1. Data Management
  2. Security and Compliance Studio
  3. Audit security

Manage snapshots

A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:

  • All securable objects: roles, duties, privileges, and entry points, with the related license type and access level.
  • The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point.

The snapshot functionality is introduced to improve the performance of several Security and compliance studio features.

The latest snapshot is the security configuration that, for example, is used to:
  • Explore the security configuration.
  • Match roles.
  • Refresh the new license type information.
  • Create and edit roles with the Security role wizard.
You can also compare snapshots to review the changes made between two snapshot versions.
As snapshots can consist of a lot of data. Keeping many snapshots can slow performance. To avoid this, you can set up automatic clean-up of snapshots. As a result, older snapshots are deleted according to defined rules.


Security administrator Security administrator The security administrator (SysSecSecurityAdministrator) maintains user and security setup in D365 F&SCM, grants the ability to create and maintain security roles, duties, and privileges and the ability to assign users to roles, define role assignment rules, and maintain data security policies. Security auditor Security auditor Create snapshot Create snapshot You create snapshots to be able to use Security and compliance studio functions, for example: Security explorer Match roles Compare snapshots Security role wizard Snapshot A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of: All securable objects: roles, duties, privileges, and entry points, with the related license type and access level. The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point. Snapshot creation You create a snapshot in these cases: The first time you want to explore the security configuration or match roles. Changes are made to the security configuration. So, these changes become available for the security explorer or match roles function. You want to compare the current security configuration with a previous security configuration. You are advised to create snapshots: In batch, if you frequently make changes to the security configuration. In the background, because the creation of a snapshot can take quite some time. Dynamic snapshot In the Security and compliance studio parameters, you can use the 'Enable dynamic snapshots' field to enable automatic updates of security configuration changes to the latest snapshot. So, no new snapshot is required each time you change the security configuration. Automatic updates of security configuration changes to the latest snapshot are done when you, for example: Publish changes. Approve security requests. Update or create a role with the wizard. Import security configurations. Assign users to roles. Note: If yo use dynamic snapshots, you are advised to create a snapshot regularly. You do so to ensure that no security inconsistencies occur and to create a safety net, Procedure 1. Click Security management. 2. Click the Snapshots tab. 3. Click Create snapshot. 4. Sub-task: Set recurrence and background processing. 5. Expand the Run in the background section. 6. Select Yes in the Batch processing field and fill in the other batch fields as required. 7. Click Recurrence and define the recurrence settings. 8. Click OK. 9. Click OK. Refresh licenses Refresh licenses The licensing model of D365 F&SCM has changed. Previously, for D365 F&SCM, these license types were available: Operations Activity user Team member Currently, the previous Operations license type is split into these base license types: Commerce Finance Human resources Project operations SCM Each full user must have a base license. And if required, for each user, you can add these attach licenses: Commerce Finance Human resources Project operations SCM To show the latest license usage data, first, refresh the licenses on the Security explorer. The license usage data is refreshed based on the latest snapshot of the security configuration. On the All users tab and Full users tab, the New license type field is shown next to the User license field. The new license types can be shown in these formats: One license type: Only the shown base license is required. Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM. Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail. Any base license: Any of the base licenses is required. It doesn't matter which one. To show the required new license types in Security and compliance studio, refresh the new license type information. The new license types are refreshed based on the latest snapshot of the security configuration. As a result, the applicable new license types are retrieved and shown in the Security explorer for each of these securable objects: Users Roles Duties Privileges Entry points Also, on other forms, the new license types are filled after refreshing the licenses. The New license type field is shown on each form where the User license field is shown. The new license types can be shown in these formats: One license type: Only the shown base license is required. Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM. Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail. Any base license: Any of the base licenses is required. It doesn't matter which one. Procedure 1. Click License optimization. 2. Click the Security explorer tile. 3. Click Refresh licenses. 4. Sub-task: Refresh licenses in batch. 5. Expand the Run in the background section. 6. Select Yes in the Batch processing field and fill in the other batch fields as required. 7. Click Recurrence and define the recurrence settings. 8. Click OK. 9. Click OK. Notes The previous D365 FO license types are still shown in the User license type field. The user license type is filled automatically. So, it is not related to Refresh licenses function. Compare snapshots Compare snapshots You can compare snapshots to review the changes made between two snapshot versions. A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of: All securable objects: roles, duties, privileges, and entry points, with the related license type and access level. The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point.On creation of a snapshot, a full compare is done with the previous snapshot version. So, if you compare two subsequent snapshots, the Compared field is already set to Yes.You can also compare non-subsequent snapshot versions. If you do so for the first time, you can manually do a full compare or only compare selected records. Procedure 1. Click Security audit. 2. Click the Snapshots tab. 3. Sub-task: Compare subsequent snapshots. 4. In the list, find and select a snapshot. 5. In the list, find and select the next snapshot. 6. Click Compare. Note: Loading the snapshot data can take some time. 7. In the Select security object type field, select an option. 8. In the First snapshot pane, you can review the objects that are: - Changed (marked in blue) - Deleted (marked in red) For each changed object, you can review the changes in the Differences pane. In the list, find and select a changed object (marked in blue). Note: Click Show changes only to only have the changed, deleted, and added objects shown in the First snapshot grid and the Second snapshot grid. 9. In the Second snapshot pane, you can review the objects that are added (marked in green). 10. Sub-task: Compare non-subsequent snapshots. 11. In the First snapshot field, enter or select a snapshot. 12. In the Second snapshot field, enter or select a snapshot. Select a snapshot version later than but not next to the First snapshot. Note: If this is the first time that you compare these snapshots, in the first snapshot pane, the Compared field is empty. 13. In the First snapshot grid or in the Second snapshot grid, in the list, find and select the objects to be compared. 14. Click Compare selected. 15. You can also do a full compare. So, all objects of the selected snapshots are compared. Click Full compare. Note: A full compare can take some time. 16. Click OK. Start Start Delete snapshots Delete snapshots As a snapshot can consist of a lot of data, keeping many snapshots can slow performance. Therefore, you are advised to have a maximum of five snapshots.You can set up automatic clean-up of snapshots. As a result, older snapshots are deleted according to these rules: The value of the Limit number of snapshots field on the Security and compliance studio parameters. The number, as defined in this field, is the number of snapshots that is kept if you delete snapshots.The Protected check box for snapshots. The snapshots that are marked as protected are kept. On deletion, counting of snapshots to be kept starts with the latest snapshot, while protected snapshots are skipped in the count. The remaining older snapshots are deleted. No snapshots are deleted if the value of the Limit number of snapshots field is 0, or less than or equal to the number of snapshots. Example:In September 2018, eight snapshots are created, of which two are marked as protected. At the end of the month, you do your monthly snapshot clean-up.Limit number of snapshots = 3This table shows which snapshots are kept and which ones are deleted: Procedure 1. Click Security management. 2. Click the Snapshots tab. 3. Click Set up automatic deletion. 4. Sub-task: Set recurrence. 5. Expand the Run in the background section. 6. Select Yes in the Batch processing field and fill in the other batch fields as required. 7. Click Recurrence and define the recurrence settings. 8. Click OK. 9. Click OK. Snapshot comparison  required? Snapshot comparison  required? End End Yes No

