1. Data Management
  2. Security and Compliance Studio
  3. Flows

Explore security configuration
Activity Flow

You can explore the security configuration for:

  • Each level in the security configuration.
  • Each page in Dynamics 365 for Finance and Operations.
You can use this, for example, to see if you can lower the license type for a user to reduce license cost.
The security explorer gets the security configuration data from the latest snapshot.

Security administrator Security administrator The security administrator (SysSecSecurityAdministrator) maintains user and security setup in D365 F&SCM, grants the ability to create and maintain security roles, duties, and privileges and the ability to assign users to roles, define role assignment rules, and maintain data security policies. Start Start Is the  latest snapshot up-to-date? Is the  latest snapshot up-to-date? Create snapshot Create snapshot You create snapshots to be able to use Security and compliance studio functions, for example: Security explorer Match roles Compare snapshots Security role wizard Snapshot A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of: All securable objects: roles, duties, privileges, and entry points, with the related license type and access level. The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point. Snapshot creation You create a snapshot in these cases: The first time you want to explore the security configuration or match roles. Changes are made to the security configuration. So, these changes become available for the security explorer or match roles function. You want to compare the current security configuration with a previous security configuration. You are advised to create snapshots: In batch, if you frequently make changes to the security configuration. In the background, because the creation of a snapshot can take quite some time. Dynamic snapshot In the Security and compliance studio parameters, you can use the 'Enable dynamic snapshots' field to enable automatic updates of security configuration changes to the latest snapshot. So, no new snapshot is required each time you change the security configuration. Automatic updates of security configuration changes to the latest snapshot are done when you, for example: Publish changes. Approve security requests. Update or create a role with the wizard. Import security configurations. Assign users to roles. Note: If yo use dynamic snapshots, you are advised to create a snapshot regularly. You do so to ensure that no security inconsistencies occur and to create a safety net, Procedure 1. Click Security management. 2. Click the Snapshots tab. 3. Click Create snapshot. 4. Sub-task: Set recurrence and background processing. 5. Expand the Run in the background section. 6. Select Yes in the Batch processing field and fill in the other batch fields as required. 7. Click Recurrence and define the recurrence settings. 8. Click OK. 9. Click OK. Is the license information  on the latest snapshot  up-to-date? Is the license information  on the latest snapshot  up-to-date? Refresh licenses Refresh licenses The licensing model of D365 F&SCM has changed. Previously, for D365 F&SCM, these license types were available: Operations Activity user Team member Currently, the previous Operations license type is split into these base license types: Commerce Finance Human resources Project operations SCM Each full user must have a base license. And if required, for each user, you can add these attach licenses: Commerce Finance Human resources Project operations SCM To show the latest license usage data, first, refresh the licenses on the Security explorer. The license usage data is refreshed based on the latest snapshot of the security configuration. On the All users tab and Full users tab, the New license type field is shown next to the User license field. The new license types can be shown in these formats: One license type: Only the shown base license is required. Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM. Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail. Any base license: Any of the base licenses is required. It doesn't matter which one. To show the required new license types in Security and compliance studio, refresh the new license type information. The new license types are refreshed based on the latest snapshot of the security configuration. As a result, the applicable new license types are retrieved and shown in the Security explorer for each of these securable objects: Users Roles Duties Privileges Entry points Also, on other forms, the new license types are filled after refreshing the licenses. The New license type field is shown on each form where the User license field is shown. The new license types can be shown in these formats: One license type: Only the shown base license is required. Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM. Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail. Any base license: Any of the base licenses is required. It doesn't matter which one. Procedure 1. Click License optimization. 2. Click the Security explorer tile. 3. Click Refresh licenses. 4. Sub-task: Refresh licenses in batch. 5. Expand the Run in the background section. 6. Select Yes in the Batch processing field and fill in the other batch fields as required. 7. Click Recurrence and define the recurrence settings. 