In an earlier blog post I went into great detail on the changes to the Security Development Tool from AX 2012 to D365FO: How To Simulate the Security Development Tool in D365FO
In that post, I pointed out that one of the features that was currently missing was the ability to open a test workspace for a particular role or roles to analyze their access. Well through numerous posts with different D365FO community members, a way to add this functionality has been found. Here is how to add this functionality.
1. So the first thing to know, is that this tooling already existed internally at Microsoft we just have to expose it to the Visual Studio user interface. If you RDP to your D365 development box and go to the following path you will find a Visual Studio extension installer:
<PlatformUpdateRoot>\Services\DevToolsService\Scripts\Microsoft.Dynamics.Framework.Tools.InternalDevTools.vsix
So as an example, on my machine this happened to be the following path:
E:\rainfndprod\7.0.4612.35162\retail\Services\DevToolsService\Scripts\Microsoft.Dynamics.Framework.Tools.InternalDevTools.vsix
This is a Visual Studio extension file, if you double click and install this extension you will notice that a number of options are added to your Dynamics 365 -> Add-ins menu.
Before:
After:
2. One of the added menu items in this list is ‘View with Role Set’ which is the tool we are looking for
3. Click on this opens the dialog below, from here you can select a ‘Role Set’ that you would like to use. One nice feature is that you can select an already existing users and see what roles that user is currently assigned or you can create a new role set and start from scratch. The idea below is to move the roles you would like to test to the Assigned Roles side from the Available Roles. Users who have experience with this feature in AX 2012 will notice one big difference is that you can now very easily select multiple roles to test at once, by default in AX 2012 you could only test one role at a time (you could get around this by using subroles but it was not very user friendly). Once you are satisfied with your choices you can click the OK button.
4. This will launch a test environment with the role(s) you have selected to let you see what a user would have access to if they were to be assigned those roles. Some things to point out:
- A test user is actually created for this purpose and is assigned the role(s) selected, this user will show up in your user list in your environment (this user also has to be enabled)
- All tests need to be assigned the SystemUser role otherwise you will get errors launching the test environment as most roles do not have explicit access to the initial dashboard (which is always the first screen to load in the testing environment)
This feature set was the last piece to the puzzle of features that existed in the Security Development Tool that did not exist in D365FO. Hopefully this feature will become part of the default Visual Studio experience and become a little more user friendly but it’s definitely a good thing to know that this feature is there.
Hi Alex,
Thanks for your helpful blog posts, they really give a good foundation to start with. Since you seem to have some experience in Security, a small question…
In D365fo when looking at an audit trail and comparing permissions on a security role, there is an option “Revert” under the OPTION menu. I’m wondering if you can use this to revert a selected change in the audit trail? I have selected the unique changes and tried to ‘revert’ them. The undo button in the security configuration was not an option in this case on the role. Note that I have tried with changes that were published and not published yet, but no difference.
So question, is there a possibility to undo a change as shown in the audit trail when the undo button is not available anymore on a Role for instance?
Thanks in advance!
Ken
I don’t believe that Revert functionality will do anything on this page as you cannot edit anything in the report normally, so it doesn’t have the ability to revert any changes.
If the undo button is not available the only solution, from what I have found, is to manually undo the change yourself.
Hi Alex,
I’m working in a dev environment, messing around with security roles and permissions. The tool you describe in this post seems perfect for testing the functionality of my created roles. Unfortunately, I’m unable to find the file path you outline above. Do you have any tips or is there something I’m missing?
Thanks in advance for any advice you’re able to give me!
James,
The drive letter you will find it under may be different than the one I used, but the file path should be the same once you find the Services directory.
I have also only checked this on Platform Update 9 and Platform Update 10, if you are running on an earlier version I am not sure if this is available.
Thanks for getting back so quickly!
I’m on Platform Update 8, so I have a feeling that’s my issue. Good information for future use, though.
Hi, I am working on a dev-box version 8.1 PU20.
I can’t seem to find the .vsix file. Do you know if this blogpost and the described approach is still valid for 8.1PU20?
thx,
Sven
Sven,
I was able to find it at the following path on a 8.1 PU20 box:
E:\AppMUStab\8.1.136.24\retail\Services\DevToolsService\Scripts\Microsoft.Dynamics.Framework.Tools.InternalDevTools.vsix
Hi Alex,
I’m using the same version as Alex (8.1 PU20). I can’t find any DevToolsService folder on the VM. Is there another way to get a copy of the vsix file?
