PRIVILEGED USER MANAGEMENT IN DYNAMICS 365 FINANCE AND SUPPLY CHAIN MANAGEMENT (D365F&SCM)
CONTENT: Introduction | Importance of time-bound security role assignment | Enabling time-bound security role assignment | Configuring time-bound security role assignment | Demo | Conclusion
INTRODUCTION
Managing privileged access is one of the most critical aspects of ERP security. In many organizations, users occasionally require elevated permissions—for example, to troubleshoot, perform testing, or complete month-end tasks. The problem arises when these elevated permissions remain active longer than necessary, creating security risks, compliance issues, and audit findings.
To address this challenge, Dynamics 365 Finance & Supply Chain Management (D365F&SCM) introduces time-bound role assignments as part of the User Security Governance module.
- Through the Temporary role management form, administrators grant elevated roles to a user only for a defined period. Once the period expires, the system automatically revokes the access and restores the user's original roles.
- Through Privileged user management, all activity performed during the elevated session can be recorded, giving the organization the evidence it needs for compliance and governance reviews.
In this article, we will cover why time-bound assignments matter, how to set them up, walk through a demo scenario, and explore how to monitor and audit their usage.
IMPORTANCE OF TIME-BOUND ROLE ASSIGNMENTS
Time-bound assignments are a practical answer to the problem of “standing” privileged access. Here’s why they are so important:
1. Compliance and Auditability: Regulations such as SOX and internal ITGC frameworks require organizations to demonstrate that elevated access is both controlled and temporary. Permanent administrator rights are a common audit finding because they create opportunities for inappropriate or undocumented activity.
Time-bound roles directly support compliance by ensuring access is limited to a defined window, automatically revoked afterward, and fully logged. This provides auditors with clear evidence that access management controls are designed and operating effectively.
From a segregation of duties (SOD) perspective, temporary assignments can also help organizations prove that conflicts are managed. If a role temporarily grants a user conflicting capabilities (e.g., vendor setup and payment release), the short validity period and audit trail demonstrate that the risk was identified, limited, and monitored.
2. Reduced Risk: Long-term administrator or finance manager roles create opportunities for fraud or unauthorized changes. Temporary assignments reduce this risk by limiting access to the minimum necessary time.
3. Operational Flexibility: Users can still be granted elevated roles to complete tasks without waiting for lengthy manual processes. The system handles the removal automatically.
4. Transparency: Security teams and auditors can easily review who had privileged access, for how long, and what actions they performed. This closes the loop between granting access and proving it was used responsibly.
ENABLING TIME-BOUND SECURITY ROLE ASSIGNMENT
Before you can use this functionality, ensure that the User Security Governance feature is enabled:
1. Go to System administration > Workspaces > Feature management.
2. Search for User security governance.
3. Select Enable now.
Once enabled, the feature is available under:
System administration > Security > Security governance > Temporary role management
and
System administration > Security > Security governance > Privileged user management
CONFIGURING TIME-BOUND SECURITY ROLE ASSIGNMENT
A complete solution consists of two configuration components:
- Assigning temporary security roles to users through the Temporary Role Management form.
- Monitoring and tracking their system activities using Privileged User Management.
Temporary Role Management
Temporary role management lets system administrators assign temporary roles to a specific user account for a specific amount of time (known as a session). This feature is useful when a user in a company is away from work for a period, or if a role must temporarily be divided among multiple users. When the session ends, the user account returns to its original roles.
Note: Always include the System user role in the list of temporary roles. Every account needs that role to sign in to the client, so if the temporary roles replace the user's existing roles and System user is missing, the user is locked out and receives an error at sign-in.
Privileged User Management
Privileged user management lets system administrators schedule a recording session for selected user accounts. During that session, all user interactions in Dynamics 365 finance and operations apps are recorded, provided the user reads the consent notice on the landing page and chooses to continue. This is useful whenever an account holds elevated privileges and its activity must be auditable: it helps ensure that the user performs no unauthorized actions, and it keeps a recording of the session in case it is needed later for audit or compliance reviews.
System administrators can also choose whether the user account is enabled or disabled when the session begins. As soon as the session ends, the account returns to its original state.
DEMO
Scenario
A specific user (Dogan) requires the Accountant role for 30 minutes to perform troubleshooting.
To maintain compliance, the system administrator temporarily assigns the role and records the user's activity, so that it can be verified afterwards that no configuration changes with a material impact were made.
Solution Overview
The solution requires two configurations:
- Assign the role temporarily via the Temporary role management form.
- Record user activities via the Privileged user management form.
Assigning the Accountant Role Temporarily
Navigate to System administration > Security > Security governance > Temporary role management
1. Create a new entry and assign the User ID.
2. Choose whether the temporary role will be merged with existing roles or replace them.
3. Enter the start and end time of the assignment.
In this scenario, the role is assigned for 30 minutes (4:00 - 4:30)
4. Select the temporary roles to be assigned (Accountant and System user). System user must be included so the user can still sign in if the temporary roles replace the existing ones.
5. Change the entry's status to Planned so that the batch job can process it.
Note: Original roles can be viewed in the Original roles fast tab.
Required setup is as shown below:
The next step is to make sure a recurring batch job exists that processes pending temporary role assignments:
- This setup is a one-time task.
- Once scheduled, the batch job runs periodically and applies or removes assignments based on the entries in the Temporary role management form and their start and end times.
When the batch job processes the entry at its start time, the entry status is updated to Active.
The role assignment will then appear as shown:
Privileged User Management
Navigate to System administration > Security > Security governance > Privileged user management
1. Create a new line and assign the User ID.
2. Enter the start and end time for task recording. In this scenario, recording runs for 25 minutes (4:05 - 4:30). Note that the first five minutes of the elevated session (4:00 - 4:05) are therefore not recorded; if full coverage is required, align the recording window with the role assignment window.
3. Change the entry's status to Approved so that the batch job can process it.
4. If no batch job for privileged user management is already running, set one up; an existing active batch job will pick up the entry without further setup.
When the batch job processes the Approved entry at its start time, the recording session begins.
At this point, the user receives a notification that their session is being recorded.
When the temporary role assignment expires, the entry status becomes Finished.
When task recording expires, privileged user management entry's status becomes Ended.
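The two procedures above (the temporary role assignment and the recording session) are both driven by the batch job comparing entry start and end times with the current time. The following model is an added example written for this article, not Microsoft's batch job code: it replays the demo scenario offline so the state transitions, the Merge/Replace behaviour, the System user requirement and the unmonitored gap between 4:00 and 4:05 can be checked. The status names are taken from the article; the class, field and function names, and the recorded action text, are assumptions made for the illustration.

```python
"""Offline model of time-bound role assignment and session recording.

Added illustration, not D365F&SCM code. Status names follow the article
(Planned -> Active -> Finished, Approved -> Active -> Ended); everything
else (class names, fields, the sample action) is assumed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SYSTEM_USER = "System user"  # every account needs this role to sign in


def at(hour: int, minute: int) -> datetime:
    """Clock helper for the demo day (constructed date)."""
    return datetime(2024, 1, 15, hour, minute)


@dataclass
class TempRoleAssignment:
    user_id: str
    roles: set[str]
    start: datetime
    end: datetime
    mode: str = "Merge"            # "Merge" keeps existing roles, "Replace" swaps them
    status: str = "Draft"          # Draft -> Planned -> Active -> Finished
    original_roles: set[str] = field(default_factory=set)


@dataclass
class PrivilegedSession:
    user_id: str
    start: datetime
    end: datetime
    status: str = "Draft"          # Draft -> Approved -> Active -> Ended
    recorded_actions: list[str] = field(default_factory=list)


class Directory:
    """Assumed stand-in for the user/role table."""
    def __init__(self, roles_by_user: dict[str, set[str]]):
        self.roles = {u: set(r) for u, r in roles_by_user.items()}


def plan(a: TempRoleAssignment) -> None:
    """Checks applied when the admin moves an entry to Planned."""
    if a.end <= a.start:
        raise ValueError("end time must be after start time")
    if a.mode == "Replace" and SYSTEM_USER not in a.roles:
        # Replace removes the original roles, so the user could no longer sign in
        raise ValueError("Replace mode without System user locks the account out")
    a.status = "Planned"


def process_temporary_roles(d: Directory, entries: list[TempRoleAssignment], now: datetime) -> None:
    """One run of the assumed recurring batch job for temporary roles."""
    for a in entries:
        if a.status == "Planned" and a.start <= now < a.end:
            a.original_roles = set(d.roles[a.user_id])       # remembered for restoration
            d.roles[a.user_id] = set(a.roles) if a.mode == "Replace" else d.roles[a.user_id] | a.roles
            a.status = "Active"
        elif a.status == "Active" and now >= a.end:
            d.roles[a.user_id] = set(a.original_roles)       # automatic revocation
            a.status = "Finished"


def process_sessions(sessions: list[PrivilegedSession], now: datetime) -> None:
    """One run of the assumed batch job for recording sessions."""
    for s in sessions:
        if s.status == "Approved" and s.start <= now < s.end:
            s.status = "Active"
        elif s.status == "Active" and now >= s.end:
            s.status = "Ended"


def record(sessions: list[PrivilegedSession], user_id: str, action: str, now: datetime) -> bool:
    """Client-side hook: keep the action only while a recording session is active."""
    for s in sessions:
        if s.user_id == user_id and s.status == "Active" and s.start <= now < s.end:
            s.recorded_actions.append(f"{now:%H:%M} {action}")
            return True
    return False


def unmonitored_minutes(a: TempRoleAssignment, s: PrivilegedSession) -> int:
    """Elevated minutes that fall outside the recording window (audit gap)."""
    overlap = max(timedelta(0), min(a.end, s.end) - max(a.start, s.start))
    return int(((a.end - a.start) - overlap).total_seconds() // 60)


def run_demo() -> tuple[dict[int, tuple[str, str, frozenset[str]]], list[str]]:
    """Replays the article's scenario in 5-minute batch runs from 4:00 to 4:35."""
    d = Directory({"Dogan": {SYSTEM_USER, "Employee"}})
    a = TempRoleAssignment("Dogan", {"Accountant", SYSTEM_USER}, at(16, 0), at(16, 30), "Replace")
    plan(a)
    s = PrivilegedSession("Dogan", at(16, 5), at(16, 30), status="Approved")
    timeline = {}
    for minute in range(0, 40, 5):
        now = at(16, 0) + timedelta(minutes=minute)
        process_temporary_roles(d, [a], now)
        process_sessions([s], now)
        record([s], "Dogan", "opened General ledger parameters", now)  # constructed action
        timeline[minute] = (a.status, s.status, frozenset(d.roles["Dogan"]))
    return timeline, s.recorded_actions


if __name__ == "__main__":
    for minute, state in run_demo()[0].items():
        print(f"4:{minute:02d}", state)
```

Running the model shows the Accountant role present only between the Active and Finished transitions, the original roles restored at 4:30, and exactly 5 elevated minutes with no recording, which is the gap the demo's 4:05 start leaves.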
Reviewing Recorded Activities
The recording file can now be downloaded from the privileged user management entry.
The downloaded recording file is then uploaded into the Security diagnostics for task recordings form for analysis.
Navigate to System administration > Security > Security diagnostics for task recordings
Select Open from this PC.
Click Browse.
Select downloaded recording file.
After upload completes, the system displays all recorded security entry points and the screens visited by the user.
At this point, the demonstration is complete: the user was granted temporary access, the session was recorded, and the resulting file was analyzed for transparency. This end-to-end process illustrates how D365F&SCM provides both operational flexibility and the audit trail needed to support compliance requirements.
Conclusion
Temporary role assignments and privileged user activity recordings provide organizations with a structured way to balance operational needs and compliance requirements. By enabling short-term access to sensitive roles and automatically tracking the resulting activities, D365F&SCM helps ensure that users can perform troubleshooting or exception handling without creating long-term segregation of duties risks. From a SOX and internal controls perspective, this capability is critical because it demonstrates that access is both time-bound and monitored, reducing the likelihood of unauthorized configuration changes or material misstatements. Establishing this governance framework not only strengthens audit readiness but also promotes a culture of accountability and transparency across the organization.