One security issue I’ve seen in D365FO, especially from those that have updated from AX 2012, is the idea that company/legal entity restrictions only need to be applied to the System User role and no other roles assigned to a user. What is the rationale behind this? What issues arise if this is done? And what can be done to address this?
Why Apply Company Restrictions to Only the System User Role?
The System User controls access to the Default Dashboard menu item which is used as a landing page when a user is logging in. The thought is that if you restrict the companies a user can get to when logging in you can restrict what companies a user has access to in the system itself. For example if I log into D365FO and try to navigate to a company I don’t have access in I would see an error message like the one below:
Why is This a Bigger Issue in D365FO?
Unfortunately the above idea is flawed in many aspects. The biggest being that just because a user cannot switch companies on the Default Dashboard form does not mean that the user cannot switch companies on another form where the user isn’t restricted to particular companies.
To show this in action, I took a test user and restricted their access on the System User role to just the GLSI, GLRT, GLCO legal entities.
I also assigned this user the Accounts Payable Clerk role with no company restrictions.
I then logged in as this user and navigated to the VendTableListPage form and then simply switched companies from the company drop down. You can also notice that the company ID is listed in the URL, a user could just as easily change this route to a different Company ID and be presented with the same page.
The reason you are able to do this is because the company drop down in D365FO is set by looking to see all legal entities a user has access to. On the left is when I restrict all roles assigned the to the user and on the right is when I restrict the System User role but leave other roles assigned to the user with no company restrictions.
What Can Be Done to Address These Issues?
The best option in this case is to always apply all company restrictions to all roles assigned to a user. Unfortunately, the method for assigning company restrictions that is native within AX/D365FO is not very user friendly to perform this task, especially if you have a large number of company restrictions to apply. You do have the option of using Organizational Hierarchies to help and there are also 3rd party tools like Fastpath Identity Manager would be useful as you can easily ‘roll down’ company restrictions to all roles assigned to a user.