Friday, January 17, 2025

Security Role Assignments in Dynamics 365 Finance and Operations










SECURITY ROLE ASSIGNMENTS IN DYNAMICS 365 FINANCE AND OPERATIONS

This article provides detailed information about the user security role assignment methods available in Dynamics 365 Finance and Operations. These methods are essential for managing user access and ensuring secure system operations.

Let's get started.

CONTENT

Introduction
Role assignment levels
Role assignment methods - auto
Role assignment methods - manual
Demo
Conclusion

INTRODUCTION

Role assignments can be automated through query-based rules or handled manually using data management tools or direct assignments at various levels, including global, organizational hierarchy, and company-specific scopes.

By exploring these methods, you can gain a better understanding of how to effectively manage security roles to align with organizational policies and compliance requirements.

Let’s explore these details. 

In Microsoft Dynamics AX and Dynamics 365 Finance and Operations (D365FO), security roles are always assigned to users, as every user has a different function in maintaining a Segregation of Duties (SOD)-compliant environment. This critical function underlines why security roles are often referred to as role-based security roles, emphasizing their alignment with user responsibilities and access needs.

ROLE ASSIGNMENT LEVELS

Security roles can be assigned to users manually at different levels, depending on the scope of their responsibilities and the organization's structure.

Global

At the global level, role assignments apply across all legal entities in the system. This method is straightforward and requires minimal maintenance. Once a user is assigned to a role globally, they gain access to all legal entities within Dynamics 365 Finance and Operations (D365FO) permitted by their role. Users can seamlessly navigate and interact across all entities, as long as their assigned role grants the necessary permissions.

Organization Hierarchy

This level of assignment is ideal for environments with many legal entities, as it leverages the organizational hierarchy to streamline role management. By assigning a user to a role at a higher node within the hierarchy (e.g., a main branch), the role is automatically inherited by all subordinate nodes. This approach significantly reduces administrative effort while ensuring consistency across organizational levels.

Company

At the company level, role assignments are specific to individual legal entities. This allows for precise control over user permissions within a particular entity but comes with a higher maintenance overhead. This method is beneficial when users require distinct roles or access restrictions tailored to specific legal entities.

ROLE ASSIGNMENT METHODS - AUTO

This feature uses query-based rules to automatically assign security roles to users based on specific criteria.

Navigate to System administration >> Security >> Assign users to roles






The screen is used for both automatic and manual security role assignments for users. Let's talk about automatic role assignments first.

Click Add rules.



For reference, the details of the available queries are listed below:

FMDynamicRoleAssignmentWorkerPosition

  • Purpose: Assigns roles to users based on their worker position.
  • Primary Table Used: HcmPosition and related worker position records in HcmWorker.
  • Use Case: Automatically assign a specific role to users in a defined position (e.g., HR Manager, Procurement Specialist).

FMDynamicRoleAssignmentWorkerTitle

  • Purpose: Assigns roles to users based on their worker title.
  • Primary Table Used: HcmTitle and HcmWorker.
  • Use Case: Automatically assign roles based on titles such as "Senior Accountant" or "Operations Manager" to enforce position-based security.

LedgerJournalPostControl

  • Purpose: Assigns roles to users responsible for posting ledger journals.
  • Primary Table Used: LedgerJournalTable and related configurations.
  • Use Case: Ensures users who are part of a posting process receive appropriate permissions, like "Ledger Clerk" or "General Accountant."

Select All Users

  • Purpose: A query that selects all users in the system.
  • Primary Table Used: SysUserInfo.
  • Use Case: Assigns roles universally to every user in the system, often used for roles like "Employee Self-Service" where access is granted to all employees.

SysUserInfoDataset

  • Purpose: Provides user information for queries.
  • Primary Table Used: UserInfo.
  • Use Case: Assign roles based on specific user attributes, such as email, user ID, or company association.

SysUserSecurity

  • Purpose: Assigns roles based on existing user security setup.
  • Primary Table Used: UserInfo or similar security configuration tables.
  • Use Case: Dynamically assign roles based on users' existing security roles or privileges.

TrvExpMobileMasterDataQuery

  • Purpose: Assigns roles to users based on travel and expense management data.
  • Primary Table Used: TrvExpTable or related travel and expense data tables.
  • Use Case: Automatically assign roles like "Expense Approver" or "Expense Submitter" for users involved in expense workflows.

UserInfoPartitions

  • Purpose: Assigns roles to users based on their data partition association.
  • Primary Table Used: UserInfo and partition configurations.
  • Use Case: Helps manage access across partitions in multi-tenant environments by assigning roles specific to a data partition.

VendVendorPortalUsers

  • Purpose: Assigns roles to vendor portal users.
  • Primary Table Used: VendUserSetup or VendTable for vendor records.
  • Use Case: Automatically grants roles like "Vendor Portal User" or "Vendor Approver" to users associated with vendor accounts.

ROLE ASSIGNMENT METHODS - MANUAL

Security roles can be manually assigned to users in two different ways.

  • Data management
  • Manual assignment 

Data management: The data management method gives you the ability to import user and role assignments in bulk. This approach allows for assigning roles to users at all levels, including global, organizational hierarchy, and company levels.

Manual assignment: This is the most commonly used method for assigning security roles. You can navigate to the specific user record and assign a security role directly at all levels (global, organizational hierarchy, and company levels).

Now, let's discuss the combination of role assignment levels and role assignment methods.

DEMO: User & Security role assignment at organizational hierarchy level - Manual assignment

The following example demonstrates how to assign a security role at the organizational hierarchy level.



Navigate to System administration >> Users >> Users and select a user and assign a role to the user.



The next step is to assign this role to an organizational hierarchy.






Highlight the role and click Assign organizations.










This screen shows that the current selection is valid for all legal entities.




Click 'Grant access to specific organizations individually' to assign access to a specific legal entity or an organization hierarchy. 









This selection gives you two options in the Select organization hierarchy field:

  • (All legal entities): If this option is selected, the role chosen on the previous screen can be assigned to specific legal entities here. There is no need to select an organization hierarchy. Simply select the legal entity or entities where the role will apply.
  • The list of Organization hierarchies. In our case, there is only one: Security hierarchy.

Select the organization hierarchy, Security hierarchy.




Note that 'Available organization nodes' now shows the selected hierarchy's components.

Select the main Retail node, Contoso Retail, and click Grant.


The role assignment should have been valid only for Contoso Retail GLRT since I didn't select Grant with children.

Is that really the case?

Actually, it's not. The selected user was able to perform all (RSM) Accountant role duties in any of the retail companies.

I conducted further investigation and realized that the selected hierarchy node, along with all its subordinate levels, had been assigned to the same role.



As a result, it really doesn't matter whether you click Grant or Grant with children. The system will behave the same way: assigning the selected hierarchy node, along with all its subordinate levels.
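The gap between what an administrator expects from Grant and the behavior observed in the demo can be checked during an access review. The following is an added example, not code from Dynamics 365 or from this blog: the hierarchy below Contoso Retail, the user IDs and the record layout are hypothetical, constructed sample data.

```python
# Constructed sample data. Only "Contoso Retail" and "(RSM) Accountant" come
# from the demo; child nodes, users and the record layout are hypothetical.
HIERARCHY = {  # parent node -> direct child nodes of the Security hierarchy
    "Contoso Retail": ["RETAIL-A", "RETAIL-B"],
    "RETAIL-B": ["RETAIL-B1"],
}
ASSIGNMENTS = [  # (user, role, selected node, button clicked)
    ("user1", "(RSM) Accountant", "Contoso Retail", "Grant"),
    ("user2", "(RSM) Accountant", "RETAIL-B", "Grant with children"),
    ("user3", "(RSM) Accountant", "RETAIL-A", "Grant"),
]


def subtree(node, hierarchy):
    """Return the node together with every node below it."""
    seen, stack = set(), [node]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(hierarchy.get(current, []))
    return seen


def intended_scope(node, action, hierarchy):
    """Scope the administrator expects: Grant covers only the selected node."""
    return subtree(node, hierarchy) if action == "Grant with children" else {node}


def observed_scope(node, action, hierarchy):
    """Scope observed in the demo: both buttons cover the node and its children."""
    return subtree(node, hierarchy)


def excess_access(assignments, hierarchy):
    """Map (user, role) to nodes reachable beyond what the administrator intended."""
    findings = {}
    for user, role, node, action in assignments:
        extra = observed_scope(node, action, hierarchy) - intended_scope(node, action, hierarchy)
        if extra:
            findings[(user, role)] = sorted(extra)
    return findings


if __name__ == "__main__":
    for (user, role), nodes in excess_access(ASSIGNMENTS, HIERARCHY).items():
        print(f"{user} / {role}: unintended access to {', '.join(nodes)}")
```

Only a plain Grant on a node that has children produces a finding; leaf-node grants and Grant with children match the administrator's intent.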

CONCLUSION

Managing security roles in Dynamics 365 Finance and Operations doesn't have to be a complicated or time-consuming process. Among all the methods available, assigning roles at the organizational hierarchy level stands out for its efficiency. It not only saves a lot of time by automatically applying roles to all subordinate nodes but also makes ongoing maintenance much simpler. Instead of juggling multiple assignments at the company or global level, you can rely on the hierarchy to handle most of the heavy lifting.

Wednesday, January 8, 2025

Vendor Reconciliation in Dynamics 365 Finance and Operations











RECONCILIATIONS IN DYNAMICS 365 FINANCE AND OPERATIONS

Reconciliation is essential to ensure the financial impact of transactions is accurate. This article provides a detailed overview of the different types of reconciliations available in Dynamics 365 Finance and Operations.

Let's get started.

CONTENT

Introduction
Reconciliation types
Demo - vendor reconciliation
Conclusion

INTRODUCTION

In Dynamics 365 Finance and Operations, reconciliations help verify that transactions are recorded correctly across the General Ledger (GL), subledgers, and external systems, such as bank statements. By ensuring consistency and alignment, reconciliation plays a key role in financial reporting, compliance, and operational efficiency. This article explores the various reconciliation types available in D365FO, providing insights into their purpose, processes, and practical applications.

RECONCILIATION TYPES

INTERNAL RECON

Internal recon: Ensures the ERP's consistency and validates subledger and ledger consistency. These are D365 Finance reports.

  • Vendor to ledger recon
  • Customer to ledger recon
  • Bank to ledger recon
  • Potential conflicts - inventory and general ledger

The main objective is to ensure that no ledger accounts used in posting profiles are directly impacted by journal entries. In other words, there should be no discrepancies between the subledger and the general ledger. If differences arise, it indicates that General Journal entries were posted to main accounts linked to subledgers. To mitigate this issue, an ITAC control can be implemented by enabling the "Do not allow manual entry" field in the Chart of Accounts.

General ledger >> Chart of accounts >> Accounts >> Main accounts
























EXTERNAL RECON

External recon: Ensures consistency between the ERP and external systems and assists reconciliation of the ERP with external parties.

  • Vendor recon: This recon is between you and your vendors to make sure that the outstanding balance in the system is correct.
  • Customer recon: Similarly, this recon is between you and your customers/clients to make sure that the outstanding balance in the system is correct.
  • Bank recon: This recon is between you and your bank to make sure that the bank balance in the system is correct.

RECON METHODS

Recon methods: You can use different approaches to ease your reconciliation process.

  • Manual reconciliation: Requires manually pulling data from D365FO and processing it in Excel. This approach requires a deep understanding of which reports and transactions to analyze. It is time consuming and open to human error.
  • Automation within D365: This approach contains built-in reports and inquiries. It's a quick and easy method to identify mismatches between GL and subledgers. This approach reduces manual effort.
  • Autonomous via Agent: A new capability that automates the comparison of financial transactions. D365FO identifies differences and highlights mismatches for review.

TOOLS

Selecting the right tools for reconciliation is essential, as different tools offer distinct capabilities to support accuracy, completeness, and efficiency. If standard D365 Finance reports confirm no discrepancies between the ledger and subledger, no further action may be required. However, if additional investigation is needed to validate report completeness and accuracy, supplementary tools can enhance the reconciliation process.

  • D365 Finance Reports: Provides built-in validation for ledger and subledger consistency.
  • Excel: Allows for custom analysis and detailed reconciliation outside the system.
  • Excel + Autonomous Agents: Enhances reconciliation efficiency by automating data extraction and comparison.
Organizations should evaluate the most appropriate tools based on their reconciliation complexity, reporting needs, and available automation capabilities.

Let's delve deeper into vendor reconciliation.

DEMO - VENDOR RECONCILIATION

This section focuses on vendor reconciliation within Dynamics 365 Finance and Operations (D365FO).

The objective is to verify whether vendor transactions align with ledger transactions and identify any manual journal interventions that may have affected vendor transactions.

The reconciliation logic ensures that vendor transactions and ledger transactions remain consistent.

Step 1: Retrieve Vendor Transactions

Let's take a look at the vendor transactions first.

Navigate to Accounts payable >> Inquiries and reports >> Vendor transactions report




















Apply the required filters, including a specific date range.

Run the report and review the output.










The report output is shown below. The next step is to convert this output to a workable format for further calculations.

Export the report to Excel for further analysis.










Analyzing Vendor Transactions

Open the exported Excel file.

Scroll to the bottom of the report to locate the total debit and credit amounts for all vendors within the selected date range.









Calculate the total vendor balance.









For this example, the total vendor balance is $85,670.78.

Let's take a look at the ledger transactions now.

Step 2: Retrieve Ledger Transactions

Navigate to General ledger >> Inquiries and reports >> Voucher transactions





















On the next page, apply the required filters, including the relevant/targeted ledger accounts to be included in the report.

How to Identify the Relevant Ledger Accounts? 

The accounts to be included are all ledger accounts used in the Vendor posting profiles. These accounts determine how vendor transactions are posted to the general ledger.

















Run the report and review the output. The report is shown below. Export the report to Excel for further analysis.













Analyzing Ledger Transactions

Open the exported Excel file.

Summarize the Amount column to calculate the total ledger balance.











For this example, the total ledger balance is $85,670.78.

Step 3: Validate the Reconciliation

Since the total vendor balance ($85,670.78) matches the total ledger transactions balance ($85,670.78) for the selected date range, the reconciliation is successful. This confirms that vendor transactions are accurately reflected in the ledger without any discrepancies caused by manual interventions.
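The comparison in Steps 1 to 3 can also be run on the two exports directly. The following is an added example, not part of D365FO or of the original article: the column names, vouchers, account numbers and sign convention are assumptions, and the sample rows are constructed. It goes one step beyond the totals by comparing per voucher, so a journal posted directly to a posting-profile account is listed by voucher.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample exports. Column names, vouchers and account numbers are
# hypothetical; map them to the columns of your own Excel/CSV exports.
VENDOR_CSV = """Voucher,Vendor,Debit,Credit
APINV-001,V-1001,0.00,1200.00
APPAY-001,V-1001,1200.00,0.00
APINV-002,V-1002,0.00,450.50
"""
LEDGER_CSV = """Voucher,MainAccount,Amount
APINV-001,200100,-1200.00
APPAY-001,200100,1200.00
APINV-002,200100,-450.50
GJ-0007,200100,-300.00
GJ-0008,110100,999.00
"""
# Ledger accounts used in the vendor posting profiles (hypothetical value).
POSTING_PROFILE_ACCOUNTS = {"200100"}


def per_voucher(text, amount, keep=lambda row: True):
    """Sum signed amounts per voucher for the rows that pass `keep`."""
    totals = defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(text)):
        if keep(row):
            totals[row["Voucher"]] += amount(row)
    return totals


def reconcile(vendor_csv, ledger_csv, accounts):
    """Return (vendor_total, ledger_total, mismatches keyed by voucher)."""
    # Assumed sign convention: debit positive, credit negative, on both sides.
    vend = per_voucher(vendor_csv, lambda r: Decimal(r["Debit"]) - Decimal(r["Credit"]))
    ledg = per_voucher(ledger_csv, lambda r: Decimal(r["Amount"]),
                       keep=lambda r: r["MainAccount"] in accounts)
    zero = Decimal(0)
    mismatches = {
        v: (vend.get(v, zero), ledg.get(v, zero))
        for v in sorted(set(vend) | set(ledg))
        if vend.get(v, zero) != ledg.get(v, zero)
    }
    return sum(vend.values(), zero), sum(ledg.values(), zero), mismatches


if __name__ == "__main__":
    v_total, l_total, diffs = reconcile(VENDOR_CSV, LEDGER_CSV, POSTING_PROFILE_ACCOUNTS)
    print("vendor:", v_total, "ledger:", l_total, "difference:", l_total - v_total)
    for voucher, (v_amt, l_amt) in diffs.items():
        print("review", voucher, "vendor:", v_amt, "ledger:", l_amt)
```

In the constructed data, voucher GJ-0007 exists only on the ledger side of a posting-profile account, which is the pattern the "Do not allow manual entry" setting is meant to prevent.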

Simplified Reconciliation: Vendor to Ledger Reconciliation Report

Is there a more efficient way to perform vendor reconciliation without manually comparing reports? Yes!

D365FO provides a built-in report that directly compares vendor balances against ledger balances, eliminating the need for manual calculations.

Generating the Vendor to Ledger Reconciliation Report: Navigate to Accounts payable >> Periodic tasks >> Vendor to ledger reconciliation report.



















Apply the required filters, including a specific date range.

Run the report and review the output.










The report provides a direct comparison of total vendor balances and corresponding ledger balances.

In this example, the total vendor balance matches the total ledger balance at $85,670.78, confirming that there are no discrepancies. Since the balances align, this verifies that vendor transactions are accurately recorded in the ledger and no manual journal interventions have caused inconsistencies. This method provides a faster and more efficient way to verify vendor reconciliation without manually exporting and analyzing multiple reports.









CONCLUSION

Effective reconciliation is essential for maintaining financial accuracy and ensuring compliance in Dynamics 365 Finance and Operations. This article demonstrated the vendor reconciliation process, emphasizing both manual and automated approaches. While traditional reconciliation methods require exporting and validating reports, D365FO’s built-in Vendor to Ledger Reconciliation Report streamlines the process, providing a direct comparison of vendor and ledger balances.

Purchase Order Re-approval in Dynamics 365 Finance and Operations

  PURCHASE ORDER RE-APPROVAL IN DYNAMICS 365 FINANCE AND OPERATIONS This article provides detailed information about purchase order re-appro...