How Do I Manage Security Roles in Dynamics 365?

The data your company generates and receives from external sources is crucial for the flawless execution of workflows. Because this data is often confidential, it requires proper protection, which Microsoft Dynamics 365 provides through security roles that control the privileges for working with data.

Microsoft Dynamics 365 Security System

A security role in Microsoft Dynamics 365 is a set of permissions to perform certain activities on data, for instance viewing or deleting. A security role can be applied to individual users as well as an entire team.

A team connects users from different departments working with the same data for the same goal, while business units are logical divisions with a vertical hierarchy.

Finally, the ERP system supports configuring access to a single record or to a field that spans multiple records.

Build Hierarchy for Responsibilities

To make your work with the ERP system significantly easier, treat security roles as sets of responsibilities and combine them for the same person where needed.

To see how this works, note that in Microsoft Dynamics 365 the most permissive role has the highest precedence, which makes it possible to assign several roles to the same person without causing system conflicts.

For example, if you have a security role that lets you work exclusively with your own activity records, receiving an extra role for working with the activity records of other users will override the initial role. Thus, you can start by assigning roles with minimum permissions to everyone and gradually add extra roles with extended privileges to users in higher positions.

Use Business Units as Database Dividers

One of the most confusing parts of Microsoft Dynamics 365 is business unit management, because business units are often associated with the company’s departments. As a result, many enterprises try to use this functionality to recreate the real structure of their organization within the ERP system, associating each department with a separate business unit.

In reality, a business unit connects employees who work with the same information. This does not necessarily mean that all of them work in the same department. Thus, a more effective strategy is to create business units as functional groups according to the data they use.

At the same time, be careful about adding colleagues to a business unit when they will work with its data only temporarily. Teams provide more flexibility: an employee receives all of the team's permissions, and those permissions are deactivated automatically once the person is removed from the team.

Avoid Sharing Records

To simplify collaboration on shared projects between users whose roles have different permissions, Microsoft Dynamics 365 provides a sharing tool. With it, one can share a single record with a person who does not have access rights to it. This automatically grants the user the set of permissions required to work with the record.

Undeniably, this is a useful feature that speeds up work and makes it more flexible. Yet it has serious implications for the load on the ERP system. In practice, any time a person shares a record, Microsoft Dynamics 365 has to create a separate filter and run it whenever anyone is working with the database. The more such filters are added, the slower the system becomes.

Limit Delete Permissions

One of the actions your security roles can permit when working with data is deleting records. Sometimes this is necessary, for instance when a user knows for sure that false data has been entered into the system. In that case, it has to be removed, and no one will need to recover it in the future.

At the same time, such functionality increases the risk of accidental data removal. Even though deleting records in Microsoft Dynamics 365 can still be reverted with the disaster-recovery tool, this option is rather time-consuming and can disrupt the workflow.

To avoid such an undesired scenario, it is highly recommended to replace the delete permission with record deactivation. Deactivation does not remove records; it hides them from the list a user is viewing. As a result, the person will not be confused by irrelevant data, while it remains possible to check the records before you decide they should be completely erased from the system.
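
As an added example (not part of the original article and not Microsoft's code), the Python sketch below models the "most permissive role has the highest precedence" rule described under Build Hierarchy for Responsibilities and uses it to list which users end up with Delete and through which role, so those grants can be replaced with deactivation. The role names, users and privilege data are constructed for illustration; the access-level names are the ones shown in the Dynamics 365 role editor.

```python
# Access levels from narrowest to widest, as named in the role editor.
DEPTHS = ["None", "User", "Business Unit",
          "Parent: Child Business Units", "Organization"]
RANK = {name: i for i, name in enumerate(DEPTHS)}

# Constructed sample data: role -> {(table, privilege): access level}
ROLES = {
    "Baseline Staff": {("activity", "Read"): "User",
                       ("activity", "Write"): "User"},
    "Team Lead": {("activity", "Read"): "Business Unit",
                  ("account", "Read"): "Business Unit"},
    "Data Steward": {("account", "Delete"): "Organization",
                     ("activity", "Delete"): "User"},
}

# Constructed sample assignments: user -> roles held directly or via a team
ASSIGNMENTS = {
    "alice": ["Baseline Staff"],
    "bob": ["Baseline Staff", "Team Lead"],
    "carol": ["Baseline Staff", "Data Steward"],
}


def effective_access(role_names, roles=ROLES):
    """Return {(table, privilege): (level, granting_role)}; widest level wins."""
    result = {}
    for role in role_names:
        for key, level in roles[role].items():
            if level == "None":
                continue  # a role that grants nothing never narrows another role
            current = result.get(key)
            if current is None or RANK[level] > RANK[current[0]]:
                result[key] = (level, role)
    return result


def delete_findings(assignments=ASSIGNMENTS, roles=ROLES):
    """List (user, table, level, role) for every effective Delete privilege."""
    findings = []
    for user in sorted(assignments):
        effective = effective_access(assignments[user], roles)
        for (table, privilege), (level, role) in sorted(effective.items()):
            if privilege == "Delete":
                findings.append((user, table, level, role))
    return findings


if __name__ == "__main__":
    for name, held in ASSIGNMENTS.items():
        print(name, effective_access(held))
    for finding in delete_findings():
        print("review Delete grant:", finding)
```

Because the widest level always wins, removing Delete from one role only helps if no other role held by the same user still grants it, which is why the report names the granting role.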
