Security in D365 F&O (II)

I promised to deep dive into more complex and key security topics, here we go ! That article is part of a series of articles about security in D365 F&0.  I am an internal controller in an organisation and I need to see the log of users who have been logged on to D365 F&O and if they have access to sensitive data for my organisation.

User log report

Navigate to System administration > Inquiries > User log

Go to the Role settings tab

For each security role, you can specify which one gives access to sensitive information. 

You just need to tick Access to sensitive data

For instance, let’s do it for Accountant

Then, assign the Accountant role to your user

 Log out and log back in D365 F&O

 Navigate to System administration > Inquiries > User log

 Go to the Overview tab

 You can see an audit log of users who have logged on to D365 F&O. It helps protect the organisation data and shows who has access to sensitive data.

 In the Roles with access to sensitive data column, I can see [Accountant].

In addition, I need to allow the HR department to see vendors and vendor bank accounts related to employees. However, they won’t be able to see the other vendors or vendor bank accounts. 

The Extensible Data Security (XDS) framework is a feature in D365 F&O that enables us to cover that requirement. That’s an extra layer of security to supplement security roles and it allows you to restrict access to tables.

XDS Policy

First we need to identify the constrained and primary tables.


Constrained tables = tables from which data is filtered. In our case, the constrained table is VendBankAccount

Primary tables = used to filter the content of the related constrained table. In our case, the primary table is VendTable


Open Visual Studio

How do we set up the XDS ? You can follow those steps:

1. Create a new query in your VS project

Enter the Name

Click Add

Add the VendTable in the Data Source

Set Dynamic Fields to No

Select VendTable in the Table field (Primary table)

Add the AccountNum field  in the Fields tab not to impact the performance

In our scenario we are limiting the user to only be able to see vendors and vendor bank accounts that have a vendor group of ‘EMPLOYEE’.

In the Ranges tab, add the VendGroup field and type in the value EMPLOYEE.

2. Create the Security policy in your VS projec

Enter the Name

Click Add

We set the following parameters:

Constrained table = Yes

Context type = RoleName

Primary Table = VendTable

Query = AlEmployeeVendBankAccountQuery

Role Name = AlHcmHumanResourceAssistant

Add a constrained table 

We set the following parameters:

Constrained = Yes

Name = VendBankAccount

Table Relation = VendTable

Build your project

If you checked the previous article, I showed you how to test security roles.

Navigate to Dynamics 365 > Addins > View with role set

Select the role associated with the security policy (RoleName parameter)

Click OK

 Navigate to Accounts payable > Vendors > All vendors

I can only see vendors assigned to the EMPLOYEE vendor group and vendor bank accounts associated with vendors assigned to the EMPLOYEE vendor group.

 💬 You can also apply the XDS to a group of security roles.

In the properties of the security policy, update the Context type to RoleProperty and type in the Context string

Finally, go to the security roles, and open the properties.

 Type in the context string

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: