
A security “gotcha!” in Microsoft Dynamics 365 and how an extension can help manage it

Author: Arbela Security and Compliance Team
 

Perhaps one of the most challenging aspects of security in Microsoft Dynamics 365 Finance and Supply Chain Management is simply managing it internally: which users have which permission levels and what should be done—and where and when and how—in the event of, say, an enterprise restructure or an employee changing roles or leaving the business.

There may not be a more critical task than managing who has access and permission to approve and post items: the more people use your system, the higher the risk of mistakes, or even worse…

One of our developers recently discovered a “gotcha” in Dynamics 365 and — better yet — identified a tool to help address it, Arbela’s Audit & Security Manager (AASM) for Dynamics.

Here’s what he told us:

“Most [approving and posting items] can be found as menu items in the UI. However, the Approve posting with matching discrepancies is a ‘gotcha’ when investigating security through the UI.”

“But when I was looking in the Security configuration form, I realized that identifying who has access to edit or view this form is neither an adequate nor a precise identification of exactly who has access to the check box to turn on or off an Approval. So, I dug into the AOT [application object tree] and saw that the needed permission for the radio button is set to Manual.”

“I saw that a direct form control assignment of security is required. Fortunately, I work for Arbela and knew that our Audit & Security Manager extension for Dynamics would help quickly and easily identify who has the access to turn on or off this approval, as it has the capability to identify access to form control objects.”

A big thank you to our development team for spotting both the problem and the solution!