A reader commented on one of my blog posts that Microsoft had updated the functionality for creating a read-only role from the D365FO user interface, so I wanted to show how much easier the process is now.
In my previous post, I showed how you had to manually edit an XML file and use regular-expression find/replace to produce the security file to be imported. This is no longer required, as Microsoft has added a ‘select all’ option to the security dialog.
To utilize this option:
1) Go to System Administration -> Security Configuration
2) Go to privileges and create a new privilege
3) Click on Display Menu Items then click on ‘Add References’
4) In the dialog that pops up, click on the check mark in the menu bar next to ‘Name’ (this selects all options in the dialog)
5) At the bottom of the dialog, select which permission you would like to apply across all selected items (in our case, the Grant option on Read)
6) Click OK
Once we publish this privilege, we can validate that the process was successful by selecting the privilege we just created and clicking on ‘View Permissions’.
While the process I wrote about in my initial post is still valid, I think we can all agree the process above is much easier.
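As an added example (not code from the original post), here is a small Python check that audits an exported privilege for anything beyond plain Read access, complementing the ‘View Permissions’ check above. It assumes the AOT-style privilege XML layout (AxSecurityPrivilege/EntryPoints/AxSecurityEntryPointReference with ObjectType and Grant children); adjust the tag names if your export differs. The sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Grant elements that mean more than read access on an entry point.
WRITE_GRANTS = ("Update", "Create", "Delete", "Correct", "Invoke")
# Constructed sample in the assumed AOT-style layout; SamplePostJournal is made up.
SAMPLE_PRIVILEGE = """<AxSecurityPrivilege>
  <EntryPoints>
    <AxSecurityEntryPointReference>
      <Name>CustTable</Name><ObjectName>CustTable</ObjectName>
      <ObjectType>MenuItemDisplay</ObjectType><Grant><Read>Allow</Read></Grant>
    </AxSecurityEntryPointReference>
    <AxSecurityEntryPointReference>
      <Name>CustTableEdit</Name><ObjectName>CustTable</ObjectName>
      <ObjectType>MenuItemDisplay</ObjectType>
      <Grant><Read>Allow</Read><Delete>Allow</Delete><Update>Deny</Update></Grant>
    </AxSecurityEntryPointReference>
    <AxSecurityEntryPointReference>
      <Name>SamplePostJournal</Name><ObjectName>SamplePostJournal</ObjectName>
      <ObjectType>MenuItemAction</ObjectType><Grant><Read>Allow</Read></Grant>
    </AxSecurityEntryPointReference>
  </EntryPoints>
</AxSecurityPrivilege>
"""


def audit_privilege(xml_text):
    """Return (object_type, object_name, reason) for each entry point that is not
    a plain Read grant on a display or output menu item, in document order."""
    findings = []
    for ref in ET.fromstring(xml_text).iter("AxSecurityEntryPointReference"):
        obj_type = ref.findtext("ObjectType", default="")
        obj_name = ref.findtext("ObjectName") or ref.findtext("Name", default="")
        grant = ref.find("Grant")
        # Only grant elements whose text is Allow actually grant anything.
        allowed = {g.tag for g in (grant if grant is not None else [])
                   if (g.text or "").strip() == "Allow"}
        above_read = [g for g in WRITE_GRANTS if g in allowed]
        if above_read:
            findings.append((obj_type, obj_name,
                             "grants above Read: " + ", ".join(above_read)))
        if obj_type == "MenuItemAction":
            # Action menu items are all-or-nothing: any grant lets the user run the action.
            findings.append((obj_type, obj_name, "action menu item: access is all-or-nothing"))
    return findings


def is_read_only(xml_text):
    """True when every entry point is a plain Read grant on a non-action item."""
    return not audit_privilege(xml_text)
```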
Just a thought – would it be worth adding Action Menu Items as well with the same Grant Read permissions? Most of the forms have buttons that are also controlled through Action Menu Items.
The problem with adding menu item actions to a ‘read only role’ is that with menu item actions you either have access to the item or not. Granting Read access to the object is the same as granting Delete access, and some menu item actions allow you to perform transactions within the system (posting journals, printing checks, etc.).
The argument could be made to add menu item outputs to this role, as these are just reports generated by the system. But in most cases users looking for this type of role just want read access to all forms in the system, which correspond to menu item displays.
So helpful. Thank you.
I noticed at the top left, that the License is Operations. I was expecting a Team Member license for a read-only privilege. Thank you
Some menu items have an Operations level license requirement as the ViewUserLicense parameter, which forces this ‘read only’ role to require an Operations level license. As the values for the ViewUserLicense/MaintainUserLicense parameters are set by Microsoft, there is no way to avoid this except to exclude those menu items from the role.
After these privileges have been granted and published, can you remove certain privileges to further restrict what can be viewed?
Absolutely. This process just shows the potential for creating a ‘view only’ role; if there are modules or areas of D365FO that you do not want a user to have access to, you can assign the menu items and then remove the ones that should not be assigned.
Thanks for the feedback. I have just created a custom “view only role” with access to only specific functionality and tested it. It works very well and saved me a lot of time.
This was extremely helpful
Thanks for this post, exactly what we are after!
Have you been able to identify the menu items to remove from the privilege to drop the license back to a team member license?
Here is a list of menu items that have above a ‘Team Members’ license at a View level: https://fastpath-my.sharepoint.com/:x:/g/personal/meyer_gofastpath_com/EdKsy5LyAedFm-B-2OcOjGMBRBKEn5LEUQ5zE7iZ075vKw?e=VDc2Gz
This is so helpful! Thank you for sharing this! Now I get to work on creating read-only access specific to roles versus the whole application. I thought that giving inquire/view duties would do that but it seems prior to my arrival that someone has added privileges to these duties that provide update/delete access in some cases. I am very grateful that the read only to everything is done though.
Question: to ensure that this only provides read access, should I change the permissions for Update, Create and Delete to deny? I’m trying to ensure users truly only have ‘Read-only’ access.
I can understand the idea of wanting to do this, but there are objects a user will need access to above a ‘Read’ level to operate within D365FO. If you look at the ‘System User’ role, for example, you can see there are quite a few entries which grant access above a Read level, but these are mostly to ‘system’ objects which would not have an impact on any organizational data.
My best piece of advice would be to follow the steps within the blog post to create a ‘Read Only’ role and then be sure to only assign this role plus the ‘System User’ role to a user. In that way you can be assured that the user will only be able to have ‘Read Only’ access.