8. Click OK. 9. Click OK. Notes The previous D365 FO license types are still shown in the User license type field. The user license type is filled automatically. So, it is not related to Refresh licenses function. How to explore the  security configuration? How to explore the  security configuration? Explore security configuration in Security and compliance studio Explore security configuration in Security and compliance studio You can, for each level in the security configuration, explore the related references. You can use this, for example, to see if you can lower the license type for a user to reduce license cost. For example, for a pinned duty, you can explore: The related roles. The users that are assigned to these roles. The related privileges. The entry points of these privileges. For the pinned level, the references with the highest user license type are highlighted. You can set the highlight color in the Security and compliance studio parameters. The license type of each reference is indicated with a colored dot: Red dot - Operations Orange dot - Activity users Gray dot - None No dot - Team members You can open the Security explorer from several places in the Security and compliance studio: License optimization workspace: Security explorer tile, All users tab, Full users tab, Activity users tab, and Team members tab Security management workspace: Security explorer tile, Roles tab, and Users tab.Security audit workspace: Security explorer tile, Role history tab, and User history tab In this procedure, it is opened from the License optimization workspace, Security explorer tile.  Procedure 1. Click License optimization. 2. Click Security explorer. 3. In the Duties pane explore the available duties. 4. In the list, find and select the desired record. 5. Click Pin duty. 6. In the Roles pane, explore the roles that are related to the pinned duty. 7. In the list, find and select the desired record. 8. In the Users pane, explore the users that are assigned to the selected role. 9. In the Privileges pane, explore the privileges that are part of the pinned duty. 10. In the list, find and select the desired record. 11. In the Entry points pane, explore the entry points that are part of the selected privilege. These entry point types are included: - DataEntity - Menu item action - Menu item display - Menu item output - Source operation - Table 12. Click Reset pins. 13. Click Advanced view. 14. Close the page. Explore security configuration for any Dynamics 365 for Finance and Operations page Explore security configuration for any Dynamics 365 for Finance and Operations page You can explore the security configuration for any page in Dynamics 365 for Finance and Operations. You can use this, for example, to see if you can lower the license type for a user to reduce license cost. Each page can have several securable objects. For a selected securable object of a page, you can explore the related references. For example, if the selected object is of type Duty, you can explore: The related roles. The users that are assigned to these roles. The related privileges. The entry points of these privileges. For the pinned level, the references with the highest user license type are highlighted. You can set the highlight color in the Security and compliance studio parameters. The license type of each reference is indicated with a colored dot: Red dot - Operations Orange dot - Activity users Gray dot - None No dot - Team members You can open the security explorer for any page. In this procedure, it is opened from the Sales order processing and inquiry workspace. Procedure 1. Click Sales order processing and inquiry. 2. On the Action Pane, click Options. 3. Click Security diagnostics. 4. In the list, find and select the desired record. 5. Click Explore and review the related references for the selected securable object. Note: The selected securable object is shown as pinned. 6. Click Advanced view. Analyze security explorer  data in Microsoft Excel? Analyze security explorer  data in Microsoft Excel? Export security explorer data to Microsoft Excel Export security explorer data to Microsoft Excel You can export security explorer data to a Microsoft Excel file for further analysis.You can choose to export:All data of the security explorer.Only the related references of a pinned securable object in the security configuration.For example, for a pinned duty, you can export:The related roles.The users that are assigned to these roles.The related privileges.The entry points of these privileges. Procedure 1. Click License optimization. 2. Click Security explorer. 3. In the Duties pane, in the list, find and select the desired record. 4. Click Pin duty. 5. Click Advanced view. 6. Click Export to Excel. Note: As a result, the data is exported to a Microsoft Excel file. The file is downloaded to your downloads folder from where you can open it. If you pinned a securable object before you exported the data, it is shown in red in the Microsoft Excel file. 7. Close the page. End End View full security configuration View full security configuration You can view the full security configuration. This includes, for example, all: Roles Duties Privileges Entry points Access rights Users For each unique combination of security elements, a separate record is shown on the page. Procedure 1. Go to Security and compliance > Inquiries > Security user role data. 2. To view the security elements without identifiers, click Simple view. 3. To view the security elements with identifiers, click Advanced view. 4. Close the page. Notes You can export the security configuration (or a part of it) to Microsoft Excel. To do so, click Open in Microsoft Office and click the desired options to complete the export. No Yes No Yes Security and  compliance  studio Any page View full  configuration Yes No