Activities

Name Responsible Description

Create snapshot

Security administrator

You create snapshots to be able to use Security and compliance studio functions, for example:

  • Security explorer
  • Match roles
  • Compare snapshots
  • Security role wizard

Snapshot

A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:
  • All securable objects: roles, duties, privileges, and entry points, with the related license type and access level.
  • The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point.

Snapshot creation

You create a snapshot in these cases:

  • The first time you want to explore the security configuration or match roles.
  • Changes are made to the security configuration. So, these changes become available for the security explorer or match roles function.
  • You want to compare the current security configuration with a previous security configuration.

You are advised to create snapshots:

  • In batch, if you frequently make changes to the security configuration.
  • In the background, because the creation of a snapshot can take quite some time.

Dynamic snapshot

In the Security and compliance studio parameters, you can use the 'Enable dynamic snapshots' field to enable automatic updates of security configuration changes to the latest snapshot. So, no new snapshot is required each time you change the security configuration.

Automatic updates of security configuration changes to the latest snapshot are done when you, for example:

  • Publish changes.
  • Approve security requests.
  • Update or create a role with the wizard.
  • Import security configurations.
  • Assign users to roles.

Note: If yo use dynamic snapshots, you are advised to create a snapshot regularly. You do so to ensure that no security inconsistencies occur and to create a safety net,

Refresh licenses

Security administrator

The licensing model of D365 F&SCM has changed. Previously, for D365 F&SCM, these license types were available:

  • Operations
  • Activity user
  • Team member
Currently, the previous Operations license type is split into these base license types:
  • Commerce
  • Finance
  • Human resources
  • Project operations
  • SCM
Each full user must have a base license. And if required, for each user, you can add these attach licenses:
  • Commerce
  • Finance
  • Human resources
  • Project operations
  • SCM
To show the latest license usage data, first, refresh the licenses on the Security explorer. The license usage data is refreshed based on the latest snapshot of the security configuration.
On the All users tab and Full users tab, the New license type field is shown next to the User license field. The new license types can be shown in these formats:
  • One license type: Only the shown base license is required.
  • Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM.
  • Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail.
  • Any base license: Any of the base licenses is required. It doesn't matter which one.
To show the required new license types in Security and compliance studio, refresh the new license type information. The new license types are refreshed based on the latest snapshot of the security configuration.
As a result, the applicable new license types are retrieved and shown in the Security explorer for each of these securable objects:
  • Users
  • Roles
  • Duties
  • Privileges
  • Entry points
Also, on other forms, the new license types are filled after refreshing the licenses. The New license type field is shown on each form where the User license field is shown.
The new license types can be shown in these formats:
  • One license type: Only the shown base license is required.
  • Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM.
  • Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail.
  • Any base license: Any of the base licenses is required. It doesn't matter which one.

Compare snapshots

Security auditor

 		You can compare snapshots to review the changes made between two snapshot versions.
A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:
  • All securable objects: roles, duties, privileges, and entry points, with the related license type and access level.
  • The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point.
On creation of a snapshot, a full compare is done with the previous snapshot version. So, if you compare two subsequent snapshots, the Compared field is already set to Yes.
You can also compare non-subsequent snapshot versions. If you do so for the first time, you can manually do a full compare or only compare selected records.

Delete snapshots

Security administrator

 		As a snapshot can consist of a lot of data, keeping many snapshots can slow performance. Therefore, you are advised to have a maximum of five snapshots.
You can set up automatic clean-up of snapshots. As a result, older snapshots are deleted according to these rules:
  • The value of the Limit number of snapshots field on the Security and compliance studio parameters.
    The number, as defined in this field, is the number of snapshots that is kept if you delete snapshots.
  • The Protected check box for snapshots.
    The snapshots that are marked as protected are kept.
On deletion, counting of snapshots to be kept starts with the latest snapshot, while protected snapshots are skipped in the count. The remaining older snapshots are deleted.
No snapshots are deleted if the value of the Limit number of snapshots field is 0, or less than or equal to the number of snapshots.
Example:
In September 2018, eight snapshots are created, of which two are marked as protected. At the end of the month, you do your monthly snapshot clean-up.
Limit number of snapshots = 3
This table shows which snapshots are kept and which ones are deleted:

Provide feedback