Hi Alex,
My bad. I thought you were referring to the VM when you said “development box”. I opened the development box provided on LCS and found the path as you have indicated above. I copied the .vsix file to my VM and it worked just as you have stated.
Thank you for posting this!
Thanks Alex – I tried to do this in a 10.0.4 cloud hosted environment.
I found the .vsix file, however after running it and restarting the hosted machine, I do not see any extra add-ins.
Do you know if this is still available for v10?
Mike,
I just validated this in a PU28 10.0.4 machine and it still works
I would validate that there were no open instances of VS when you were trying to install the extension and ensure that the extension installation completes successfully.
In my Version it does not work apart the role is assigned -SysAdmin-
10.0.8 Update32 (7.0.5493.35497)
All other Scenario will lead to error.
Insufficient informationexists to identify the cause of failure.
Would be a nice to have Feature.
Paul,
I have tested this is a PU32 and PU33 instances and was able to get the feature to work in both with assigning non-SysAdmin roles, I will say that I have VS2019 installed in both instances so not sure if that helps in your case or not.
I couldn’t initially get this working on a 10.0.0.8 machine.
2019 release wave 2
Installed product version : 10.0.8 (10.0.319.30022)
Installed platform version : Update32 (7.0.5493.46022)
Dev tools coming from E:\AppRing4\8.1.195.20001\retail\Services\DevToolsService\Scripts
They show as version 1.0 installed in VS2015 but no additional menu items. Tried restarting VS and the VM and uninstalling and reinstalling.
The extension installs to C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Extensions\32g51ubc.rkk and looks ok.
No joy. So I grabbed the most recent Platform and application binary package from LCS and got the tools from \DevToolsService\Scripts.
This worked.
Moral of the story – don’t use an old version of the tools.
Nick,
I really appreciate the insight, that’s great information!
Alex I am working for a client who are running d365 F&O / VS2017 – I looked at the threat above and and followed steps described by Nick May 14 2020 – I.e. I grabbed the latest file from LCS – Shared asset library ServiceUpdate – 10.0.,16 from 1/23/2021. Downloaded and copied the internalDevTools file from retail sub folder underneath “FinanceAndOperations_10.0.689.10004_Application”. Next I copied the file across to my devbox (Cloud based) and ran the installation. Installed the version for VS2017. Started up VS2017 and attempted to use “View with Roleset”. After selecting a role. I keep getting this error: “An unexpected win32Exception occurred”. I tried creating new roleset, testing with different roleset users etc. and I keep getting the same error. Any ideas? Thanks in advance
Carsten,
Microsoft broke this tool from PU32 onwards, since this is an internal tool there are no plans for Microsoft to fix this. Because of this I have been working on a project to fill this gap, it is not released yet but I am in the process of finalizing this for community release.
It allows for the following:
– Assigning a role, duty, or privilege to a ‘test’/’mock’ role
– Copy security from a user to the test/mock role to allow for easy ‘what if’ analysis
Once this is released, I will write a blog post surrounding how to use it. Feel free to reach out with any questions.
Hi Alex, Firstly thanks for this wonderful series to educate us related to D365 FinOps security. I’m new this this field of security implementation, when I tried to open the tool from VS-2017 after set the role assignment, system pop-up an error “An unexpected Win32Expection has occurred”
Arif,
I actually address this issue in a separate blog post here: D365FO Security Role Test Workspace
Alex,
Apricated your prompt feedback! If it’s possible can you please share any YouTube channel so It will help me to understand from scratch.
Arif,
Here is the official release video I made for the tool: D365FO Security Test Workspace – Official Release
Hi Alex
When I click on “View with role set” option I get exception “An unexpected FaultException`1 has occured”
Abdul,
I addressed that issue by creating my own role test workspace application:
https://alexdmeyer.com/2021/05/19/beta-release-of-d365fo-security-role-test-workspace/
I know there have been others (outside Microsoft) that have tried to get this tool itself working again but do not know the status of that.