Activities

Name Responsible Description

Create snapshot

Security administrator

You create snapshots to be able to use Security and compliance studio functions, for example:

  • Security explorer
  • Match roles
  • Compare snapshots
  • Security role wizard

Snapshot

A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:
  • All securable objects: roles, duties, privileges, and entry points, with the related license type and access level.
  • The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point.

Snapshot creation

You create a snapshot in these cases:

  • The first time you want to explore the security configuration or match roles.
  • Changes are made to the security configuration. So, these changes become available for the security explorer or match roles function.
  • You want to compare the current security configuration with a previous security configuration.

You are advised to create snapshots:

  • In batch, if you frequently make changes to the security configuration.
  • In the background, because the creation of a snapshot can take quite some time.

Dynamic snapshot

In the Security and compliance studio parameters, you can use the 'Enable dynamic snapshots' field to enable automatic updates of security configuration changes to the latest snapshot. So, no new snapshot is required each time you change the security configuration.

Automatic updates of security configuration changes to the latest snapshot are done when you, for example:

  • Publish changes.
  • Approve security requests.
  • Update or create a role with the wizard.
  • Import security configurations.
  • Assign users to roles.

Note: If yo use dynamic snapshots, you are advised to create a snapshot regularly. You do so to ensure that no security inconsistencies occur and to create a safety net,

Refresh licenses

Security administrator

The licensing model of D365 F&SCM has changed. Previously, for D365 F&SCM, these license types were available:

  • Operations
  • Activity user
  • Team member
Currently, the previous Operations license type is split into these base license types:
  • Commerce
  • Finance
  • Human resources
  • Project operations
  • SCM
Each full user must have a base license. And if required, for each user, you can add these attach licenses:
  • Commerce
  • Finance
  • Human resources
  • Project operations
  • SCM
To show the latest license usage data, first, refresh the licenses on the Security explorer. The license usage data is refreshed based on the latest snapshot of the security configuration.
On the All users tab and Full users tab, the New license type field is shown next to the User license field. The new license types can be shown in these formats:
  • One license type: Only the shown base license is required.
  • Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM.
  • Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail.
  • Any base license: Any of the base licenses is required. It doesn't matter which one.
To show the required new license types in Security and compliance studio, refresh the new license type information. The new license types are refreshed based on the latest snapshot of the security configuration.
As a result, the applicable new license types are retrieved and shown in the Security explorer for each of these securable objects:
  • Users
  • Roles
  • Duties
  • Privileges
  • Entry points
Also, on other forms, the new license types are filled after refreshing the licenses. The New license type field is shown on each form where the User license field is shown.
The new license types can be shown in these formats:
  • One license type: Only the shown base license is required.
  • Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM.
  • Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail.
  • Any base license: Any of the base licenses is required. It doesn't matter which one.

Explore security configuration in Security and compliance studio

Security administrator
You can, for each level in the security configuration, explore the related references. You can use this, for example, to see if you can lower the license type for a user to reduce license cost.

For example, for a pinned duty, you can explore:
  • The related roles.
  • The users that are assigned to these roles.
  • The related privileges.
  • The entry points of these privileges.
For the pinned level, the references with the highest user license type are highlighted. You can set the highlight color in the Security and compliance studio parameters.

The license type of each reference is indicated with a colored dot:
  • Red dot - Operations
  • Orange dot - Activity users
  • Gray dot - None
  • No dot - Team members
You can open the Security explorer from several places in the Security and compliance studio:
  • License optimization workspace: Security explorer tile, All users tab, Full users tab, Activity users tab, and Team members tab
  • Security management workspace: Security explorer tile, Roles tab, and Users tab.
  • Security audit workspace: Security explorer tile, Role history tab, and User history tab
In this procedure, it is opened from the License optimization workspace, Security explorer tile. 

Explore security configuration for any Dynamics 365 for Finance and Operations page

Security administrator

 		You can explore the security configuration for any page in Dynamics 365 for Finance and Operations. You can use this, for example, to see if you can lower the license type for a user to reduce license cost.

Each page can have several securable objects. For a selected securable object of a page, you can explore the related references. For example, if the selected object is of type Duty, you can explore:
  • The related roles.
  • The users that are assigned to these roles.
  • The related privileges.
  • The entry points of these privileges.
For the pinned level, the references with the highest user license type are highlighted. You can set the highlight color in the Security and compliance studio parameters.

The license type of each reference is indicated with a colored dot:
  • Red dot - Operations
  • Orange dot - Activity users
  • Gray dot - None
  • No dot - Team members
You can open the security explorer for any page. In this procedure, it is opened from the Sales order processing and inquiry workspace.

Export security explorer data to Microsoft Excel

Security administrator

 		You can export security explorer data to a Microsoft Excel file for further analysis.
You can choose to export:
  • All data of the security explorer.
  • Only the related references of a pinned securable object in the security configuration.
For example, for a pinned duty, you can export:
  • The related roles.
  • The users that are assigned to these roles.
  • The related privileges.
  • The entry points of these privileges.

View full security configuration

Security administrator

You can view the full security configuration.

This includes, for example, all:

  • Roles
  • Duties
  • Privileges
  • Entry points
  • Access rights
  • Users

For each unique combination of security elements, a separate record is shown on the page.

Activities

Name Responsible Description

Create snapshot

Security administrator

You create snapshots to be able to use Security and compliance studio functions, for example:

  • Security explorer
  • Match roles
  • Compare snapshots
  • Security role wizard

Snapshot

A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:
  • All securable objects: roles, duties, privileges, and entry points, with the related license type and access level.
  • The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point.

Snapshot creation

You create a snapshot in these cases:

  • The first time you want to explore the security configuration or match roles.
  • Changes are made to the security configuration. So, these changes become available for the security explorer or match roles function.
  • You want to compare the current security configuration with a previous security configuration.

You are advised to create snapshots:

  • In batch, if you frequently make changes to the security configuration.
  • In the background, because the creation of a snapshot can take quite some time.

