The Dynamics 365 Finance and SCM security model
How role-based security works in Dynamics 365 Finance and SCM — duties, privileges, roles, segregation of duties, and extensible data security.
Dynamics 365 Finance and Supply Chain use a layered, role-based security model derived from AX 2012. It's powerful, expressive, and considerably more complex than Business Central or the CRM apps. Understanding the hierarchy is essential.
The four layers.
- Privileges — the lowest level. A privilege grants access (read, create, update, delete, perform action) on one or more securable objects — menu items, fields, tables, services, reports. Privileges are the building blocks; Microsoft ships hundreds.
- Duties — a logical group of privileges that together let a user perform a job task: Maintain customer invoices, Approve vendor payments, Inquire into ledger balances. Duties are how you express "this job does these things".
- Roles — a job role assembled from duties: Accounts Payable Manager contains Maintain vendor master, Approve vendor invoices, Inquire into AP, etc. Users are assigned to roles.
- Process cycles — the highest level, grouping duties by business process for documentation purposes. Process cycles don't affect runtime security.
Why the layers. This structure lets Microsoft ship roles and customers compose them without rewriting privileges. A customer rarely creates privileges; they assemble duties, occasionally extend roles, and assign users.
Segregation of duties (SoD). F&O has a built-in SoD framework. Administrators declare which pairs of duties are conflicting (e.g. Maintain vendor master + Approve vendor payments) and the system blocks any role assignment that would violate them, surfacing the conflict for resolution.
Extensible Data Security (XDS). Beyond menu/object security, XDS restricts data at the row level — e.g. "salespeople see only customers in their region". XDS policies are defined as queries on the underlying tables and apply automatically wherever those tables are queried, including in custom reports.
Organisation hierarchy. Most security ties back to the organisation hierarchy — legal entities, operating units, departments, cost centres. Roles can be scoped to one or many entities; a user assigned to a role across multiple entities sees consolidated lists where appropriate.
Effective access tool. F&O provides an effective-access tool that, given a user, shows every securable object they can reach and the role chain that granted it. Use it to debug "why can I see/not see this?".
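The SoD check and the effective-access view described above can be reasoned about with a small model of the role, duty and privilege chain. The following is an added example, not F&O code or a Microsoft API: the role "Vendor Payments Clerk", the role "Ledger Viewer" and every securable-object name are hypothetical, and each privilege is reduced to an (object, access level) pair.

```python
# Constructed sample data: duty names follow the article's examples;
# "Vendor Payments Clerk", "Ledger Viewer" and all object names are hypothetical.
ROLES = {
    "Accounts Payable Manager": ["Maintain vendor master", "Approve vendor invoices"],
    "Vendor Payments Clerk": ["Approve vendor payments"],
    "Ledger Viewer": ["Inquire into ledger balances"],
}
# duty -> privileges, each privilege reduced to (securable object, access level)
DUTIES = {
    "Maintain vendor master": [("VendorMasterForm", "update")],
    "Approve vendor invoices": [("VendorInvoiceApproval", "perform action")],
    "Approve vendor payments": [("VendorPaymentApproval", "perform action")],
    "Inquire into ledger balances": [("LedgerBalanceInquiry", "read")],
}
# Pairs of duties declared as conflicting (the article's example pair).
SOD_RULES = [("Maintain vendor master", "Approve vendor payments")]


def duties_for(roles):
    """Map each duty to the roles that grant it."""
    granted = {}
    for role in roles:
        for duty in ROLES[role]:
            granted.setdefault(duty, []).append(role)
    return granted


def sod_conflicts(current_roles, new_role):
    """Return the SoD rules that adding new_role would violate, with the roles involved."""
    granted = duties_for(list(current_roles) + [new_role])
    return [{"duties": (a, b), "roles": sorted(set(granted[a] + granted[b]))}
            for a, b in SOD_RULES if a in granted and b in granted]


def assign(current_roles, new_role):
    """Block the assignment when it creates a conflict; otherwise return the new role list."""
    conflicts = sod_conflicts(current_roles, new_role)
    if conflicts:
        return list(current_roles), conflicts
    return list(current_roles) + [new_role], []


def effective_access(roles):
    """List (object, access, duty, role) chains: what is reachable and what granted it."""
    return sorted((obj, access, duty, role)
                  for duty, via in duties_for(roles).items()
                  for obj, access in DUTIES[duty] for role in via)
```

The conflict is evaluated over the union of duties across all of a user's roles, so two roles that are each clean on their own can still be blocked in combination.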
Practical advice. Start from Microsoft's shipped roles, copy them, edit the copies. Define SoD policies early. Don't grant the System Administrator role to anyone in production except true admins — it bypasses all security.