service operation endpoint to handle this scenario
    • This is the option I ended up using as it allows for the most flexibility

Conclusion

I’m hoping this helps document this OData edge case and shows possible solutions to this issue.