I'm investigating if it's possible to capture an event when a user gets assigned to, or removed from, a role in Finance and Operations. I've been trying to search, but mostly it seems that it's recurring jobs and reports that can be used for this. I'm aware of the "SecurityUserRole" table, but it seems I can't extend it.
In case you have more details and a better understanding of the exact requirements, feel free to update this thread. Then we can check if there are enough details to suggest the best way to go forward.
Instead of developing something yourself, based on the requirements, you can also check out ISV solutions that do support additional logs on security changes.
@André Arnaud de Calavon, I can't be more specific at this time than I need to know if a user gets assigned to a new role, primarily. Then I also need to know if a role gets new privileges. I'm not sure how duties are going to fit into it. The requirements are not completely clear, and I don't have the full understanding of the security of Finance nor the third party system. I understand your reply to mean that I should use the OData API to ask for the changes, either when an event triggers or regularly. We will probably go this way, or via a batch job. It's not clear yet.
I'm not able to suggest the best option as you didn't mention what exact details you need for your export. Anyway, when you have an alert used to start a Power Automate flow, you can use some payload details to get more data using data entities.
@hca it sounds like you have a few things to try out, be sure to share how you go along.
For business events in general, where you don't have all the information you need in the payload, consider a pattern where you orchestrate a call to get more data. For example, a logic app could consume the business event via a service bus or endpoint, and then call an OData entity to get additional fields.
You need a license for Sentinel obviously, but you need to understand a bit about the tool that will receive the information, to understand what options you have of delivering the event logs.
Just saying that MS are looking to use database log entries from D365FO as the event logs for their SIEM tool.
@Anthony Blake, I probably don't need real time, but there is no requirement when it comes to that. I do prefer business events, but I don't think I can get all the info I need through alerts. I guess I can ask the API regularly as you say, but then we need to detect the changes ourselves. We might be able to just push it to the third party and they take care of it, I am not sure at the moment.
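The polling approach discussed in the post above means comparing two exports of user-role assignments yourself. The following is an added example, not part of the original thread and not Microsoft code, showing that comparison over two constructed snapshots. The field names `UserId`, `SecurityRoleIdentifier` and `AssignmentStatus` and all role names are assumptions; adjust them to the entity you actually export.

```python
import json

# Constructed sample snapshots (not real data). Field names are assumptions
# about the shape of a user-role export; role names are made up.
PREVIOUS = [
    {"UserId": "alice", "SecurityRoleIdentifier": "CONSTRUCTED_LEDGER", "AssignmentStatus": "Enabled"},
    {"UserId": "bob", "SecurityRoleIdentifier": "CONSTRUCTED_SYSTEM_USER", "AssignmentStatus": "Enabled"},
    {"UserId": "bob", "SecurityRoleIdentifier": "CONSTRUCTED_AP_CLERK", "AssignmentStatus": "Enabled"},
]
CURRENT = [
    {"UserId": "alice", "SecurityRoleIdentifier": "CONSTRUCTED_LEDGER", "AssignmentStatus": "Disabled"},
    {"UserId": "bob", "SecurityRoleIdentifier": "CONSTRUCTED_SYSTEM_USER", "AssignmentStatus": "Enabled"},
    {"UserId": "alice", "SecurityRoleIdentifier": "CONSTRUCTED_SYSADMIN", "AssignmentStatus": "Enabled"},
]


def index(rows):
    """Map (user, role) -> assignment status for one snapshot."""
    return {
        (r["UserId"], r["SecurityRoleIdentifier"]): r.get("AssignmentStatus", "")
        for r in rows
    }


def diff_assignments(previous, current):
    """Return change events between two snapshots, sorted for stable output."""
    old, new = index(previous), index(current)
    events = []
    for user, role in new.keys() - old.keys():
        events.append({"change": "assigned", "user": user, "role": role,
                       "status": new[(user, role)]})
    for user, role in old.keys() - new.keys():
        events.append({"change": "removed", "user": user, "role": role,
                       "status": old[(user, role)]})
    for key in old.keys() & new.keys():
        if old[key] != new[key]:  # same assignment, status flipped
            events.append({"change": "status_changed", "user": key[0],
                           "role": key[1], "from": old[key], "status": new[key]})
    return sorted(events, key=lambda e: (e["user"], e["role"], e["change"]))


if __name__ == "__main__":
    # One JSON object per line is easy for a downstream log collector to ingest.
    for event in diff_assignments(PREVIOUS, CURRENT):
        print(json.dumps(event))
```

A role that is assigned and removed again between two polls never appears in either snapshot, so this comparison cannot report it.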
@NikolajSorensen, thank you, that sounds interesting, I will investigate. We can't assume that Microsoft Sentinel is available, and at least it's not in my development environment, but it sounds like something that would be useful.
Your requirement seems to be to enable a SIEM type tool to identify when security related events happen, such as changes to user roles or role configurations.
Microsoft's Sentinel solution uses a connector which works with the database log entries in D365FO. I would probably advise you to do something similar if you are not using Sentinel. The database log entries don't rely on alerts or batch jobs to populate.
If you are using Sentinel, then use the connector.
You will need to set up database logging on the relevant tables/fields in D365FO.
@hca how close to real time do you need your 3rd party system to be updated?
If it's periodic, you can use recurring integrations or the package API; if it's immediate, you should implement business events. You can set the frequency of the batch job for events.
Thank you André, yes, it's another rabbit hole I need to jump into soon.
While we are on the subject, how often will the batch job for the alerts run, and am I better off creating my own batch job to export security details? I don't think using alerts will get me everything I need anyway.
To have alerts active, you would need to check the batch job details. It might be the case that the batch job doesn't have any tasks in a demo environment. Recently, I had to recreate a batch job for the change-based alerts to make the alerts feature work correctly.