web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Blogs / Hardik’s Dynamics Dojo / Who Can Do What in D365FO? ...

Who Can Do What in D365FO? A Simple Guide to Roles, Duties, and Privileges

Views (10)
HardikPatel523 Profile Picture HardikPatel523 229

Security in D365FO — Not as Scary as It Sounds

When developers first hear Security Architecture in Dynamics 365 Finance & Operations, it can feel like something only security experts or auditors are supposed to understand.
But relax.
At its core, it answers one simple question:
Who is allowed to do what in the system?
That’s it.
No mystery. No hidden magic.
Microsoft solves this using four building blocks:
  • Roles
  • Duties
  • Privileges
  • Menu Items
Once you understand how these connect, everything starts to make sense.
Let’s make it even easier — by relating it to something very familiar:
👉 A developer’s daily life (yes, including debugging at 2 AM)

Step 1 — Menu Items (The Actual Action)

Let’s start from the bottom.
A Menu Item represents the actual action or page in the system.
For example:
  • Open Sales Order form
  • Post Purchase Order
  • Run a report
  • Execute a batch job
Think of a menu item as:
The actual place where something happens 
A menu item is like:
  • Code editor
  • Git repository
  • Deployment pipeline
  • Bug tracking tool
You might want to deploy…
…but if you don’t have access to the deployment pipeline, you’re just a spectator 😄

Step 2 — Privileges (Permission to Perform an Action)

Next comes Privileges.
The word comes from:
- Privus → private
- Lex → law
Meaning: a special permission granted to someone

In D365FO, privileges define what you can do:
  • View
  • Create
  • Edit
  • Delete
A privilege is:
What action you are allowed to perform
For example:
  • Create code
  • Modify code
  • Delete code
  • Trigger deployment
You may have access to the repo…
…but if you only have read access, you’re basically there for moral support 😄

Step 3 — Duties (Grouping Responsibilities)

Now comes Duties.
A Duty represents:
A responsibility or task you perform
In D365FO, duties group multiple privileges together.
Example:
Maintain Sales Orders may include:
  • Create sales order
  • Edit sales order
  • View sales order
A duty is:
What you are responsible for in your job 
For example:
  • Writing code
  • Fixing bugs
  • Reviewing code
  • Deploying changes
Each of these responsibilities includes multiple permissions (privileges).

Step 4 — Roles (Who You Are)

At the top level, we have Roles.
A Role represents:
Who you are in the system

Examples:
  • Sales Manager
  • Accountant
  • Warehouse Worker
  • System Administrator
A role is simply a collection of duties.

A role is:
Your title… and sometimes your fate 😄

For example:
  • Developer
  • Senior Developer
  • Tech Lead
Each role comes with a set of responsibilities (duties).
And sometimes… more meetings.

Putting It All Together

The hierarchy looks like this:
Role → Duties → Privileges → Menu Items

Developer Mapping
- Role → Developer
- Duties → Writing code, fixing bugs, deployments
- Privileges → Create/edit/delete/execute actions
- Menu Items → Tools like editor, repo, pipelines

A developer (Role) performs responsibilities (Duties), which require permissions (Privileges), on actual tools/actions (Menu Items).

Why Microsoft Designed It This Way

Imagine assigning access like this:
  • Every user
  • Every action
  • Every screen
It would become chaos in large organizations.
Instead:
  • Developers define privileges
  • Functional teams organize duties
  • Security admins assign roles
This makes the system:
  • Scalable
  • Reusable
  • Easy to manage

Final Thoughts

The D365FO security model might look complex at first, but it’s actually very structured:
- Menu Items → where action happens
- Privileges → what action is allowed
- Duties → what responsibility you have
- Roles → who you are
Or simply:
Roles define who you are, duties define what you do, privileges define what you're allowed to do, and menu items are where it happens.

And just like in development…
Giving the wrong access doesn’t just cause confusion…
👉 It might let someone deploy to production on Friday evening
…and we all know how that story ends 😄

Let’s See This in Action (UI Walkthrough with a Bit of Reality 😄)

So far everything sounds clean and well-structured.
But let’s be honest…
Until you see it in the UI, it still feels a bit “theoretical”😄
Let’s fix that.

Where to Start in the UI

First, navigate to:
👉 System administration → Security → Security configuration

What is this page?



Think of this page as:
The control room of “who can do what” in D365FO
 
This is where you can:
  • View Roles, Duties, Privileges
  • Modify access
  • Add/remove permissions
  • Basically… control how much power each user gets 😄

Step 1 — Find a Role

Now let’s follow a real example.
1. Go to Roles
2. Filter for:
👉 Sales Manager



Now you’re looking at a Role
(aka: who the person is in the system)

Step 2 — Go to Duties

Click on Duties
You’ll now see all responsibilities assigned to this role.
Let’s pick one:
👉 Enable customer process



At this point:
You’re basically asking:
“What does this Sales Manager actually do?”

Step 3 — Drill Down to Privileges

Now click on Privileges
You’ll see a list of privileges under that duty.
Pick one:
👉 Maintain customer groups

---

Now things get interesting 👀

Step 4 — Explore Menu Items

Click on Display menu items
💡 Wherever you see a “+” icon, it means:
“Go ahead, click me… there’s more inside” 😄

Expand it and you’ll find:
👉 CustGroup (Menu Item)
This is the actual form/action in the system.


Step 5 — See (and Change) Permissions

Now click on CustGroup
Here you’ll see:
  • Read
  • Update
  • Create
  • Delete
👉 These are your actual permissions



And yes…
You can change them right here 😄

Important Insight (Very Important 👇)

- All this structure (roles, duties, privileges) is defined in code
- But at the same time…
👉 You can configure and modify it from the UI

From this page, you can:

  • Add/remove roles
  • Assign duties
  • Modify privileges
  • Add sub-roles
  • Adjust permissions directly
Basically…
You don’t always need a developer for changes
(but please still inform them 😄) 

Why This Page Matters

Imagine this scenario:
  • A user says: “I can’t access this form”
  • Another says: “Why can I delete this??”
This page is where you:
👉 Investigate
👉 Fix
👉 Prevent future chaos

Don’t Forget This Step (Seriously)

After making any changes:
👉 Click Publish



If you don’t…
You’ll spend the next 30 minutes wondering
“Why is nothing working?”😄

Creating & Understanding Security (The Easy Way)

If you’re wondering:
“How do I create roles, duties, privileges properly?
Good news 👇
👉 It’s actually quite simple once you explore existing ones.
Microsoft has solid documentation here:

Pro Tip

The best way to learn security in D365FO is:
  • Open the UI
  • Click around
  • Expand everything with a “+”
  • And reverse-engineer how things are connected

Final Reality Check

D365FO security is not hard.
It just looks like:
“A lot of layers created by someone who really loved structure”
 
But once you walk through it:
Role → Duties → Privileges → Menu Items
It becomes very predictable.

And remember:
With great access… comes great responsibility 😄 
Especially when “Delete” permission is involved.

Comments