I recently attended the Dynamic Communities North America Summit conference and presented several sessions on security and licensing in D365FO. One of my new sessions covered Extensible Data Security (XDS), and I was a little worried about such a technical session being scheduled for the final morning of the conference. I needn't have worried: I had a full room of community members ready to learn, and they asked some great questions that I couldn't answer on the spot. I took note of them and wanted to answer them in a public format so others can benefit as well.
Before we start, I want to show the configuration we will be using for testing.
We have two roles, FPCustomersRole and FPXdsCustomersRole. Both are assigned the CustCustomersMaintain duty, which gives access to maintain customer records.
With the FPCustomersRole assigned to our test user, the user can see all customer records:
The FPXdsCustomersRole has an XDS policy applied that only shows customers with a CustGroup of 10. With the FPXdsCustomersRole assigned, our test user can only see the customers with a CustGroup of 10:
For every test I did a full compile and a database sync of my test project, then logged out of D365FO and logged back in as the test user so that the security cache was rebuilt.
Question 1 – What happens if you assign multiple roles to a user, where role A has XDS applied and role B does not, and both grant access to the same object?
If we assign both roles directly to the user:
The XDS policy is still applied to the user's access:
So when a user holds one role with an XDS policy and another without it, the unfiltered role does not bypass the filter: the most restrictive XDS access wins.
Question 2 – Can I apply XDS to a sub role of a user?
If we set FPCustomersRole as the base role and FPXdsCustomersRole as the sub role (so the role with XDS applied is the sub role):
We get an interesting outcome: our test user can see all customers:
This means that the XDS policy is not being applied when it lives on a sub role.
What happens if we reverse it and have the XDS role being the base role and the normal role being the subrole?
Now the XDS policy is applied correctly:
This also works if the base role has no permissions assigned to it directly and only has the normal role as a sub role. That arrangement is useful when one set of users should have XDS applied and another set should not: you control access for both groups with a single underlying role, and control the XDS portion by creating parent roles whose context string is set to the XDS policy that should be applied:
In short, a role with XDS applied does not enforce its policy when it is a sub role of another role, but a normal role can be a sub role of a role with XDS applied and the policy functions correctly.
Question 3 – Can you have a user see all instances of an object, but only update/create/delete specified objects via XDS?
In the previous questions (and in my previous XDS posts) I always set the Operation property of the security policy to 'AllOperations', but there are other options. One of them is 'InsertUpdateDelete', which means the XDS policy is only applied to those SQL operations and not to selects:
If we apply this security policy to a role and assign it to a user and load the All Customers form we can see all of the customers:
However this is what happens if you try to create a customer with a CustGroup other than 10:
And here is what happens if you try to edit a record with a CustGroup other than 10:
And here is what happens if you try to delete a customer with a CustGroup of 10:
So you can let a user see all records while only allowing them to create, update, or delete the records that match the constraint defined in the security policy.
Question 4 – If I have multiple XDS policies applied to the same role for the same object are the policies ‘AND’d together or ‘OR’d together?
Let's combine our CustGroup = 10 security policy with a new CustGroup = 20 security policy and apply both policies to the same role via the security context.
If we apply both policies to the role and assign it to the user, no customers are returned, which shows that the XDS policies are AND'd together: a record must satisfy every policy on the table to be visible. If you actually want an OR, both values need to be expressed in a single policy query (for example, as two ranges on CustGroup in the same query) rather than as two separate policies.
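To make the behaviour behind Questions 3 and 4 concrete, here is an added example (my own model, not D365FO or Microsoft code) of how an XDS policy is enforced: the policy query becomes an extra predicate that is AND'd onto the SQL the kernel issues for the constrained table, and the policy's Operation property decides which statements receive it. The table, column names and customer rows are constructed for illustration, and the three Operation values modelled are assumed to cover the cases in this post; it runs against SQLite rather than the AxDB.

```python
"""Model of XDS enforcement: every enabled policy on a table is AND'd onto the
statement's WHERE clause, for the operations the policy's Operation property
names. Added example using SQLite; not D365FO code. Data is constructed."""
import sqlite3

# Constructed sample rows mirroring CustTable's AccountNum / CustGroup columns.
SAMPLE_CUSTOMERS = [
    ("US-001", "10"), ("US-002", "10"), ("US-003", "20"), ("US-004", "30"),
]

def connect():
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.execute("CREATE TABLE CustTable (AccountNum TEXT PRIMARY KEY, "
                 "CustGroup TEXT NOT NULL)")
    conn.executemany("INSERT INTO CustTable VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn

class Policy:
    """One security policy: a predicate on the constrained table plus the
    operations it covers (assumed values: AllOperations, Select, InsertUpdateDelete)."""
    def __init__(self, predicate, operation="AllOperations"):
        self.predicate = predicate
        self.operation = operation

    def applies_to(self, op):
        if self.operation == "AllOperations":
            return True
        if self.operation == "Select":
            return op == "select"
        return op in ("insert", "update", "delete")  # InsertUpdateDelete

class XdsSession:
    """Issues SQL on behalf of one user; each applicable policy is AND'd on."""
    def __init__(self, conn, policies):
        self.conn = conn
        self.policies = policies

    def _where(self, op, base=None):
        preds = [base] if base else []
        preds += [f"({p.predicate})" for p in self.policies if p.applies_to(op)]
        return (" WHERE " + " AND ".join(preds)) if preds else ""

    def select_accounts(self):
        sql = "SELECT AccountNum FROM CustTable" + self._where("select") + " ORDER BY AccountNum"
        return [row[0] for row in self.conn.execute(sql)]

    def update_group(self, account, new_group):
        sql = "UPDATE CustTable SET CustGroup = ?" + self._where("update", "AccountNum = ?")
        return self.conn.execute(sql, (new_group, account)).rowcount  # rows actually changed

    def delete(self, account):
        sql = "DELETE FROM CustTable" + self._where("delete", "AccountNum = ?")
        return self.conn.execute(sql, (account,)).rowcount

    def insert(self, account, group):
        # Check the candidate row against the write predicates before writing it;
        # a row the policy would hide from the user cannot be created by that user.
        check = ("SELECT 1 FROM (SELECT ? AS AccountNum, ? AS CustGroup) AS candidate"
                 + self._where("insert"))
        if self.conn.execute(check, (account, group)).fetchone() is None:
            return False
        self.conn.execute("INSERT INTO CustTable VALUES (?, ?)", (account, group))
        return True

def question3_insert_update_delete():
    """Operation = InsertUpdateDelete: reads see everything, writes are constrained."""
    s = XdsSession(connect(), [Policy("CustGroup = '10'", "InsertUpdateDelete")])
    return {
        "visible": s.select_accounts(),                        # all four rows
        "update_group_20": s.update_group("US-003", "10"),     # 0: filtered out
        "delete_group_30": s.delete("US-004"),                 # 0: filtered out
        "delete_group_10": s.delete("US-002"),                 # 1: allowed
        "insert_group_20": s.insert("US-005", "20"),           # False: rejected
        "insert_group_10": s.insert("US-006", "10"),           # True
        "visible_after": s.select_accounts(),
    }

def question4_two_policies_same_table():
    """Two AllOperations policies on one table are AND'd: no row is in both groups."""
    s = XdsSession(connect(), [Policy("CustGroup = '10'"), Policy("CustGroup = '20'")])
    return s.select_accounts()

if __name__ == "__main__":
    print(question3_insert_update_delete())
    print(question4_two_policies_same_table())
```

The model makes the design point of Question 4 obvious: because each policy contributes its own predicate and the predicates are conjoined, two policies on the same table can only narrow the result set, never widen it.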
I want to thank the Dynamic Communities members who attended my session and asked such great questions! Hopefully this blog post answers some of them. As always, if you have other questions on the topic, feel free to reach out; they may become a future blog post.