Microsoft Dynamics 365 security roles – how to make them more efficient and less costly

In this article, we will focus on Microsoft Dynamics 365 security roles creation and discuss the solution that we have developed at XPLUS for easy security roles generation, management and Microsoft license optimization.

What exactly is a security role? It is an element that defines how different users in Dynamics 365 view and access different types of records. Ideally, you can fully control access to this data: to unify the UI, enhance work efficiency and, most importantly, prevent any data fraud. It also helps if you can easily create new roles and modify the existing ones (including by re-assigning them to the users).

Because Dynamics 365 security roles creation is complex, with multiple ways to configure security within the application, the security issue is more often than not simply overlooked.

From our experience, when it comes to security projects, Clients are most anxious to have the Dynamics 365 security roles set up as precisely as possible. It might also happen that, because the security setup is not tested in the implementation phase, the issue crops up later on during system development. Companies either address it at the very early stage of their ERP system implementation or, having used what the standard security config offers, start looking for a more effective and less time-consuming solution.

This is where we come in with Security Setup – a tool that cuts back the security project from 12 months to 8 weeks on average.

 

Chapter 1

Dynamics 365 security roles – the backbone of your business

To support their business processes, most organizations rely on custom security configuration. Dynamics 365 security roles setup can, however, be quite complex, if not totally inefficient, when it comes to the duration of the project and its costs. The benefits of having precise, tailored security roles cannot be overlooked. That is why you should look for a solution that makes security config and management not only easier but, at the end of the day, also affordable.

Dynamics 365 security roles define how different users, such as the finance or invoice department, access specific records. To control access to different data, you should be able to modify the existing security setup: create new roles, rename, remove or reassign them. Each user can have multiple security roles and, under the Microsoft standard, usually does. Most of the time, this is more than enough: some users end up seeing interface elements they should not be seeing. Not to mention that the licensing for those users is costly.

Security design for any ERP system needs to be flexible, but only to a certain extent. Giving a user too many options and permissions not only distracts them from their daily work but also increases the risk of data breach and data fraud. And last but not least, each user with multiple security elements and data entry points costs the organization money with regard to their licenses.

Chapter 2

Looking beyond Microsoft standard security role assignment

The Microsoft standard is built on certain requirements that are useful but too general for system access config. To create Dynamics 365 security roles from scratch, you need to work extensively in Visual Studio to track down the details, identify the elements one by one and assign the roles to the users.

One way to do this is to create roles based on task recordings and manually assign action menu items. This approach, however, is described by our Clients as highly ineffective. You can also combine standard roles and modify the privileges. Again, if you consider the massive number of duties and privileges within the company’s system, the approach is extremely time-consuming. Setting up one security role can take as long as a day…

The standard of Dynamics 365 FSCM is limited only to automatic recognition of Display Items. The rest of the security setup needs to be identified and configured manually from scratch. This makes the process highly ineffective.

The other important issue with Microsoft standard security role assignment is that as much as 30-40% of security objects (menu display items) are so deeply embedded in the code that you need to hire skilled developers to do this for you. Therefore, if you wish to remove access to, or hide, certain functionalities for individual users, that means a lot of work. If you would like tailored security roles, the security development project is so complicated and costly that it would take at least 1 year to complete for an implementation of Microsoft Dynamics 365 FSCM in a mid-size company.

Chapter 3

Dynamics 365 security config – how to go about it

How to define security elements? What are they exactly?

Considering the limitations of standard Microsoft Dynamics 365 security roles creation and the extensive time a security project takes with it, we decided to invent a cost- and time-effective solution. This is how we developed a process-oriented approach to security roles generation and management. Instead of thinking of security roles as abstract entities in the system, we have defined a security role as an individual position in the organisation and a duty as a business process to handle.

How do we do it? We extract all types of positions within the organisation (be it warehouse, logistics, management, finance and accounting, etc.) and identify their daily tasks and responsibilities. As the next step, we record these business processes as duties. Then, we put those recordings against the roles and thereby create a security structure of roles, with duties assigned to each role in the system.

What does our security project look like? We go to organizations and ask them for the list of employees, together with their positions. Then, we try to map the business processes onto each role (position within the organization). We record the business processes one by one. Once the duties have been applied to the roles, we run cross-checks to verify that each role meets all the requirements.

Chapter 4

Unique way of creating Dynamics 365 security roles – what’s in it for you

The process-oriented approach speeds up the delivery of new roles for new positions by simply converting business processes into duties. This also means quick adjustment to the existing roles.

With our Security Setup, you can convert your actual business processes into the precise roles and duties that you need. No more redundant accesses and privileges. Within seconds, you can set up a role and then optimize it with regard to licenses and access area. What is more, you can easily copy the whole security structure and move it between Dynamics 365 environments effortlessly.

The main idea of our tool is to:

Reduce the licensing price

Simplify the User Interface

Mitigate the data security risks

Speed up the delivery of new roles

Chapter 5

Dynamics 365 security roles – best practices

Our unique method of Dynamics 365 security roles generation helps organizations to build new roles based on organization hierarchy and existing positions.

Based on our experience in testing with security roles and security roles creation in Microsoft Dynamics 365, we have developed a process-oriented approach to security setup projects. How do we do it?

We recommend three different options when using our Security Setup tool:

1

First, we recommend creating categories based on the hierarchy of the organisation, for example the sales department, HR, etc. You load processes (task recordings from the database) from Executive Automats into a selected organization branch. The structure of each branch is flexible, so each parent branch can become a Role in the system. As a parent, it will collect all of its children’s entry points / security access.


Once the role has been created and cross-checked in the system, you can make it an even better fit for the organization’s structure by adding advanced security elements such as:

Table field access

Restrictions to certain fields

Embedded code permissions

Chapter 6

Licensing vs. Microsoft Dynamics 365 security roles

Microsoft gives licenses for the users based on their access level. Those users who have more access are – basically speaking – more expensive for the company. If the licensing model is simplified – each user is given exactly the security elements that they need in their daily work – then you significantly cut down on licensing costs.

With Security Setup (SS), we want each business user to understand the specific role requirements, what license level everyone needs and the total scope of licenses you need to purchase for your system. It might be the case that a number of licenses across the organisation are simply redundant.

A single tailored role created with Security Setup – let’s say for an accountant position in the organisation – might consist of ca. 20 security objects. This reflects the real business processes (duties) that this person handles daily. With standard Dynamics 365 security roles setup, such a user has 1 000+ security objects assigned. Apart from being distracted by the number of unused functionalities visible in their UI, such users end up costing more than users whose roles contain fewer security objects. If you multiply the redundant licenses by the number of business users within the company, with Security Setup you can easily see that you might actually need only 10% of what Microsoft standard security roles licensing is offering.

Executive Automats (EA) is a codeless solution for test automation and security setup management for the Microsoft Dynamics ecosystem.

It was developed to increase deployment speed, extend testing coverage and enhance software quality. EA shortens the security project duration, mitigates data fraud risk and reduces the licensing costs.

Executive Automats consists of two independent modules that address the issues of Dynamics testing and security roles generation.

XPLUS S.A.

Pulawska 435A St. Light House
02-801 Warsaw, POLAND