Vendor payments in D365 F&O

In previous versions of D365 F&O, the usual approach to processing payments for a vendor involved creating a payment journal and then processing a payment proposal. To provide more automation capabilities, a new feature for payment processing has been introduced lately.

You can create a predefined schedule with a combination of payment proposal criteria to be able to create payment journals automatically.

In our case, I would like to share the preliminary steps before being able to pay vendors and show the standard process to generate a payment file. This post also gives a little more detail on the partnership between Microsoft and Kyriba.

Payment methods need to be set up first by selecting the electronic format to be used.

  • Methods of payment

Navigate to Accounts Payable > Payment set up > Methods of payment

The method of payment SEPA credit transfer is configured as follows:

Those fields drive the creation of the electronic payment file. 

Field | Value | Type
Method of payment | SEPA | String
Payment status | Sent | Enum
Payment type | Electronic payment | Enum
Category purpose | SUPP – Supplier payment | Drop down list
Charge bearer | SLEV – Following service level | Drop down list
Local instrument | NA | Drop down list
Service level | SEPA | Drop down list

The checkbox Generic electronic Export format needs to be marked to be able to select a file format. Then, in the Export format configuration field, select the format “ISO20022 Credit transfer (FR)” for France. That electronic reporting format is often adjusted to fit the bank requirements. Don’t forget to take those adjustments into account in your deployment project.

The method of payment SEPA intercompany credit transfer is configured as follows:

Those fields drive the creation of the electronic payment file. 

Field | Value | Type
Method of payment | SEPA INTRA | String
Payment status | Sent | Enum
Payment type | Electronic payment | Enum
Category purpose | INTC – Intra company payment | Drop down list
Charge bearer | SLEV – Following service level | Drop down list
Local instrument | NA | Drop down list
Service level | SEPA | Drop down list

The checkbox Generic electronic Export format needs to be marked to be able to select a file format. Then, in the Export format configuration field, select the format “ISO20022 Credit transfer (FR)” for France.

The method of payment International transfers (Non urgent) is configured as follows:

Those fields drive the creation of the electronic payment file. 


Field | Value | Type
Method of payment | SWIFT NURG | String
Payment status | Sent | Enum
Payment type | Electronic payment | Enum
Category purpose | SUPP – Supplier payment | Drop down list
Charge bearer | SLEV – Following service level | Drop down list
Local instrument | IN – Cross border payment | Drop down list
Service level | NURG – Non urgent | Drop down list

The checkbox Generic electronic Export format needs to be marked to be able to select a file format. Then, in the Export format configuration field, select the format “ISO20022 Credit transfer (FR)” for France.

  • File name in Electronic reporting 

Navigate to the workspace Electronic Reporting, then select Reporting configuration 

Select ISO20022 Credit transfer (FR) for the French format

Click Designer 

Select XMLHeader, then in the Mapping tab, edit the File name 

In the formula, insert “DebtorBankName”-“DateTime”-“JournalNumber” or use the CONCATENATE function.

  • Generate a vendor payment in D365 F&O

Navigate to Accounts Payable > Payments > Vendor payment journal, then click New to create a payment journal.    

Select the Journal Name 

Go to Lines > Payment proposal, then click Create payment proposal. 

Select the criteria of the payment proposal 

Review the proposal, then select Create payments

Payment transactions are transferred to the payment journal.

The method of payment is inherited from the invoice transactions by default.

The status of each payment transaction is “None” as no electronic payment file has been generated. 

The user clicks on the Generate payments button on the action pane 

Select the Bank account and the Method of payment 

Note: only one bank account can be selected

Click OK

The Electronic report parameters form pops up  

Mark Print covering letter to generate the remittance advice

Click OK 

The electronic payment file “ISO20022 Credit transfer” is generated by the Electronic reporting feature. The name and the destination of the file need to be set up as described earlier in this post.

  • Interface with Kyriba

Microsoft and Kyriba, one of the world leaders in Treasury Management Systems (TMS), announced a cooperation last year.

It is now a reality, and the seamless integration saves time.

Four interfaces will be built and provided out of the box : 

  • Payments 
  • Cash management
  • GL reconciliation 
  • Risk management 

Payment orders will be transferred and integrated to Kyriba through configuration (Kyriba extension). Digital signatures will still occur in Kyriba.

The technical architecture is based on APIs.

Connect to the Microsoft App source and contact Kyriba for more information.

How to deal with enums in Electronic Reporting ?

Enum fields cannot be exported as they are in Electronic reporting. We need to use a workaround, which is detailed in this post.

In our case I would like to export the item type stored on a purchase order line.  

In the Model mapping designer, select Enumeration and click Add root 

Type in a Name 

Select the enum in the Enumeration drop down field 

In our case the enum is ItemType

Click OK

In the Data model section, select the node and click Edit 

We need to use the CASE function. 

Select the data method getItemType() in the PurchLine table to retrieve the item type field. 

Then, for each enum value, type in the value you want to display in your report. 

The formula is: 

CASE(@.'purchLine()'.'getItemType()',
Po_Line_Type.Item, "Stock",
Po_Line_Type.Service, "Service")

That’s it, you can now export enum fields in Electronic Reporting!

Security in D365 F&O (III)

I would like to briefly address the last topic about Security in D365 F&O, i.e. field level access. Granting update access to a limited number of fields, or making a field invisible, can be done in D365 F&O.

In our case, an organisation asks you to give access to raise a sales order but they don’t allow the user to amend the sales price, or the discount amount provided as they are inherited from the sales contracts.

You can of course cover that requirement in D365 F&O. The first step is to identify the menu item and the fields that you need to restrict access to.

Preliminary steps

Navigate to Accounts Receivable > Orders > All sales orders

Open a sales order

Right click on the Unit price field

Click on Form Name: SalesTable

Expand the Administration tab

The menu item is SalesTableDetails in our case

The field to restrict access to is SalesPrice stored in the SalesLine table

Do the same steps for those fields:

  • Discount (LineDisc)
  • Discount percent (LinePercent)
  • Net amount (LineAmount)

Development

Open Visual Studio on your VM and open your project

Navigate to User Interface > Menu items > Display

Select SalesTableDetails

Click Open designer

Right click and select Find references

You can see that this menu item is included in the following privileges:

Select SalesTableDetailsMaintain

Right click and select Find references

You can see that this privilege is included in the following duties:

Select SalesOrderMaintain

Right click and select Find references

You can see that this duty is included in the following roles:

Identifying the security role to adjust this way is a little cumbersome.

You can also select the menu item and click Addins > View Related roles

Then, open the Excel spreadsheet.

Duplicate in your project the role TradeSalesClerk, which is the role we would like to adjust, and remove the standard duty SalesOrderMaintain

Duplicate in your project the duty SalesOrderMaintain, which is the duty we would like to adjust, and assign the custom duty CustSalesOrderMaintain to the custom security role CustTradeSalesClerk

Remove the standard privilege SalesTableDetailsMaintain from the custom duty CustSalesOrderMaintain

Duplicate in your project the privilege SalesTableDetailsMaintain, which is the privilege we would like to adjust, and assign the custom privilege CustSalesTableDetailsMaintain to the custom duty CustSalesOrderMaintain

Find the entry point SalesTableDetails and add the data source SalesLine 

Then right click on the SalesLine entry and select Add a new data source field for those fields:

  • SalesPrice
  • LineDisc
  • LinePercent
  • LineAmount

Give read access to those fields.

Build your project.

Now you can test the new role. You can raise a sales order but if you try to edit the unit price, the field is greyed out.

You can check the first article about security to see how to test your roles.

Another case is a little bit tricky. An organisation asks you to grant update access to credit fields on the customer account.

Perform similar preliminary steps

Add the CustTable to the CustTableListPage menu item

Set the access level of the menu item to Read

Set the access level of the CustTable to Update

This gives update access to all fields on the CustTable. That’s why we finally need to add new data source fields (click Add a new data source field) to the CustTable for all fields that need to have read access.

It can be quite cumbersome for big tables like this one.

That’s the last article about Security. I will change topics and focus on Electronic Reporting moving forward. 

Security in D365 F&O (II)

I promised to deep dive into more complex and key security topics, here we go! This article is part of a series of articles about security in D365 F&O. I am an internal controller in an organisation and I need to see the log of users who have logged on to D365 F&O and whether they have access to data that is sensitive for my organisation.

User log report

Navigate to System administration > Inquiries > User log

Go to the Role settings tab

For each security role, you can specify which one gives access to sensitive information. 

You just need to tick Access to sensitive data

For instance, let’s do it for Accountant

Then, assign the Accountant role to your user

 Log out and log back in D365 F&O

 Navigate to System administration > Inquiries > User log

 Go to the Overview tab

 You can see an audit log of users who have logged on to D365 F&O. It helps protect the organisation data and shows who has access to sensitive data.

 In the Roles with access to sensitive data column, I can see [Accountant].

In addition, I need to allow the HR department to see vendors and vendor bank accounts related to employees. However, they won’t be able to see the other vendors or vendor bank accounts. 

The Extensible Data Security (XDS) framework is a feature in D365 F&O that enables us to cover that requirement. That’s an extra layer of security to supplement security roles and it allows you to restrict access to tables.

XDS Policy

First we need to identify the constrained and primary tables.

 ——————————————————————————————————————————-

Constrained tables = tables from which data is filtered. In our case, the constrained table is VendBankAccount

Primary tables = used to filter the content of the related constrained table. In our case, the primary table is VendTable

——————————————————————————————————————————-

Open Visual Studio

How do we set up the XDS ? You can follow those steps:

1. Create a new query in your VS project

Enter the Name

Click Add

Add the VendTable in the Data Source

Set Dynamic Fields to No

Select VendTable in the Table field (Primary table)

Add the AccountNum field in the Fields tab so as not to impact performance

In our scenario we are limiting the user to only be able to see vendors and vendor bank accounts that have a vendor group of ‘EMPLOYEE’.

In the Ranges tab, add the VendGroup field and type in the value EMPLOYEE.

2. Create the Security policy in your VS project

Enter the Name

Click Add

We set the following parameters:

Constrained table = Yes

Context type = RoleName

Primary Table = VendTable

Query = AlEmployeeVendBankAccountQuery

Role Name = AlHcmHumanResourceAssistant

Add a constrained table 

We set the following parameters:

Constrained = Yes

Name = VendBankAccount

Table Relation = VendTable

Build your project

If you checked the previous article, I showed you how to test security roles.

Navigate to Dynamics 365 > Addins > View with role set

Select the role associated with the security policy (RoleName parameter)

Click OK

 Navigate to Accounts payable > Vendors > All vendors

I can only see vendors assigned to the EMPLOYEE vendor group and vendor bank accounts associated with vendors assigned to the EMPLOYEE vendor group.
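The filtering effect of the policy configured above, modelled as an added Python example (it is not code from the original post and not how D365 F&O implements XDS). The role name, table names, VendGroup range and AccountNum field come from the steps above; the linking column VendBankAccount.VendAccount and all sample rows are assumptions constructed for the example.

```python
import sqlite3

# Values from the policy described above. The foreign-key column
# VendBankAccount.VendAccount is an assumption made for this example.
POLICY = {
    "role": "AlHcmHumanResourceAssistant",
    "primary": "VendTable",
    "range": ("VendGroup", "EMPLOYEE"),
    "constrained": {"VendBankAccount": "VendAccount"},
}


def build_db():
    """Create in-memory tables holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE VendTable (AccountNum TEXT PRIMARY KEY, VendGroup TEXT);
        CREATE TABLE VendBankAccount (VendAccount TEXT, AccountID TEXT);
        INSERT INTO VendTable VALUES
            ('V-EMP-01', 'EMPLOYEE'), ('V-EMP-02', 'EMPLOYEE'),
            ('V-SUP-01', 'SUPPLIER');
        INSERT INTO VendBankAccount VALUES
            ('V-EMP-01', 'BANK-A'), ('V-SUP-01', 'BANK-B'),
            ('V-SUP-01', 'BANK-C');
    """)
    return db


def visible_rows(db, table, user_roles, policy=POLICY):
    """Return the rows of `table` that a user holding `user_roles` can read."""
    # Table and column names are interpolated into SQL below, so they are
    # only ever taken from the policy definition, never from caller input.
    allowed = {policy["primary"], *policy["constrained"]}
    if table not in allowed:
        raise ValueError(f"table {table!r} is not part of this model")
    field, value = policy["range"]
    if policy["role"] not in user_roles:
        # Context type RoleName: users outside the role are not filtered.
        sql, args = f"SELECT * FROM {table}", ()
    elif table == policy["primary"]:
        # The primary table is filtered by the range on the policy query.
        sql, args = f"SELECT * FROM {table} WHERE {field} = ?", (value,)
    else:
        # A constrained table keeps a row only if its related primary row
        # satisfies the policy query.
        fk = policy["constrained"][table]
        sql = (f"SELECT * FROM {table} AS c WHERE EXISTS ("
               f"SELECT 1 FROM {policy['primary']} AS p "
               f"WHERE p.AccountNum = c.{fk} AND p.{field} = ?)")
        args = (value,)
    return db.execute(sql + " ORDER BY 1, 2", args).fetchall()


if __name__ == "__main__":
    db = build_db()
    hr = {"AlHcmHumanResourceAssistant"}
    print(visible_rows(db, "VendTable", hr))
    print(visible_rows(db, "VendBankAccount", hr))
    print(visible_rows(db, "VendBankAccount", {"OtherRole"}))
```

In this model a user who holds the policy role together with other roles is still filtered, which is worth checking for in your own role combinations with View with role set.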

 💬 You can also apply the XDS to a group of security roles.

In the properties of the security policy, update the Context type to RoleProperty and type in the Context string

Finally, go to the security roles, and open the properties.

 Type in the context string

Security in D365 F&O (I)

Security in D365 F&O is often not the priority in an ERP implementation. The topic is most of the time tackled after all other major topics, and that is a mistake in my opinion. A resource should be assigned to that task and a specific security stream should be created. This article briefly describes how to implement security changes in D365 F&O, how to test them, and how to embed segregation of duties rules in D365 F&O.

*OOB = Out of the box

Migrate security in D365 F&O

 There are two approaches to migrate security from one D365 F&O environment to another :

● Development: make all your adjustments in Visual studio and none through the user interface

● User interface: make all your adjustments in the security interface and export your customizations through the data management framework

I detailed the pros and cons of both solutions:

 Development

——————————————————————————————————————–

Pros

      ● Easy to create a deployment package or model that you move between D365 F&O environments
      ● Out of the box Visual studio version control
      ● Option to create several models if specific security changes need to be delivered separately

Cons

      ● Harder to set up for a functional profile, and maintenance is more difficult as any modification is a code change

 User interface (Security configuration)
——————————————————————————————————————–

Pros

      ● The changes are made through the user interface (easier for set up and maintenance)
      ● No technical resources required

Cons

      ● All your changes are stored in an XML file that can be imported in any environment. That means you cannot migrate only specific changes
      ● No version control system (just an audit trail as below)
      ● No change in the code, just a delta in the database
      ● Re-import the XML after each update

Audit trail

I recommend choosing the development solution for a control purpose. That means you need to enforce a strict governance around security changes.

To develop security in the AOT, open Visual Studio and navigate to the Security tab.

You can view the security elements hereunder: 

  • Why do we have those two approaches in D365 F&O?
    – Because the design time (code development) and runtime (code execution) environments are now separated in D365 F&O, which was not the case in Dynamics AX.
    – The design time is on a virtual machine with Visual Studio.
    – The runtime is a web application running in Azure.
  • The changes that are stored in the security delta will override changes made in the AOT

Security Tools in D365 F&O 

D365 F&O provides several tools to identify the permissions behind a form or business process.

a) How to view permissions?

Navigate to System administration > Security > Security configuration, then select a role and choose View Permissions

You can follow this process to get the same information at a duty and privilege level.
You also see the license associated with that security role (New in 10.0.15).
You also get that information when you assign roles to a user.

b) How to view the breakdown of the roles, duties, and privileges that give access to a particular page/form in D365 F&O ?

Go to Options -> In the Page Options group -> Security Diagnostics

c) How to get Form information in D365 F&O?

Right click on the form, then select Form information

d) How to run Security diagnostics for task recording in D365 F&O?  

Run the task recorder for a process you would like to perform in D365 F&O and save the axtr file. 
Navigate to System administration > Security > Security diagnostics for task recordings

Pick the file generated by the task recorder to see the menu items used during the process

You can also run it against user access to see if the user has access to that object

e) Table permission framework

It provides an additional layer of security to your highly critical data (VAT number, social security numbers…). It is also an additional check that requires that users have been granted correct rights to the table field.  The property that enables this feature is called AosAuthorization. When it is turned on, it activates the table permission framework.  

When you need to give access to a form, you should perform those tasks:

You should start from standard roles and duplicate them in your project. Then, you can remove the duties you want and deep dive in them if needed.

If you need to modify a duty, follow the same steps: remove the privileges you want and assign the custom duty to your custom role.

💬: I strongly recommend keeping the standard security hierarchy when you develop new roles. I’ve noticed that some clients assign many privileges directly to the security role. If you do that, you will not be able to use the SOD framework described in this article.

Test security changes

You developed security roles and you would like to test them. There is a nice tool for that!

Install an add-on in Visual studio

In my VM, the path is: E: AppRing3 > 10.0.169.XXXXX > retail > Services > DevToolsService > Scripts

Click on the highlighted addon InternalDevTools

Then, open Visual studio as administrator

Go to Dynamics 365 > Add ins

Select View with role set

Drop your developed roles to the assigned roles box

Click OK

It opens a web application where you can test your combination of roles. 

Yes, that is right you can even test a combination of security roles. What a game changer!

💬: the name of the role is the technical name

Segregation of duties (SOD)

SOD is a key element of an effective control environment. There needs to be an adequate division of responsibilities. It is often managed outside the ERP in an Excel spreadsheet and that’s why Microsoft introduced a simple feature described hereunder.

Navigate to System administration > Security > Segregation of duties > Segregation of duty rules

Segregation of duties is defined at the duty level. So, if a rule covers duty 1 and duty 2 and a user has access to both, that is considered an SOD conflict.

The SOD conflicts report is done at the user level and mitigations are documented manually. When a conflict pops up, it is saved in the Segregation of duties unresolved conflicts form.

You can allow or deny the assignment of those conflicting roles. 

It is not perfect, but it is a first step, and I am sure there is more to come from Microsoft.
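A duty-level conflict check in the spirit of the rules described above, as an added Python example that is not part of the original post or of D365 F&O. It works on a role/duty matrix such as the one you can export to a spreadsheet; every role, duty, privilege and user name below is constructed for the example. It also lists roles that carry privileges directly, since those bypass duty-level rules as noted earlier in this article.

```python
# Constructed sample data: every role, duty, privilege and user name
# here is hypothetical and only serves the example.
ROLE_DUTIES = {
    "ExApClerk": {"ExVendorInvoiceEnter", "ExVendorPaymentGenerate"},
    "ExApManager": {"ExVendorInvoiceApprove"},
    "ExApSuperUser": {"ExVendorInvoiceApprove", "ExVendorPaymentGenerate"},
    "ExBuyer": {"ExPurchOrderMaintain"},
}
# Privileges attached straight to a role, skipping the duty layer.
ROLE_DIRECT_PRIVILEGES = {"ExBuyer": {"ExVendBankAccountMaintain"}}
USER_ROLES = {
    "alice": {"ExApClerk"},
    "bob": {"ExApClerk", "ExApManager"},
    "carol": {"ExBuyer"},
}
# Each rule names two duties that one user must not hold together.
SOD_RULES = [
    ("ExVendorInvoiceApprove", "ExVendorPaymentGenerate"),
    ("ExVendorInvoiceEnter", "ExVendorInvoiceApprove"),
]


def duties_of(roles):
    """Map every duty granted by `roles` to the roles that grant it."""
    granted = {}
    for role in roles:
        for duty in ROLE_DUTIES.get(role, ()):
            granted.setdefault(duty, set()).add(role)
    return granted


def user_conflicts(user):
    """Rules broken by the combined roles of one user."""
    granted = duties_of(USER_ROLES.get(user, ()))
    return [
        {"user": user, "rule": rule,
         "roles": sorted(granted[rule[0]] | granted[rule[1]])}
        for rule in SOD_RULES
        if rule[0] in granted and rule[1] in granted
    ]


def role_conflicts():
    """Roles that break a rule on their own, before any user assignment."""
    found = []
    for role in sorted(ROLE_DUTIES):
        granted = duties_of([role])
        found += [(role, rule) for rule in SOD_RULES
                  if rule[0] in granted and rule[1] in granted]
    return found


def roles_outside_sod():
    """Roles holding direct privileges that duty-level rules cannot see."""
    return {role: sorted(privs)
            for role, privs in sorted(ROLE_DIRECT_PRIVILEGES.items()) if privs}


def conflict_report():
    """User-level report, one entry per user and broken rule."""
    return [c for user in sorted(USER_ROLES) for c in user_conflicts(user)]


if __name__ == "__main__":
    for entry in conflict_report():
        print(entry)
    print(role_conflicts())
    print(roles_outside_sod())
```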

Goods in Transit (Upfront invoices)

1 Business scenario
The vendor sends the invoice before the goods are delivered to us. We would like to book the invoice before receiving the goods. However, the invoice is approved after the goods are received in our warehouse and after our quality control. As a result, payment runs must exclude those invoices.

2 Process flow

A purchase order has been created for 59,50 EUR.

· Create a new Invoice register journal under Account Payable > Journals > Invoice Register

· Enter the line details by selecting Invoice register lines for the same vendor from the purchase order. The value of the register line should be the purchase total amount (tax included)

Tip: The purchase order number(s) can be populated at that stage before posting in the Purchase order field. For multiple purchase orders, separate them with a semicolon.

· Post the journal; you can then see those messages. They indicate that the invoice is in a pool from which it can be selected and matched with the purchase order that is received.

We can access the invoice pool under Account Payable > Inquiries > Invoice Pool.

That event triggers the following accounting entries:

————————————————————————————————————————

Debit Purchases in transit

Debit Sales tax

Credit Account Payable (Unapproved Invoices)

————————————————————————————————————————

These accounts are configured under the vendor posting profile as « Arrival » and « Offset account ».


Note: The invoice is not approved yet, which means the invoice is not fetched by Dynamics AX in the payment proposal and cannot be paid.

· The goods are received by the warehouse team, who then post an item arrival journal. That event triggers the following accounting entries:

————————————————————————————————————————

Debit Goods Received not invoiced (GRNI)

Credit Purchase accrual

————————————————————————————————————————

Now that the goods have been received, the next step is to match the purchase order and the invoice together. To do so, we will need to first retrieve the invoice that has been booked from the pool and match it with the purchase order/receipt.


Note: Either the warehouse team communicates to the AP team, or the AP team exports the GRNI report (Purchase accrual) and checks the invoice pool to compare.

Here is how we do it: create a new invoice approval journal under Account Payable > Journals > Invoice approval journal.

Go to Lines, then find the invoice from the pool by selecting Find vouchers.

Select the invoice, then click Select. After the invoice is fetched, the next step is to match the invoice with the purchase order(s) that have been received.

Select Functions > Purchase order

Afterwards, the standard vendor invoice form opens and shows the product receipt posted by the warehouse team.

Click Post. That event triggers the following accounting entries:

————————————————————————————————————————

Debit Purchase accrual

Debit Account Payable (Unapproved invoices)

Debit Inventory

Credit Goods Received not invoiced (GRNI)

Credit Purchases in transit

Credit Account Payable (Vendor liability)

————————————————————————————————————————

Once posted, the invoice disappears from the invoice pool under Account Payable > Inquiries > Invoice pool

Void payments in AX 2012 R3

Cheque payments: (No review process)

Navigate to Cash and bank management > Common > Cheques.

Select the cheque to reverse.

Click Payment reversal.

Enter a date and a reason for reversal (The reason is mandatory).

Select OK to post the reversal.

Other vendor payments (Ex: Electronic payments)

Navigate to Purchase ledger > Suppliers > All suppliers.

Select the vendor that you would like to post the cancel payment against.  

Select Closed transaction editing in the Settle group of the Invoice tab. 

Find the payment you would like to cancel and tick the Mark checkbox. The corresponding invoice voucher will be marked as well.

Select Reverse on the action pane. The payment and invoice vouchers will disappear from this form.

Close the form.


Select Settle Open Transactions in the Settle group of the Invoice tab. The two previously reversed vouchers (Payment and corresponding invoice) are now visible in this form.

Close the Settle Open Transactions form.


Select Payment journal in the New group of the Invoice tab.   

Select PAY in the Name field.

Click on Lines to open the journal voucher details.

Enter the Vendor account in the Account field.

Select Functions, then Settlement.

Tick the Mark checkbox for the payment voucher you are cancelling.

Close the form, then a credit amount (Credit field) and a bank offset account will be automatically generated. It corresponds to the payment amount made and the bank account selected during that process.

Post the journal.

Navigate to Purchase ledger > Suppliers > All suppliers.

Select the vendor.

In the Closed Transaction Editing form, you can see the original payment voucher and the credit payment voucher. The two vouchers are settled and the payment is fully voided.

Other Customer payments (Ex: Electronic payments)

Navigate to Sales ledger > Customers > All customers.

Select the customer that you would like to post the cancel payment against.

Select Closed transaction editing in the Settle group of the Collect tab.

Find the payment you would like to cancel and tick the Mark checkbox. The corresponding invoice voucher will be marked as well.

Select Reverse on the action pane. The payment and invoice vouchers will disappear from this form.

Close the form.

Select Settle Open Transactions in the Settle group of the Collect tab. The two previously reversed vouchers (Payment and corresponding invoice) are now visible in this form.

Close the Settle Open Transactions form.


Select Payment journal in the New group of the Collect tab.

Select PAY in the Name field.

Click on Lines to open the journal voucher details.

Enter the Customer account in the Account field.

Select Functions, then Settlement.

Tick the Mark checkbox for the payment voucher you are cancelling.

Close the form, then a debit amount (Debit field) and a bank offset account will be automatically generated. It corresponds to the payment amount made and the bank account selected during that process.

Post the journal.

Navigate to Sales ledger > Customers > All customers.

Select the customer.

In the Closed Transaction Editing form, you can see the original payment voucher and the debit payment voucher. The two vouchers are settled and the payment is fully voided.

Check the allocated invoices

Navigate to Cash and bank management > Common > bank accounts

Select Transactions in the Transactions group of the Bank account tab.

Filter the list of bank transactions (Ctrl + G) by date to find the payment. 

Select Invoices on the top ribbon to view the invoices paid by the selected payment.