1. Data Management
  2. Security and Compliance Studio
  3. Manage security

Manage security requests

Use security requests to register any required changes in the security setup.

You can create a security request in these ways:
  • As a system user, you can create a security request from any page.
  • In Security and compliance studio, you can create security requests from the Security management workspace.
Usually, a security request is approved by the security manager and implemented by the security administrator.


Security administrator Security administrator The security administrator (SysSecSecurityAdministrator) maintains user and security setup in D365 F&SCM, grants the ability to create and maintain security roles, duties, and privileges and the ability to assign users to roles, define role assignment rules, and maintain data security policies. Security manager Security manager Security request user Security request user The security request user (DSMSecurityRequestUser) creates security requests to register any required changes in the security setup. As a Security request user, you can create a security request from any page. Start Start Create security request from any page Create security request from any page Use security requests to register any required changes in the security setup. As a user, you can create a security request from any page. You can only do so if the 'Security request user' role is assigned to your user setup.Security request typeFor each security request type, a different type-specific section is added to the Security request page. In this section, fill in or add the required type-specific information.This table shows the available security request types, for each type the related section, and a description of what to do in this section (see step 10):TypeType-specific sectionDescriptionGeneral-Request a security configuration change that is not related to any of the types.Create userCreate usersRequest the creation of a user.Add the desired roles for the user. To each role, assign the companies in which the user has the role. You can assign:All organizations: The user has the role in all existing companies.Specific organizations: You can select specific companies from all legal entities or from the organization hierarchies.You can set the From date and To date fields to define the period when the user must be active. When approved, the user is created but is only active in the defined period. Once the defined period is over, the user is automatically deactivated.Assign role to userAssign roles to userRequest to add one or more roles to an existing user.To each role, assign the companies in which the user has the role. You can assign:All organizations: The user has the role in all existing companies.Specific organizations: You can select specific companies from all legal entities or from the organization hierarchies..You can set the From date and To date fields to define the period when the role must be assigned to the user. When approved, the role is only assigned in the defined period. Once the defined period is over, the role is automatically removed.Remove role from userRemove roles from userRequest to remove one or more roles from an existing user.You can set the From date and To date fields to define the period when the role must be removed from the user. When approved, the role is only removed in the defined period. Once the defined period is over, the role is automatically re-assigned.Disable userDisable usersRequest to disable one or more existing users.You can set the From date and To date fields to define the period when the user must be disabled. When approved, the user is only disabled in the defined period. Once the defined period is over, the user is automatically re-enabled.Enable userEnable usersRequest to enable one or more existing users.You can set the From date and To date fields to define the period when the user must be enabled. When approved, the user is only enabled in the defined period. Once the defined period is over, the user is automatically disabled.Delete userDelete usersRequest to delete one or more existing users.Create roleCreate roleRequest to create a role.Use a security scenario to indicate all securable objects and related access levels that are required for the role to perform one or more tasks. You can select an existing scenario or upload a task recording that defines the scenario.Modify roleModify roleRequest to modify one or more roles.For each role, you can use a security scenario to indicate all securable objects and related access levels that are required for the role to perform one or more tasks. You can select an existing scenario or upload a task recording that defines the scenario.Lock roleLock rolesRequest to lock one or more roles.Unlock roleUnlock rolesRequest to unlock one or more roles.Delete roleDelete roleRequest to delete one or more roles.Create ruleEnhanced SoD rulesRequest to create one or more enhanced segregation of duties rules.Resolve conflictEnhanced SoD conflictsRequest to solve one or more enhanced segregation of duties conflicts.Delete ruleDelete enhanced SoD ruleRequest to delete one or more enhanced segregation of duties rules.Add stand-inCreate stand-inRequest to appoint a stand-in for one or more users for a specified period. You can request a stand-in for yourself or for another user.You can select which roles to assign to a stand-in user instead of automatically assigning all roles of the primary user. You can assign specific roles to limit security risks and only assign the necessary roles to the stand-in user. In the Create stand-in section, click Assign roles, and choose which of the primary user’s roles to assign to the stand-in user. You can only select roles that are not yet assigned to the stand-in.Cancel stand-inRemove stand-inRequest to remove a stand-in appointment for one or more users for a specified period. You can request to cancel a stand-in for yourself or for another user.Create business riskCreate business riskRequest to add an operational risk for your company.You can link the risk to enhanced segregation of duties rules. Procedure 1. Go to Accounts payable > Purchase orders > All purchase orders. 2. Click the Settings button and click My security requests. 3. Click New. 4. In the Request field, type a value. Note: The Request ID is usually generated from the number sequence set in the Security and compliance studio parameters. If no number sequence is set, you must manually enter the Request ID. After saving, you cannot edit the Request ID. 5. In the Type field, select an option. 6. In the Origin field, select an option. 7. In the Area field, enter or select a value. 8. Expand the Status section. 9. In the Priority field, select an option. 10. For each security request type, a different type-specific section is added to the Security request page. For more information, refer to the table in the topic description. In the type-specific section, fill in or add the required information. Note: For type 'General', no type-specific section is added. 11. In the Description section, enter a description of the security request. 12. Sub-task: Define applicable period. 13. Expand the Details section. 14. In the Start date field, enter a date. 15. In the End date field, enter a date. 16. In the External reference field, type a value. 17. Close the page. 18. Close the page. Notes For several security request types, you can set a From date and To date to define the period when the requested security setup change is valid.When the request is approved:If the defined period starts in the future, the Implement approved security requests batch job applies the change on the From date.If the defined period has already started, the change is applied immediately.The Implement approved security requests batch job undoes the change on the To date.Note: The Implement approved security requests batch job is configured and started automatically when you install Security and Compliance Studio. Submit security request for approval Submit security request for approval As a security request user, you can create a security request from any page. Usually, the security manager must approve a security request.Once you have completed the security request creation, submit the security request for approval.How the approval process is done depends on the setup:An approval workflow is active: You submit the security request to the approval workflow.No approval workflow is active: You manually assign the security request to a security manager for approval. Procedure 1. Click the Settings button and click My security requests. Note: You can open the My security requests page from any page. It always shows all security requests of which you are the owner. 2. Sub-task: Submit security request to approval workflow. 3. In the list, find and select the desired security request. 4. Click Workflow. 5. Click Submit. 6. On the dialog, click Submit. 7. Sub-task: Manually assign security request to security manager. 8. In the list, find and select the desired security request. 9. Click Owner to open the drop dialog. 10. In the list, find and select the desired security manager. 11. Click OK. 12. Click Status. 13. Click Waiting. 14. Close the page. Notes To use a workflow for the security request approval process, make sure the workflow:Is created.Is of type DSMSecurityRequestWorkflowType.Has an active version.To manage the security request workflow, go to Security and compliance > Setup > Security and compliance workflows. The Security and compliance workflows page is the standard D365 F&SCM Workflows page but filtered for the Security and compliance studio workflows. Create security request in Security and compliance studio Create security request in Security and compliance studio  As a security administrator, use security requests to register any required changes in the security setup. In Security and compliance studio, you can create security requests from the Security management workspace.Security request typeFor each security request type, a different type-specific section is added to the Security request page. In this section, fill in or add the required type-specific information.This table shows the available security request types, for each type the related section, and a description of what to do in this section (see step 9):TypeType-specific sectionDescriptionGeneral-Request a security configuration change that is not related to any of the types.Create userCreate usersRequest the creation of a user.Add the desired roles for the user. To each role, assign the companies in which the