A comment on one of my blog posts pointed out that Microsoft had updated the functionality that helps create a read-only role from the D365FO user interface, so I wanted to show how much easier this process is now.
In my previous post, I showed how you had to manually manipulate an XML file and use regular-expression find/replace to produce the security file to be imported. This is no longer required, as Microsoft has added a ‘select all’ option within the security dialog.
To utilize this option:

1) Go to System Administration -> Security Configuration
2) Go to Privileges and create a new privilege
3) Click on Display Menu Items, then click on ‘Add References’
4) In the dialog that pops up, click on the check mark in the menu bar next to ‘Name’ (this selects all options in the dialog)
5) At the bottom of the dialog, select which permission you would like to apply across all selected items (in our case we would select the Grant option on Read)
6) Click OK
Once we publish this privilege, we can validate that the process was successful by selecting the privilege we just created and clicking on ‘View Permissions’.
While the process I wrote about in my initial post is still valid, I think we can all agree the process above is much easier.
Just a thought – would it be worth adding Action Menu Items as well with the same Grant Read permissions? Most of the forms have buttons that are also controlled through Action Menu Items.
Ananda,
The problem with adding menu item actions to a ‘read only role’ is that menu item actions are either something you have access to or not. Granting Read access to the object is the same as granting Delete access, and some menu item actions allow you to perform transactions within the system (posting journals, printing checks, etc).
The argument could be made to add menu item outputs to this role as these are just reports generated by the system. But in most cases, users looking for this type of role just want read access to all forms in the system, which correspond to menu item displays.
So helpful. Thank you.
I noticed at the top left, that the License is Operations. I was expecting a Team Member license for a read-only privilege. Thank you
Yuri,
Some menu items have an Operations level license requirement as the ViewUserLicense parameter, which forces this ‘read only’ role to require an Operations level license. As the values for the ViewUserLicense/MaintainUserLicense values are set by Microsoft there is no way to avoid this except to exclude those menu items from the role.
After these privileges have been granted and published, can you remove certain privileges to further restrict what can be viewed?
Thor,
Absolutely, this process just shows the potential for creating a ‘view only’ role, if there are modules or areas of D365FO that you do not want a user to have access to you can assign the menu items and then remove the ones that should not be assigned.
Thanks for the feedback. I have just created a custom “view only role” with access to only specific functionality and tested it. It works very well and saved me a lot of time.
This was extremely helpful
Hi Alex,
Thanks for this post, exactly what we are after!
Have you been able to identify the menu items to remove from the privilege to drop the license back to a team member license?
Thanks
Lauren
Lauren,
Here is a list of menu items that have above a ‘Team Members’ license at a View level: https://fastpath-my.sharepoint.com/:x:/g/personal/meyer_gofastpath_com/EdKsy5LyAedFm-B-2OcOjGMBRBKEn5LEUQ5zE7iZ075vKw?e=VDc2Gz
This is so helpful! Thank you for sharing this! Now I get to work on creating read-only access specific to roles versus the whole application. I thought that giving inquire/view duties would do that but it seems prior to my arrival that someone has added privileges to these duties that provide update/delete access in some cases. I am very grateful that the read only to everything is done though.
Question: to ensure that this only provides read access, should I change the permissions for Update, Create, and Delete to Deny? I’m trying to ensure users truly only have ‘Read-only’ access.
Tracey,
I can understand the idea of wanting to do this, but there are objects a user will need access to at above a ‘Read’ level to operate within D365FO. If you look at the ‘System User’ role, for example, you can see there are quite a few entries which grant access at above a Read level, but these are mostly to ‘system’ objects which would not have an impact on any organizational data.
My best piece of advice would be to follow the steps within the blog post to create a ‘Read Only’ role and then be sure to only assign this role plus the ‘System User’ role to a user. In that way you can be assured that the user will only have ‘Read Only’ access.
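As an added example (not code from the post, from Microsoft, or from any commenter), here is a script that takes an exported privilege and reports anything beyond Read, the same check you would do by eye under ‘View Permissions’ and the concern raised in the question above. The XML element names and the sample file are constructed assumptions about the shape of a D365FO privilege export; adapt them to your own exported file.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a D365FO AxSecurityPrivilege metadata export;
# element names are an assumption, adjust them to your own exported file.
SAMPLE_PRIVILEGE_XML = """<?xml version="1.0" encoding="utf-8"?>
<AxSecurityPrivilege>
  <Name>ReadOnlyAllDisplayMenuItems</Name>
  <EntryPoints>
    <AxSecurityEntryPointReference>
      <Grant><Read>Allow</Read></Grant>
      <ObjectName>CustTable</ObjectName>
      <ObjectType>MenuItemDisplay</ObjectType>
    </AxSecurityEntryPointReference>
    <AxSecurityEntryPointReference>
      <Grant><Read>Allow</Read><Update>Allow</Update><Delete>Allow</Delete></Grant>
      <ObjectName>LedgerJournalTable</ObjectName>
      <ObjectType>MenuItemDisplay</ObjectType>
    </AxSecurityEntryPointReference>
    <AxSecurityEntryPointReference>
      <Grant><Read>Allow</Read></Grant>
      <ObjectName>LedgerJournalPost</ObjectName>
      <ObjectType>MenuItemAction</ObjectType>
    </AxSecurityEntryPointReference>
  </EntryPoints>
</AxSecurityPrivilege>
"""

# Permissions that exceed plain Read on a display menu item.
ABOVE_READ = ("Update", "Create", "Delete", "Correct", "Invoke")

def audit_privilege(xml_text):
    """Return (privilege name, findings): entry points granting more than Read,
    plus any action menu item, which is all-or-nothing once granted."""
    root = ET.fromstring(xml_text)
    findings = []
    for ep in root.iter("AxSecurityEntryPointReference"):
        name = ep.findtext("ObjectName")
        obj_type = ep.findtext("ObjectType")
        grant = ep.find("Grant")
        # Collect every permission above Read that is explicitly allowed.
        elevated = [p for p in ABOVE_READ
                    if grant is not None and grant.findtext(p, "").strip() == "Allow"]
        if obj_type == "MenuItemAction":
            findings.append({"object": name, "type": obj_type,
                             "reason": "action menu item (all-or-nothing)"})
        elif elevated:
            findings.append({"object": name, "type": obj_type,
                             "reason": "grants " + ", ".join(elevated)})
    return root.findtext("Name"), findings
```

Run it over each privilege in the role before publishing; an empty findings list means every entry point is a display menu item granted at Read only.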
This helped me as well, thanks for sharing.
I have a question: after creating this in TEST, how can we move it to Prod? Or do we need to create it there again?
Syed,
This blog post may help: https://alexdmeyer.com/2020/03/10/best-practice-for-moving-d365fo-security-between-environments/
Hi Alex,
When I try to add all display menu items by selecting them all, I get an error ‘it appears you lost network connectivity’. Adding a few does work.
Do you have any advice for this issue?
Sander,
It sounds like either your network or the environment you are performing this on is not fast enough to finish adding all of the menu items to the role before the session times out. In this case, you may unfortunately have to add the menu items in batches.
Hello!
Can someone explain what the columns “Correct” & “Invoke” on the View Permissions page are?
George,
The ‘Invoke’ permission is used for Service Operation endpoints: if a user has ‘Invoke’ access then they have access to call the endpoint, otherwise they will not.
The ‘Correct’ permission is a holdover from AX 2012; it was used to update data within state tables (https://learn.microsoft.com/en-us/dynamicsax-2012/developer/security-privilege-properties#entry-point-properties).
Hi Alex,
Do you have any tips on how to “split” the read-only role per app, i.e. Finance, SCM and Project?
Thanks,
Martin
Martin,
Are you looking to split it by license type? That will be difficult to do, as the licenses you are referring to (Finance, SCM, and Project) are determined at the privilege level, not the securable object level (https://alexdmeyer.com/2021/01/25/current-state-of-d365fo-user-licensing/).
As another approach, I am helping lead a project to create ‘template roles’ that would allow you to assign view/maintain access by D365FO module: https://appsource.microsoft.com/en-us/marketplace/consulting-services/roberthalf_protiviti.d365forfinanceandsupplychainsecurityroletemplates
Feel free to reach out if you would like more information on this.