In the past, I have talked about that there are two separate licensing mechanisms in D365FO: entry point and privilege based. I have recently found that there is a third… the Dynamics 365 Licensing Guide itself.
Dynamics 365 Licensing Guide
This is an almost 60 page document that Microsoft releases on a semi-regular basis and gives the overview of how to license Dynamics 365, the most current release is April 2021. One of the interesting parts of this document is that Microsoft lists certain out-of-the-box roles and their required license types. When I was comparing these required licenses to our licensing reports in Fastpath I found that most roles matched up in that the licensing guide matched the entry point/privilege based licensing methodology we have discussed in the past. But some roles were not matching up, the licensing guide was saying that they required a different licensing level than what is required from an entry point/privilege level. Here are the roles I found to be mismatched:
In some cases the license requirements were higher and some were lower, so what is going on? After doing some digging, I found that the roles listed in the licensing guide have been designated by Microsoft as requiring these licenses and overriding the normal entry point and privilege based licensing. This means that if a user is assigned one of these out of the box roles their required license will be whatever the licensing guide has documented.
What Impact Does This Have on Custom Security?
So what happens if you need to make a change to these roles and make a clone of the out of the box roles? Since the ‘licensing override’ is done on the role’s AOT name, once it is cloned the licensing requirements fall back to the normal entry point and privilege based licensing as before.
So if a user is assigned the Chief Financial Officer role they will be required to have an Activity license, but if you make a clone of that role and assign it to a user they will require some sort of base license (either Finance, SCM , Retail, or ProjectOperations).
The same can happen in reverse as well, where if you have a role like Vendor Admin (External) which requires an SCM license based on the licensing guide, if you clone it and assign it to a user it will only require a Team Member license.
*** Note: I am in no way condoning modifying your security in this way to circumvent Microsoft licensing. It is merely here for demonstration purposes. ***
What About Users With Multiple Roles?
Remember that licensing is additive, just because a user is assigned one of the above roles does not mean that they couldn’t also be assigned other roles that will require additional licensing.
What Does the User License Estimator Report Show?
So I set up the Chief Financial Office scenario I described above, I cloned the role and assigned the base role and the cloned role to different users respectively:
I then went and ran the User License Estimator Report in a 10.0.17 environment. In this case, it doesn’t appear that the license estimator is showing this logic correctly as it is showing both users as requiring some sort of base license. I would have expected the TIM user to not show up on this report, I’m hoping future releases of this report will correctly show this.
User Licensing Visio Diagram
This change also means I have to update my licensing Visio diagram I created: