Manage users
Users are internal employees of your organization or customers and external suppliers who need access to the system to perform their treatments. It is not recommended to add users outside of your company to your organization.
Administrators cannot delete roles that are automatically assigned to users. Users can be excluded from roles by the administrator. When a user is excluded from a role, the role assignment is no longer automatically controlled for that user. Excluded users are listed in role membership when automatic role assignment rules are executed or when an Active Directory group is assigned to a role. However, they are marked as excluded. Access associated with the role is not granted to excluded users. Users excluded from the role cannot be re-assigned to it until the administrator has removed the exclusion.
For user creation, security role assignment and record linking:
- Create users: before you can access D365 Finance, you must first be added to the Users page in System administration > Users. Users include internal employees of your organization, or external customers and suppliers. Users can be imported or added manually. All users must have a license to ensure that they are used properly.
- Add an external user in Microsoft Entra ID and assign a license: the external users must exist in your Tenant (Microsoft Entra ID) to be able to assign licenses to them. These external users must be added to your Tenant in Microsoft Entra ID as guest users and then the appropriate licenses must be assigned to them. The guest user’s company must use Microsoft Entra ID to use D365 Finance.
- Manage users and security roles: to use more advanced features in D365 Finance, users must be assigned to security roles. You can automatically assign users to roles based on rules and business data, exclude users from automatic role assignments, or manually add users to roles.
- Automatically assign users to roles: based on business data, system administrators can automatically assign roles to users.
- Exclude users from automatic role assignment: when you remove an exclusion by resetting the user’s status, the user’s role is automatically reassigned. However, the user is not immediately assigned to the role or excluded from the role when you reset the status. Instead, the user is assigned to the role or removed from the role the next time the automatic role assignment rules are executed.
- Manually assign roles to users: users whose security roles have been assigned manually must also be removed manually by the administrator.
- Manually remove roles to users: users whose security roles have been assigned manually must also be removed manually by the administrator.
Security Role & Batch Manager
By assigning a user to the Batch Manager security role, the user has the necessary permissions to copy batch processes. It can change who can run the treatments and specify the time intervals for which the treatments can run. Batch maintenance is part of the Batch Manager’s security role. It allows a user to create an unscheduled batch process and grant privileges to other users.
Segregation of duties
Security or policies may require specific tasks to be performed by different users. You can set up rules to separate tasks that must be performed by different users. This concept is called segregation of duties.
For example, you may not want the same person to acknowledge receipt of the goods and process payment to the supplier. Segregation of duties allows you to reduce the risk of fraud, but also to detect errors or irregularities. You can also use segregation of duties to apply internal control strategies.
To comply with regulatory requirements, such as SOX, IFRS and FDA segregation of duties.
Default duties are provided. The administrator can change privileges associated with duty or create new ones.
Identify and resolve conflicts
When the definition of a security role or the roles assigned to a user violate the rules, the conflict is recorded.
All conflicts must be resolved by the administrator. To identify and resolve conflicts and check whether the user role assignments are in accordance with the new segregation of duties rules, you must run the Verify compliance of user-role assignments process from System administration > Security > Segregation of duties > Verify compliance of user-role assignments.
If there is a conflict, you can open the Users page and change the user’s role assignments.
Conflicts are also recorded on the Segregation of duties conflicts page.
Perform security reports
D365 Finance provides a comprehensive set of security reports to help you understand all the security roles available in your environment and all the users assigned to each role.
Security reports are located under System administration> Inquiries >Security .
User role assignments report
The User Role Assignments report generates a view of the current user role assignments in your system. By default, the report includes all users to whom roles are assigned. You can limit the report to a specific set of users when generating the report.
For each user of the report, a list of roles is provided, along with restrictions at the legal entity or organization level.
Role to user assignment Report
Role to user assignmentreport provides an aggregation of role assignments. The report’s role development displays the list of users assigned to the role and the username development displays the restrictions applied by the role.
The same method of filtering all users can be applied to this report.
Security role effective access Report
The Security role effective access report provides a view of the actual permissions for each security role. This report provides a flattened list of permissions grouped by type for all the sub-roles, duties and privileges contained in the role.
This report may take some time to complete. You can optionally limit the roles to include in the report by adding a filter under Records to include.
The development of a role displays the category of objects to which the role has access. The development of one of the object types displays a detailed list of each object of that type included in the role.
Security duty assignments Report
The Security duty assignments report provides a view of all responsibilities contained in the role. This report can be configured to run on any role collection to ensure responsibilities are distributed across roles. By default, the report includes all roles. To limit the roles included, use the filtering provided.
The role development in the report displays each role assigned responsibility, along with details of the duties.
Compliance with user license requirements
The licensing requirements for users are determined by the security roles assigned to them. Security roles are based on a hierarchy of directly referenced sub-roles, duties, privileges and securable objects.
Licensing requirements for users are determined at the organization or tenant level. When using multiple environments and applications, you need to analyze requirements in all environments.
Examples of licensing requirements include None, Team Members, Activity and Operations.
The Operations license requirement indicates that a full user license is required. Some privileges are unique to a specific full user license and require a base or attachment license before a full user license is assigned to a user.
Roles for selected user FactBox
View the license requirements for each role in the Roles for selected user FactBox. To view license requirements, go to System Administration > Security Configuration > View Permissions and select any security object (role, duty, permission). The highest license requirement determines the actual license requirement for a user.
User license counts report
You can run the User license counts report to get the number of licenses required by license type.
The report also provides details about each user and license requirements for each assigned role. Users are listed under the highest license type. If the license requirement is identified as Operations, you must use the User License Estimator state to determine the specific full user license requirements.
User license estimator Report
If a user has no privileges that require a specific full user license, this user is displayed but no specific full user license is specified in this report. The user complies with any full user license assigned to him.
If the privileges assigned to a user require one or more specific full-user licenses, those licenses are displayed in this report.
D365FOAdviceTips 
Leave a comment