user has the role. You can assign:All organizations: The user has the role in all existing companies.Specific organizations: You can select specific companies from all legal entities or from the organization hierarchies.You can set the From date and To date fields to define the period when the user must be active. When approved, the user is created but is only active in the defined period. Once the defined period is over, the user is automatically deactivated.Assign role to userAssign roles to userRequest to add one or more roles to an existing user.To each role, assign the companies in which the user has the role. You can assign:All organizations: The user has the role in all existing companies.Specific organizations: You can select specific companies from all legal entities or from the organization hierarchies..You can set the From date and To date fields to define the period when the role must be assigned to the user. When approved, the role is only assigned in the defined period. Once the defined period is over, the role is automatically removed.Remove role from userRemove roles from userRequest to remove one or more roles from an existing user.You can set the From date and To date fields to define the period when the role must be removed from the user. When approved, the role is only removed in the defined period. Once the defined period is over, the role is automatically re-assigned.Disable userDisable usersRequest to disable one or more existing users.You can set the From date and To date fields to define the period when the user must be disabled. When approved, the user is only disabled in the defined period. Once the defined period is over, the user is automatically re-enabled.Enable userEnable usersRequest to enable one or more existing users.You can set the From date and To date fields to define the period when the user must be enabled. When approved, the user is only enabled in the defined period. Once the defined period is over, the user is automatically disabled.Delete userDelete usersRequest to delete one or more existing users.Create roleCreate roleRequest to create a role.Use a security scenario to indicate all securable objects and related access levels that are required for the role to perform one or more tasks. You can select an existing scenario or upload a task recording that defines the scenario.Modify roleModify roleRequest to modify one or more roles.For each role, you can use a security scenario to indicate all securable objects and related access levels that are required for the role to perform one or more tasks. You can select an existing scenario or upload a task recording that defines the scenario.Lock roleLock rolesRequest to lock one or more roles.Unlock roleUnlock rolesRequest to unlock one or more roles.Delete roleDelete roleRequest to delete one or more roles.Create ruleEnhanced SoD rulesRequest to create one or more enhanced segregation of duties rules.Resolve conflictEnhanced SoD conflictsRequest to solve one or more enhanced segregation of duties conflicts.Delete ruleDelete enhanced SoD ruleRequest to delete one or more enhanced segregation of duties rules.Add stand-inCreate stand-inRequest to appoint a stand-in for one or more users for a specified period. You can request a stand-in for yourself or for another user.You can select which roles to assign to a stand-in user instead of automatically assigning all roles of the primary user. You can assign specific roles to limit security risks and only assign the necessary roles to the stand-in user. In the Create stand-in section, click Assign roles, and choose which of the primary user’s roles to assign to the stand-in user. You can only select roles that are not yet assigned to the stand-in.Cancel stand-inRemove stand-inRequest to remove a stand-in appointment for one or more users for a specified period. You can request to cancel a stand-in for yourself or for another user.Create business riskCreate business riskRequest to add an operational risk for your company.You can link the risk to enhanced segregation of duties rules. Procedure 1. Click Security management. 2. On the Requests tab, click New. 3. In the Request field, type a value. Note: The Request ID is usually generated from the number sequence set in the Security and compliance studio parameters. If no number sequence is set, you must manually enter the Request ID. After saving, you cannot edit the Request ID. 4. In the Type field, select an option. 5. In the Origin field, select an option. 6. In the Area field, enter or select a value. 7. Expand the Status section. 8. In the Priority field, select an option. 9. For each security request type, a different type-specific section is added to the Security request page. For more information, refer to the table in the topic description. In the type-specific section, fill in or add the required information. Note: For type 'General', no type-specific section is added. 10. In the Description section, enter a description of the security request. 11. Sub-task: Define applicable period. 12. Expand the Details section. 13. In the Start date field, enter a date. 14. In the End date field, enter a date. 15. In the External reference field, type a value. 