Dynamic snapshot

In the Security and compliance studio parameters, you can use the 'Enable dynamic snapshots' field to enable automatic updates of security configuration changes to the latest snapshot. So, no new snapshot is required each time you change the security configuration.

Automatic updates of security configuration changes to the latest snapshot are done when you, for example:

  • Publish changes.
  • Approve security requests.
  • Update or create a role with the wizard.
  • Import security configurations.
  • Assign users to roles.

Note: If yo use dynamic snapshots, you are advised to create a snapshot regularly. You do so to ensure that no security inconsistencies occur and to create a safety net,

Refresh licenses

Security administrator

The licensing model of D365 F&SCM has changed. Previously, for D365 F&SCM, these license types were available:

  • Operations
  • Activity user
  • Team member
Currently, the previous Operations license type is split into these base license types:
  • Commerce
  • Finance
  • Human resources
  • Project operations
  • SCM
Each full user must have a base license. And if required, for each user, you can add these attach licenses:
  • Commerce
  • Finance
  • Human resources
  • Project operations
  • SCM
To show the latest license usage data, first, refresh the licenses on the Security explorer. The license usage data is refreshed based on the latest snapshot of the security configuration.
On the All users tab and Full users tab, the New license type field is shown next to the User license field. The new license types can be shown in these formats:
  • One license type: Only the shown base license is required.
  • Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM.
  • Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail.
  • Any base license: Any of the base licenses is required. It doesn't matter which one.
To show the required new license types in Security and compliance studio, refresh the new license type information. The new license types are refreshed based on the latest snapshot of the security configuration.
As a result, the applicable new license types are retrieved and shown in the Security explorer for each of these securable objects:
  • Users
  • Roles
  • Duties
  • Privileges
  • Entry points
Also, on other forms, the new license types are filled after refreshing the licenses. The New license type field is shown on each form where the User license field is shown.
The new license types can be shown in these formats:
  • One license type: Only the shown base license is required.
  • Several license types with plusses: All shown licenses are required. Use one of the shown licenses as base license and the other shown licenses as attached license. Example: Finance+SCM.
  • Several license types with forward slashes: One of the shown base licenses is required. No attached licenses are required. Example: Finance/SCM/Retail.
  • Any base license: Any of the base licenses is required. It doesn't matter which one.

Explore security configuration in Security and compliance studio

Security administrator
You can, for each level in the security configuration, explore the related references. You can use this, for example, to see if you can lower the license type for a user to reduce license cost.

For example, for a pinned duty, you can explore:
  • The related roles.
  • The users that are assigned to these roles.
  • The related privileges.
  • The entry points of these privileges.
For the pinned level, the references with the highest user license type are highlighted. You can set the highlight color in the Security and compliance studio parameters.

The license type of each reference is indicated with a colored dot:
  • Red dot - Operations
  • Orange dot - Activity users
  • Gray dot - None
  • No dot - Team members
You can open the Security explorer from several places in the Security and compliance studio:
  • License optimization workspace: Security explorer tile, All users tab, Full users tab, Activity users tab, and Team members tab
  • Security management workspace: Security explorer tile, Roles tab, and Users tab.
  • Security audit workspace: Security explorer tile, Role history tab, and User history tab
In this procedure, it is opened from the License optimization workspace, Security explorer tile. 

Explore security configuration for any Dynamics 365 for Finance and Operations page

Security administrator

 		You can explore the security configuration for any page in Dynamics 365 for Finance and Operations. You can use this, for example, to see if you can lower the license type for a user to reduce license cost.

Each page can have several securable objects. For a selected securable object of a page, you can explore the related references. For example, if the selected object is of type Duty, you can explore:
  • The related roles.
  • The users that are assigned to these roles.
  • The related privileges.
  • The entry points of these privileges.
For the pinned level, the references with the highest user license type are highlighted. You can set the highlight color in the Security and compliance studio parameters.

The license type of each reference is indicated with a colored dot:
  • Red dot - Operations
  • Orange dot - Activity users
  • Gray dot - None
  • No dot - Team members
You can open the security explorer for any page. In this procedure, it is opened from the Sales order processing and inquiry workspace.

Export security explorer data to Microsoft Excel

Security administrator

 		You can export security explorer data to a Microsoft Excel file for further analysis.
You can choose to export:
  • All data of the security explorer.
  • Only the related references of a pinned securable object in the security configuration.
For example, for a pinned duty, you can export:
  • The related roles.
  • The users that are assigned to these roles.
  • The related privileges.
  • The entry points of these privileges.

View full security configuration

Security administrator

You can view the full security configuration.

This includes, for example, all:

  • Roles
  • Duties
  • Privileges
  • Entry points
  • Access rights
  • Users

For each unique combination of security elements, a separate record is shown on the page.
Related to Notes

Monitor license usage per license type

 		 

Explore security configuration

 		 

Provide feedback