The presentation discusses how to automate security role assignments in Microsoft Dynamics 365 for Finance and Operations using Azure Active Directory groups. It covers importing Azure AD groups, defining rules for automatic role assignment based on group membership, and using advanced queries to customize the rules. Custom queries can extend the role assignments to additional data sources beyond the default user information. The automated assignments help ensure users have the correct permissions and organizations assigned based on their attributes in Azure AD and other systems.
1. Slide 1 of 32 (24/11/2019)
How to automate
security role assignments
Microsoft Dynamics 365 for Finance and Operations
(Microsoft Dynamics AX 2012)
2. Slide 2 of 32
Meet your presenter
▪ André Arnaud de Calavon
▪ Microsoft MVP Business applications
▪ Product Manager at To-Increase
▪ 1996-2001 Navision Financials
Microsoft Dynamics 365 Business Central
▪ 2001-2019 Damgaard Axapta
Microsoft Dynamics 365 for Finance and Operations
https://dynamicspedia.com
3. Slide 3 of 32
Session agenda
▪ Introduction
▪ Azure Active Directory groups
▪ Automatic role assignment
▪ How the basics work
▪ Advanced rules
▪ Extend with custom queries
▪ Simulate user groups concept from previous AX versions
4. Slide 4 of 32
Introduction
▪ Easy maintenance of user permissions
▪ Prevent incorrect role/organization assignments
▪ Azure Active Directory groups
▪ Automatic role assignment
5. Slide 5 of 32
Azure AD administration
▪ 3 administration portals
▪ AAD user authentication
▪ License assignment
▪ User group assignment
6. Slide 6 of 32
Dynamics 365 administration
▪ Automatic or manual user creation
▪ Configuration key Active Directory security group
▪ Groups setup
▪ Import from Azure AD
▪ Assign security roles
7. Slide 7 of 32
How AD groups work (1/2)
▪ Import groups
▪ User preferences
▪ Startup company
▪ Enabled
8. Slide 8 of 32
How AD groups work (2/2)
▪ Assign roles
▪ Assign organizations
▪ User preferences
▪ Language
▪ Time zone
▪ Calendar
10. Slide 10 of 32
Azure AD challenges in MSDyn365
▪ Naming convention user ID
▪ Segregation of Duties
▪ Workflow assignment
▪ Security reports
11. Slide 11 of 32
What is automatic role assignment?
▪ Define rules
▪ Role assignment automatically updated
▪ Frequency
▪ Periodically using batch framework
▪ Manually for incidental execution
▪ Batch framework
▪ Batch job created as part of your installation
▪ Set to ‘Withhold’ in demo environment > Change to ‘Waiting’
12. Slide 12 of 32
How the basics work (1/4)
▪ Create rule
13. Slide 13 of 32
How the basics work (2/4)
▪ Define query
14. Slide 14 of 32
How the basics work (3/4)
▪ Assign organizations
16. Slide 16 of 32
How the basics work (4/4)
▪ Automatic
▪ Manual
▪ Exclude
17. Slide 17 of 32
Advanced rules
▪ Advanced query editor
▪ Example: person setup as timesheet user
Project periods
18. Slide 18 of 32
Advanced queries - initial concept
[Diagram: Security Framework, Security Model, and HR and Organization Models. Elements shown include User, SecurityRole, Role, Duty, Privilege, Permission, ObjectPermission, SecurableObject, Operation, Process, Task, Service, Activity, Party, Person, Department, Job, Job Function, Responsibility, Position, Hierarchy, and SecurityRoleAssignmentRule («Query»).]
20. Slide 20 of 32
Extend with custom queries
▪ Base table
▪ UserInfo
▪ Other data sources
▪ No restrictions
▪ Relations
▪ Choose
▪ Define own
21. Slide 21 of 32
Extend with custom queries
▪ Example
22. Slide 22 of 32
Extend with custom queries
▪ How to do it?
[Diagram: data model for the custom query. Tables shown: UserInfo (PK id), DirPersonUser, HcmWorker, HcmPositionWorkerAssignment, HcmPositionHierarchy, HcmPosition, and HcmPositionHierarchyType (each with PK RecId). Fields shown include User, PersonParty, Person, PersonnelNumber, Position, Worker, ParentPosition, PositionId, PositionHierarchyType, HierarchyType, and ValidFrom/ValidTo.]
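An added example (not code from the presentation or from Dynamics 365) that models a position-based rule query rooted at UserInfo, together with the Automatic/Manual/Exclude states from slide 16, in plain Python. The join columns, the sample rows, the `AP-CLERK` position and the reconciliation behaviour are assumptions made for illustration.

```python
from datetime import date

END = date(2154, 12, 31)  # constructed "never expires" date
D = date(2019, 1, 1)
# Constructed sample rows. Join columns are an assumption, not taken from the slides.
USER_INFO = [{"id": u} for u in ("alice", "bob", "carol", "dave")]
DIR_PERSON_USER = [
    {"User": "alice", "PersonParty": 1, "ValidFrom": D, "ValidTo": END},
    {"User": "bob", "PersonParty": 2, "ValidFrom": D, "ValidTo": END},
    {"User": "carol", "PersonParty": 3, "ValidFrom": D, "ValidTo": END},
]
HCM_WORKER = [{"RecId": 10, "Person": 1}, {"RecId": 20, "Person": 2}, {"RecId": 30, "Person": 3}]
HCM_POSITION = [{"RecId": 100, "PositionId": "AP-CLERK"}]
HCM_POSITION_WORKER_ASSIGNMENT = [
    {"Worker": 10, "Position": 100, "ValidFrom": D, "ValidTo": END},
    {"Worker": 20, "Position": 100, "ValidFrom": D, "ValidTo": date(2019, 6, 30)},  # expired
    {"Worker": 30, "Position": 100, "ValidFrom": D, "ValidTo": END},
]

def active(row, on):
    """Date-effective filter: the row counts only inside its validity window."""
    return row["ValidFrom"] <= on <= row["ValidTo"]

def users_matching_rule(position_id, on):
    """Rule query rooted at UserInfo: users whose worker holds the position on `on`."""
    positions = {p["RecId"] for p in HCM_POSITION if p["PositionId"] == position_id}
    workers = {a["Worker"] for a in HCM_POSITION_WORKER_ASSIGNMENT
               if a["Position"] in positions and active(a, on)}
    persons = {w["Person"] for w in HCM_WORKER if w["RecId"] in workers}
    linked = {l["User"] for l in DIR_PERSON_USER
              if l["PersonParty"] in persons and active(l, on)}
    return {u["id"] for u in USER_INFO if u["id"] in linked}

def reconcile(current, matched, excluded):
    """Return the role's new {user: mode} map after one rule run."""
    result = {u: m for u, m in current.items() if m == "Manual"}  # manual rows kept
    for user in matched - excluded:                               # exclusions win
        result.setdefault(user, "Automatic")
    return result  # stale "Automatic" rows are dropped, revoking the role

if __name__ == "__main__":
    today = date(2019, 11, 24)
    matched = users_matching_rule("AP-CLERK", today)
    print(sorted(matched))
    print(reconcile({"bob": "Automatic", "dave": "Manual"}, matched, {"carol"}))
```

The expired position assignment is what removes bob's automatic role on the next run, which is the behaviour to verify when a rule depends on date-effective HR data.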
24. Slide 24 of 32
Previous architecture and current
▪ Previous versions
▪ Current versions
25. Slide 25 of 32
Group assignments needed?
▪ Pains
▪ Many users with the same profile: time-consuming
▪ Assigning organizations can be forgotten
▪ Options for grouping users
26. Slide 26 of 32
Team assignment option
▪ Advantages
▪ Date effective assignment
▪ Address book security
28. Slide 28 of 32
Enhancements/customizations
▪ User group assignment on user
▪ Team assignment on user
▪ Run role assignment manually for user
31. Slide 31 of 32
Related blog posts
▪ Standard batch jobs
▪ https://dynamicspedia.com/2014/01/standard-batch-jobs-ax2012/
▪ Automatic role assignment
▪ https://dynamicspedia.com/2014/01/automatic-role-assignment-in-ax2012-part-1/
▪ https://dynamicspedia.com/2014/01/automatic-role-assignment-in-ax2012-part-2/
▪ Active directory
▪ https://dynamicspedia.com/2019/09/how-to-use-azure-active-directory-for-managing-users-and-security-in-dynamics-365-for-finance-and-operations/