16. Close the page. Notes You can also create a security request for a specific record from the Security requests FactBox on several Security management pages:Stand-inTable security recordingScenarioSegregation of duties rulesUsersLocked security role For several security request types, you can set a From date and To date to define the period when the requested security setup change is valid.When the request is approved:If the defined period starts in the future, the Implement approved security requests batch job applies the change on the From date.If the defined period has already started, the change is applied immediately.The Implement approved security requests batch job undoes the change on the To date.Note: The Implement approved security requests batch job is configured and started automatically when you install Security and Compliance Studio. Submit security request for approval Submit security request for approval As a security administrator, you can create a security request from the Security management workspace. Usually, a security request is approved by the security manager. Once you have completed the security request creation, submit the security request for approval. How the approval process is done, depends on the setup: An approval workflow is active: You submit the security request to the approval workflow. No approval workflow is active: You manually assign the security request to a security manager for approval. Procedure 1. Click Security management. 2. Sub-task: Submit security request to approval workflow. 3. On the Requests tab, in the list, click the link of the desired security request. 4. Click Workflow. 5. Click Submit. 6. On the dialog, click Submit. 7. Close the page. 8. Sub-task: Manually assign security request to security manager. 9. On the Requests tab, in the list, click the link of the desired security request. 10. Click Owner to open the drop dialog. 11. In the list, find and select the desired security manager. 12. Click OK. 13. Click Status. 14. Click Waiting. 15. Close the page. Notes To use a workflow for the security request approval process, make sure the workflow: Is created. Is of type DSMSecurityRequestWorkflowType. Has an active version. To manage the security request workflow, go to Security and compliance > Setup > Security and compliance workflows. The Security and compliance workflows page is the standard D365 F&SCM Workflows page, but filtered for the Security and compliance studio workflows. Approve security request Approve security request Usually, a security manager must approve the security request before it is implemented.How the approval process is done depends on the setup:An approval workflow is active: Approve the security request using the approval workflow.No approval workflow is active: Manually approve the security request.When you review the security request, on the Security requests page, on the Action Pane, on the Requests tab, you can:View the related record, if defined.Change the priority.Once approved, the security request is implemented automatically.If dynamic snapshots are enabled, the implemented security configuration changes are updated automatically in the latest snapshot. Procedure 1. Click Security management. 2. On the Requests tab, in the list, click the link of the desired security request. 3. Sub-task: Approve using approval workflow. 4. Click Workflow. 5. Click the desired action that defines the next workflow step and status. For example, click Approve. 6. On the dialog, in the Enter a comment field, type a value. 7. Click OK. Note: On approval, a segregation of duties (enhanced) validation is done. If a conflict is found, the request is not approved. Depending on the workflow setup, the request status is set to 'Change request' or 'Cancelled'. To continue with the request, resolve the conflict. 8. Sub-task: Approve manually. 9. Click Status. 10. Click Review. 11. Click Status. 12. Click the desired status, for example, Approved. Note: If you need, for example, additional information on the security request, you can reject or re-open it. Also, change the ownership to the Created by user. The Created by user can make changes to the security request only if the status is Open or Rejected. On approval, a segregation of duties (enhanced) validation is done. If a conflict is found, the request is not approved. To continue with the request, resolve the conflict. 13. Close the page. Notes From/to dateFor several security request types, you can set a From date and To date to define the period when the requested security setup change is valid.When the request is approved:If the defined period starts in the future, the Implement approved security requests batch job applies the change on the From date.If the defined period has already started, the change is applied immediately.The Implement approved security requests batch job undoes the change on the To date.Note: The Implement approved security requests batch job is configured and started automatically when you install Security and Compliance Studio.Notification emailIf you approve a security request of type ‘Assign role to user’, and the assigned role gives access to sensitive data, a notification email is sent based on the Sensitive role notification setup. The email is sent to the relevant user and, if defined, to other users as well.Note: If no applicable notification setup exists, no email is sent. End End

Activities

Name Responsible Description

Create security request from any page

Security request user

Use security requests to register any required changes in the security setup. As a user, you can create a security request from any page. You can only do so if the 'Security request user' role is assigned to your user setup.

Security request type

For each security request type, a different type-specific section is added to the Security request page. In this section, fill in or add the required type-specific information.

This table shows the available security request types, for each type the related section, and a description of what to do in this section (see step 10):

TypeType-specific sectionDescription
General-Request a security configuration change that is not related to any of the types.
Create userCreate users

Request the creation of a user.
Add the desired roles for the user. To each role, assign the companies in which the user has the role. You can assign:

  • All organizations: The user has the role in all existing companies.
  • Specific organizations: You can select specific companies from all legal entities or from the organization hierarchies.

You can set the From date and To date fields to define the period when the user must be active. When approved, the user is created but is only active in the defined period. Once the defined period is over, the user is automatically deactivated.

Assign role to userAssign roles to user

Request to add one or more roles to an existing user.

To each role, assign the companies in which the user has the role. You can assign:

  • All organizations: The user has the role in all existing companies.
  • Specific organizations: You can select specific companies from all legal entities or from the organization hierarchies..

You can set the From date and To date fields to define the period when the role must be assigned to the user. When approved, the role is only assigned in the defined period. Once the defined period is over, the role is automatically removed.

Remove role from userRemove roles from user

Request to remove one or more roles from an existing user.

You can set the From date and To date fields to define the period when the role must be removed from the user. When approved, the role is only removed in the defined period. Once the defined period is over, the role is automatically re-assigned.

Disable userDisable users

Request to disable one or more existing users.

You can set the From date and To date fields to define the period when the user must be disabled. When approved, the user is only disabled in the defined period. Once the defined period is over, the user is automatically re-enabled.

Enable userEnable users

Request to enable one or more existing users.

You can set the From date and To date fields to define the period when the user must be enabled. When approved, the user is only enabled in the defined period. Once the defined period is over, the user is automatically disabled.

Delete userDelete usersRequest to delete one or more existing users.
Create roleCreate roleRequest to create a role.
Use a security scenario to indicate all securable objects and related access levels that are required for the role to perform one or more tasks. You can select an existing scenario or upload a task recording that defines the scenario.
Modify roleModify roleRequest to modify one or more roles.
For each role, you can use a security scenario to indicate all securable objects and related access levels that are required for the role to perform one or more tasks. You can select an existing scenario or upload a task recording that defines the scenario.
Lock roleLock rolesRequest to lock one or more roles.
Unlock roleUnlock rolesRequest to unlock one or more roles.
Delete roleDelete roleRequest to delete one or more roles.
Create ruleEnhanced SoD rulesRequest to create one or more enhanced segregation of duties rules.
Resolve conflictEnhanced SoD conflictsRequest to solve one or more enhanced segregation of duties conflicts.
Delete ruleDelete enhanced SoD ruleRequest to delete one or more enhanced segregation of duties rules.
Add stand-inCreate stand-in

Request to appoint a stand-in for one or more users for a specified period. You can request a stand-in for yourself or for another user.

You can select which roles to assign to a stand-in user instead of automatically assigning all roles of the primary user. You can assign specific roles to limit security risks and only assign the necessary roles to the stand-in user. In the Create stand-in section, click Assign roles, and choose which of the primary user’s roles to assign to the stand-in user. You can only select roles that are not yet assigned to the stand-in.

Cancel stand-inRemove stand-inRequest to remove a stand-in appointment for one or more users for a specified period. You can request to cancel a stand-in for yourself or for another user.
Create business riskCreate business risk

Request to add an operational risk for your company.

You can link the risk to enhanced segregation of duties rules.

Submit security request for approval

Security request user

As a security request user, you can create a security request from any page. Usually, the security manager must approve a security request.

Once you have completed the security request creation, submit the security request for approval.

How the approval process is done depends on the setup:

  • An approval workflow is active: You submit the security request to the approval workflow.
  • No approval workflow is active: You manually assign the security request to a security manager for approval.

Create security request in Security and compliance studio

Security administrator
 

As a security administrator, use security requests to register any required changes in the security setup. In Security and compliance studio, you can create security requests from the Security management workspace.

Security request type

For each security request type, a different type-specific section is added to the Security request page. In this section, fill in or add the required type-specific information.

This table shows the available security request types, for each type the related section, and a description of what to do in this section (see step 9):

TypeType-specific sectionDescription
General-Request a security configuration change that is not related to any of the types.
Create userCreate users

Request the creation of a user.
Add the desired roles for the user. To each role, assign the companies in which the user has the role. You can assign:

  • All organizations: The user has the role in all existing companies.
  • Specific organizations: You can select specific companies from all legal entities or from the organization hierarchies.

You can set the From date and To date fields to define the period when the user must be active. When approved, the user is created but is only active in the defined period. Once the defined period is over, the user is automatically deactivated.

Assign role to userAssign roles to user

Request to add one or more roles to an existing user.

To each role, assign the companies in which the user has the role. You can assign:

  • All organizations: The user has the role in all existing companies.
  • Specific organizations: You can select specific companies from all legal entities or from the organization hierarchies..

You can set the From date and To date fields to define the period when the role must be assigned to the user. When approved, the role is only assigned in the defined period. Once the defined period is over, the role is automatically removed.

Remove role from userRemove roles from user

Request to remove one or more roles from an existing user.

You can set the From date and To date fields to define the period when the role must be removed from the user. When approved, the role is only removed in the defined period. Once the defined period is over, the role is automatically re-assigned.

Disable userDisable users

Request to disable one or more existing users.

You can set the From date and To date fields to define the period when the user must be disabled. When approved, the user is only disabled in the defined period. Once the defined period is over, the user is automatically re-enabled.

Enable userEnable users

Request to enable one or more existing users.

You can set the From date and To date fields to define the period when the user must be enabled. When approved, the user is only enabled in the defined period. Once the defined period is over, the user is automatically disabled.

Delete userDelete usersRequest to delete one or more existing users.
Create roleCreate roleRequest to create a role.
Use a security scenario to indicate all securable objects and related access levels that are required for the role to perform one or more tasks. You can select an existing scenario or upload a task recording that defines the scenario.
Modify roleModify roleRequest to modify one or more roles.
For each role, you can use a security scenario to indicate all securable objects and related access levels that are required for the role to perform one or more tasks. You can select an existing scenario or upload a task recording that defines the scenario.
Lock roleLock rolesRequest to lock one or more roles.
Unlock roleUnlock rolesRequest to unlock one or more roles.
Delete roleDelete roleRequest to delete one or more roles.
Create ruleEnhanced SoD rulesRequest to create one or more enhanced segregation of duties rules.
Resolve conflictEnhanced SoD conflictsRequest to solve one or more enhanced segregation of duties conflicts.
Delete ruleDelete enhanced SoD ruleRequest to delete one or more enhanced segregation of duties rules.
Add stand-inCreate stand-in

Request to appoint a stand-in for one or more users for a specified period. You can request a stand-in for yourself or for another user.

You can select which roles to assign to a stand-in user instead of automatically assigning all roles of the primary user. You can assign specific roles to limit security risks and only assign the necessary roles to the stand-in user. In the Create stand-in section, click Assign roles, and choose which of the primary user’s roles to assign to the stand-in user. You can only select roles that are not yet assigned to the stand-in.

Cancel stand-inRemove stand-inRequest to remove a stand-in appointment for one or more users for a specified period. You can request to cancel a stand-in for yourself or for another user.
Create business riskCreate business risk

Request to add an operational risk for your company.

You can link the risk to enhanced segregation of duties rules.

Submit security request for approval

Security administrator

As a security administrator, you can create a security request from the Security management workspace. Usually, a security request is approved by the security manager.

Once you have completed the security request creation, submit the security request for approval.

How the approval process is done, depends on the setup:

  • An approval workflow is active: You submit the security request to the approval workflow.
  • No approval workflow is active: You manually assign the security request to a security manager for approval.

Approve security request

Security manager
Usually, a security manager must approve the security request before it is implemented.

How the approval process is done depends on the setup:

  • An approval workflow is active: Approve the security request using the approval workflow.
  • No approval workflow is active: Manually approve the security request.

When you review the security request, on the Security requests page, on the Action Pane, on the Requests tab, you can:

  • View the related record, if defined.
  • Change the priority.

Once approved, the security request is implemented automatically.

If dynamic snapshots are enabled, the implemented security configuration changes are updated automatically in the latest snapshot.

See also

Provide feedback