top of page

Bottom-up approach for security configurations - Leveraging task recordings and BPM for analysis

Updated: Jun 17, 2021

Create and configure a UserID with no security role assigned: (one role without security access is required for analysis)

Navigate to BPM and create a new security library or copy RSAT library if applicable/possible: Add a task recording for each implemented process in D365FO broken down by task and user role. For each process in the security BPM library, assign client roles that will be performing the business process selected.

A user can now extract the BPM, if he/she wants to view role assignment per process in excel.

See excel extract below – see the client roles assigned to the process in the description field.

Security BPM Library - Extract
Download XLSX • 14KB

After BPM is fully built out, recordings are completed/uploaded for each process and client role assignments to each process are completed, start analysis in D365FO under Sysadmin/Security diagnostics for task recordings. Select Open from LCS.

Select Business process to analyze e.g. perform 3 way matching for purchase orders.

After that select the above userID that does not have a security role assigned yet.

Missing permissions are flagged.

Now, either go to reference and add privileges required to one custom duty manually or leverage DMF to update in bulk.

1. Manual assignment/creation:

Create custom duty under Sysadmin/Security configurations. Name it after the business process you are recording.

Publish security adjustments.

Perform analysis described above on the Sysadmin/Security diagnostics for task recordings form. Note: The add reference function on the analysis form only show OTB duties – thus we need to go through security configurations for assigning the privilege to the custom duty.

Add reference (privilege) to the custom duty created via security diagnostics form.

Repeat that for all menu item label show in the analysis form above and respectively add all duties required for this business process.

Analysis form:

End result – custom duty with all privileges assigned that are required for that specific process (bottom-up)

Now, create a custom role called the same than the client role (e.g. here buyer) and assign custom duty to custom buyer role.

Publish all changes.

2. Move security between environments and assignment via DMF:

Populate the following 3 entities and its resources folder and import via DMF to move security amongst environments or use “export/import data” button via UI on security configuration form:

- Security privilege metadata customizations entity

- Security duty metadata customizations entity

- Security role metadata customizations entity

Note: You need to adjust the xml file in the resources folder.

E.g. DMF import went successful:

See results in security configurations:

Assign the roles to a user - After doing so, the custom security role gives the most restricted access possible to JUST perform the tasks/steps recorded. You can assign custom and OTB security roles to users manually or via DMF. The DMF entities herefore are:

- User information

- Security user role association

- SystemSecurityUserRoleOrganizationEntity

See below manual assignment:

Voila! :)

Recent Posts

See All

Approvals in Microsoft Teams

Agenda: 1. Overview 2. Internal Educational Assistance Approvals via Teams 3. D365FO PO approval via Teams Approval Application 1. Overview Approvals in Microsoft Teams is an simple way to streamline


bottom of page