D365 F&O Security Configuration Lost After Customer Package Update

Hi experts,
we are experiencing an issue in Dynamics 365 Finance & Operations (PU45) related to security configuration.
 
After applying the customer’s package updates in the Production environment, the system silently modifies the security configurations of custom roles that were created directly in D365 F&O. These roles are not linked to objects developed in AOT or deployed through packages. The changes are not triggered by any user action and are logged under the SYSTEM user ID in the audit trail.
 
This behavior is not consistent, but it occurs frequently enough that we must manually correct the configuration each time.
 
Looking at the audit trail, it appears that something (associated with the SYSTEM user) happens at the end of the package update process, likely during database synchronization.
 
Has anyone experienced something similar? 
 
Do you have any suggestions about what process might be causing the security configuration to be lost?
 
Thank you
  • Suggested answer
    Navneeth Nagrajan
     
    A few questions:
    1. Had you published the privileges, roles and duties from the front end and linked them through the application?
     
    Suggestions:
    If the answer to the above-mentioned question is yes, then a package shouldn't disrupt these privileges, roles and duties being published. However, if you are synchronising system user related objects as a part of the package, then these published objects' changes will be altered. Experienced this typically with database refreshes from higher to lower environments (which is definitely the case) and with ISV-based solutions or with packages that have related roles, privileges and duties associated with the published security-related components from the front end.
     
    Hope this helps. Happy to answer questions, if any.
     
  • FR-22121547-0
    Hi
    thank you for your suggestion, but if I understood your question correctly, this is not the case.
     
    The strange thing is that this behavior occurs randomly, and it happens in all cloud environments (Prod, UAT, and Preprod) except TEST.

    The only difference is that the TEST environment contains the base configuration, which was set up manually, whereas the other environments were configured by migrating the settings via an XML file using the standard “Security configuration / Data / Export - Import” functionality.
     
    Thank you.
  • Suggested answer
    André Arnaud de Calavon
    Hi,
     
     
    Can you tell if the custom configured roles contain duties and/or privileges maintained in Visual Studio (provided out of the box)? If so, in case standard elements are changed, it will also update custom roles as a dependency update. This is intended behavior.

    In case you only used configured privileges and duties, it should not impact them.
  • FR-22121547-0
    Hi @André Arnaud de Calavon, thank you for your suggestion.

    The issue seems to occur with custom security objects (privileges and roles) that exist in the AOT but have been further customized using the standard functionality tool. It appears that when a new package is applied, the configuration made through the standard tool is lost, and the system reverts to the configuration stored in the AOT. This behavior makes sense and is understandable.
     
    However, the strange part is that this situation happens in all cloud environments (UAT, Preprod, Production) but never in the TEST environment. The only difference is that the TEST environment hosts the base security configuration created manually, whereas in the other environments, the configuration is imported via XML using the standard export/import security configuration function.
     
    Additionally, my impression is that the configuration imported via XML does not seem to be fully consistent with the configuration created manually, which may explain why the system updates the configuration during deployable package installation.
  • André Arnaud de Calavon
    Hi,

    You have an interesting observation. Can you elaborate on what elements of the roles are not consistent with the configuration? What exact tool or function are you using to move roles from one environment to another?
  • FR-22121547-0
    Hi,
    the elements that seem to be inconsistent, and therefore replaced after the package deployment, are custom privileges and roles.
     
    This issue does not appear to occur with standard objects of the same type.
     
    Regarding the tool used to export and import the configuration, we use the function available under System administration → Security configuration.
    In this form, under the Data tab, there are two functionalities: Export and Import. We use these to export the base configuration from the TEST SAT environment and import it into the other environments (from UAT to Production).
     
    Thank you
  • André Arnaud de Calavon
    Hi,

    I would like to learn more about what custom objects are causing what inconsistencies. In case you can share a reproducible scenario, I would like to dive into it.
  • FR-22121547-0

    Hi André, thank you again for your interest in this topic.

    I’m not able to reproduce the exact scenario, especially on a DEV machine, but I can share the final result observed at the end of the package installation. This comparison is between:

    • TEST environment – where the base configuration is hosted (Screen1)
    • Golden environment – where the security configuration was imported via an XML file exported from TEST and used for Production package validation (Screen2)
    In screenshot 1 (TEST environment), there are multiple display menu items. Except for the first menu item, all others are standard display menu items. This is the right configuration.
    In screenshot 2 (Golden environment), after package deployment, all the standard menu items disappear, and only one display menu item remains (the custom menu item).
     
    Additionally, I can confirm that the role XXXX_Store Manager has been completely created and managed using the standard D365F&O tool. In the AOT, this role does not exist as a custom object.
     
    Any suggestion would be greatly appreciated.
     
    Thank you
    Screen1_TEST.png
    Screen2_GOLDEN.png
  • André Arnaud de Calavon
    Hi,
     
    The privilege on the screenshot seems to be created in the AOT and possibly changed via the Security configuration form. Can you confirm if the privilege has only one display menu item in the AOT and that all other menu items are added in the UI?
  • FR-22121547-0
    Hi André,
    yes, I confirm that the security privilege has only one display menu item as its entry point object.
     
    I’ve also uploaded a screenshot showing the security privilege structure in the AOT for your reference.
     
    As I mentioned before, the strange thing is that this issue occurs randomly across all cloud environments, except for the TEST environments that host the base configuration.
     
    Thank you
    AOT_PrivilegeStruct.png
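
The revert-to-AOT behaviour described in this thread can be caught by snapshotting privilege entry points before and after each package deployment and comparing them against the AOT definition. This is an added example, not part of the original thread and not Microsoft tooling; the snapshot structure and every privilege and menu item name in it are constructed assumptions.

```python
# Added example: constructed placeholder data, not the D365 F&O export XML
# schema. Each snapshot maps a privilege name to its display menu items.

AOT = {  # definition shipped in the deployable package
    "XXXX_CustomPrivilege": {"XXXX_CustomMenuItem"},
}
BEFORE = {  # snapshot before package deployment (UI customizations present)
    "XXXX_CustomPrivilege": {"XXXX_CustomMenuItem", "StdMenuItemA", "StdMenuItemB"},
    "XXXX_UiOnlyPrivilege": {"StdMenuItemC"},
    "XXXX_OtherPrivilege": {"StdMenuItemD"},
}
AFTER = {  # snapshot after package deployment
    "XXXX_CustomPrivilege": {"XXXX_CustomMenuItem"},
    "XXXX_UiOnlyPrivilege": {"StdMenuItemC"},
    "XXXX_OtherPrivilege": {"StdMenuItemD", "StdMenuItemE"},
}


def at_risk(aot, current):
    """AOT-defined privileges whose current entry points differ from the AOT
    definition, i.e. UI changes that a revert to AOT would discard."""
    return {
        name: sorted(current[name] ^ entry_points)
        for name, entry_points in aot.items()
        if name in current and current[name] != entry_points
    }


def classify_drift(aot, before, after):
    """Compare two snapshots and label each changed privilege."""
    findings = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, set()), after.get(name, set())
        if old == new:
            continue
        reverted = name in aot and new == aot[name]
        findings.append({
            "privilege": name,
            "kind": "reverted_to_aot" if reverted else "other_change",
            "lost": sorted(old - new),
            "gained": sorted(new - old),
        })
    return findings


if __name__ == "__main__":
    print("at risk before deployment:", at_risk(AOT, BEFORE))
    for finding in classify_drift(AOT, BEFORE, AFTER):
        print(finding)
```

Running `at_risk` ahead of a deployment lists the privileges whose UI-added entry points exist only in the database, which are the ones to move into the AOT definition or re-check after the update.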
