I had a comment on one of my blog posts that Microsoft had updated the functionality that helps create a read only role from the D365FO user interface, so I wanted to show how much easier it is to perform this process now.
In my previous post, I showed how you had to manually manipulate an XML file and use regular expression find/replace to produce the desired security file to be imported. This is no longer required, as Microsoft has included an option to ‘select all’ objects within a security dialog.
To utilize this option:
1) Go to System Administration -> Security Configuration
2) Go to privileges and create a new privilege
3) Click on Display Menu Items then click on ‘Add References’
4) In the dialog that pops up, click on the check mark in the menu bar next to ‘Name’ (this selects all options in the dialog)
5) In the bottom of the dialog, select which permission you would like to apply across all selected items (in our case we would select the Grant option on Read)
6) Click OK
Once we publish this privilege, we can validate that the process was successful by selecting the privilege we just created and clicking on ‘View Permissions’.
While the process I wrote about in my initial post is still valid, I think we can all agree the process above is much easier.
Just a thought – will it be worth adding Action Menu Items as well with the same Grant Read permissions? Most of the Forms have buttons that are also controlled through Action Menu items.
Ananda,
The problem with adding menu item actions to a ‘read only role’ is that with menu item actions you either have access to the item or you do not. Granting Read access to the object is the same as granting Delete access, and some menu item actions allow you to perform transactions within the system (posting journals, printing checks, etc).
The argument could be made to add menu item outputs to this role as these are just reports generated by the system. But in most cases users looking for this type of role just want read access to all forms in the system, which correspond to menu item displays.
So helpful. Thank you.
I noticed at the top left, that the License is Operations. I was expecting a Team Member license for a read-only privilege. Thank you
Yuri,
Some menu items have an Operations level license requirement as the ViewUserLicense parameter, which forces this ‘read only’ role to require an Operations level license. As the ViewUserLicense/MaintainUserLicense values are set by Microsoft, there is no way to avoid this except to exclude those menu items from the role.
After these privileges have been granted and published, can you remove certain privileges to further restrict what can be viewed?
Thor,
Absolutely, this process just shows the potential for creating a ‘view only’ role. If there are modules or areas of D365FO that you do not want a user to have access to, you can assign the menu items and then remove the ones that should not be assigned.
Thanks for the feedback. I have just created a custom “view only role” with access to only specific functionality and tested it. It works very well and saved me a lot of time.
This was extremely helpful