Add Logging to SysAdmin Role Assignments in Dynamics 365 Finance

Microsoft D365 Finance and Operations is by far the most useful ERP system for businesses. Its capabilities are designed to empower enterprises and streamline their operations at every step. 

However, a crucial aspect of administering Dynamics 365 Finance is managing user access and security roles. In this article, we will talk about the SysAdmin role to help you understand user accounts and security role assignments better.

What is the role of Finance and Operations in D365?

The Finance and Operations module helps businesses streamline their financial and business processes, manage supply chain operations, and obtain useful insights through advanced analytics. Proper role assignments ensure that users in the Finance and Operations module may complete their jobs quickly while keeping data secure.


What are role privileges in D365?

Role privileges specify which activities and tasks a user can perform within Dynamics 365 Finance and Operations. Security roles are made up of several privileges, and understanding these privileges is critical for efficient role management. 

Privileges can range from simple read and write access to more complex tasks such as data deletion or configuration changes. 

Assigning the appropriate privileges ensures that users have the essential permissions while avoiding unwanted access to critical information.

Manage users and security roles in D365

To use anything other than ordinary capabilities in finance and operations apps, users must be assigned security roles. Users can be assigned to roles automatically using rules and business data, excluded from automatic role assignment, or added to roles manually.

How do I assign user roles in Dynamics 365?

There are two ways to do it: manually and automatically. The steps for both follow.

This procedure outlines how administrators can automatically allocate roles to users based on business data.

1. Navigate to Modules > System Administration > Security > Assign users to roles.
2. In the tree, choose the role you wish to configure the rule for. In this example, choose Accounting supervisor.
3. Select Add Rule. The dialog menu will appear.
4. In the pick a query list, locate and pick the appropriate record. Choose the query to use for this rule.
5. In the Membership rule name list, click the link in the desired row.
6. Select Edit Query. Edit the query as needed.
7. Select "OK."
8. Select "Run automatic role assignment."
9. Navigate to Navigation pane > Modules > System Administration > Users > Users (preferably in a separate browser tab).
10. Review the roles assigned to different users to ensure that the role assignment query was correct. Adjust and re-run as needed.

Users who are assigned to security roles manually must be removed manually by the administrator. The rules for automatic role assignment do not remove these users from their roles.

1. Navigate to Navigation pane > Modules > System administration > Security > Assign users to roles.
2. Choose a role from the tree, and then click Manually assign/exclude users in the Users allocated to Role option.
3. Users who have not been assigned the role appear in the Assign Users to or Exclude users from the role list with the Assignment mode set to None. Choose one or more users who should be assigned the role.
4. In the Action pane, choose Assign to role. The assignment mode changes to Manual, and each selected user is assigned the role.
5. In the Membership rule name list, click the link in the desired row.
6. Select Edit Query. Edit the query as needed.
7. Select "OK."
8. Select "Run automatic role assignment."
9. Navigate to Navigation pane > Modules > System Administration > Users > Users (preferably in a separate browser tab).
10. Review the roles assigned to different users to ensure that the role assignment query was correct. Adjust and re-run as needed.

Role Assignments in D365 FO - How do you assign a security role to a team in dynamics?

SysAdmin (System Administrator) role assignments are crucial in Dynamics 365 because they provide enhanced privileges that affect the entire system. To improve security, consider adding logging to SysAdmin role assignments. Logging lets administrators track changes to role assignments, creating an audit trail of who made the changes and when. This can help to identify and mitigate security threats quickly.

The first step is to set up a table to track when a person was assigned to or removed from the SysAdmin role. We included the impacted user, the action being performed, and a reason box where you could write an explanation for why this assignment change occurred.


Next, we wanted to be able to capture when this change occurred; in this case, we used the table events on the SecurityUserRole table and listened only for changes where the SysAdmin role was assigned/revoked.


The updating and deleting table events were handled differently, since we had to use the Common object to retrieve the new data and account for the possibility of the RoleAssignmentStatus parameter changing.
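The table-event approach described above, as an added X++ example rather than the original post's code. The log table AmSysAdminLog and its fields are hypothetical names; SecurityUserRole, SecurityRole, the AssignmentStatus field and the '-SYSADMIN-' AOT name come from the standard application, and prompting for the reason through the AmSysAdminReason form is left out.

```xpp
// Added example. AmSysAdminLog (fields UserId, Action, Reason) is a hypothetical
// log table with the createdBy / createdDateTime system fields enabled.
final class AmSysAdminLogHandler
{
    // Writes a log row only when the assignment is for the System administrator role.
    private static void logIfSysAdmin(SecurityUserRole _userRole, boolean _assigned)
    {
        SecurityRole  role;
        AmSysAdminLog log;
        select firstonly RecId from role
            where role.RecId   == _userRole.SecurityRole
               && role.AotName == '-SYSADMIN-';
        if (role.RecId)
        {
            log.UserId = _userRole.User;
            log.Action = _assigned ? 'Assigned' : 'Revoked';
            log.insert(); // Reason stays empty until the dialog supplies one
        }
    }

    [DataEventHandler(tableStr(SecurityUserRole), DataEventType::Inserted)]
    public static void onInserted(Common sender, DataEventArgs e)
    {
        SecurityUserRole userRole = sender as SecurityUserRole;
        if (userRole.AssignmentStatus == RoleAssignmentStatus::Enabled)
            AmSysAdminLogHandler::logIfSysAdmin(userRole, true);
    }

    [DataEventHandler(tableStr(SecurityUserRole), DataEventType::Updating)]
    public static void onUpdating(Common sender, DataEventArgs e)
    {
        SecurityUserRole userRole = sender as SecurityUserRole;
        SecurityUserRole original = userRole.orig();
        // Log only when the status actually flips to or from Enabled.
        boolean wasOn = original.AssignmentStatus == RoleAssignmentStatus::Enabled;
        boolean isOn  = userRole.AssignmentStatus == RoleAssignmentStatus::Enabled;
        if (wasOn != isOn)
            AmSysAdminLogHandler::logIfSysAdmin(userRole, isOn);
    }

    [DataEventHandler(tableStr(SecurityUserRole), DataEventType::Deleting)]
    public static void onDeleting(Common sender, DataEventArgs e)
    {
        SecurityUserRole userRole = sender as SecurityUserRole;
        // Deleting a row that was already disabled revokes nothing.
        if (userRole.AssignmentStatus == RoleAssignmentStatus::Enabled)
            AmSysAdminLogHandler::logIfSysAdmin(userRole, false);
    }
}
```

Because the handlers sit on the table rather than on a form, the createdBy value on each log row records who made the change regardless of which screen was used.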


To allow user feedback on why the SysAdmin role was assigned/revoked, a custom form had to be created. The next step was to create the AmSysAdminReason form, which is referenced in the above code. We used a basic dialog to prompt the user for input. (Note: This field is optional, and clicking the Submit button closes the form).


So let’s see what this looks like in the application if we go back and use the capability provided at System Administration -> Alex Meyer’s Security Toolkit to revoke the SysAdmin role.

[Image: SysAdmin Role]

When we click the button to assign or revoke the SysAdmin role, another form appears to ask the user for the reason for the change:

[Image: Testing SysAdmin]

Since the event listeners are done at the table level, this will also work for the regular user role assignment done using the System Administration -> User form:

[Image: User Form]

Once we’ve logged this information, the next step is to report on it. In the System Administration -> Alex Meyer’s Security Toolkit menu path, I created a new element for reporting:

[Image: Reporting]

This then brings you to the SysAdmin log report, which displays when the role change occurred, the user to whom it was assigned/revoked, the cause (if any), the action taken, and the user who updated it.

It is worth noting that if the User and Modified By user fields are the same, this process was completed using the ‘Assign/Revoke SysAdmin’ capability. If the users are different, it indicates that the process was completed via the System Administration -> Users form.

[Image: SysAdmin Log Report]

Bottom Line

Regularly assessing and upgrading role assignments ensures that your Dynamics 365 environment is secure and in line with your organization’s evolving demands. Finally, just be a little careful when you assign security roles.

Know the responsibilities of the users and modify your code accordingly. If you need some professional assistance, let the DHRP experts help you with the process to make it easy for you.

