web
You’re offline. This is a read only version of the page.
close
Skip to main content
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Finance | Project Operations, Human Resources, ... / How to restrict access...
Finance | Project Operations, Human Resources, ...
Suggested answer

How to restrict access to Data Entities for users

(0) ShareShare
ReportReport
Posted on by HBrook 40

hi

We need to make all Data Entities readonly for all users and allow write access to some users and some entiries. Is this something possible out of the box or with minimum customization?

The only thing I can think of is create a table that will contain a list of roles and allowed dataentities. In DMFWriter class hopefully there will be a hook were we can throw error if the user role - entity does not exist for the new table.

I have the same question (0)
  • Suggested answer
    André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 300,293 Super User 2025 Season 2 on at
    RE: How to restrict access to Data Entities for users

    Hi Harry,

    This can be achieved with security permission settings. For each data entity, there are two privileges: Maintain .... data entity and View .... data entity. You can create a duty with all privileges containing the View permissions. In addition, you can create specific duties and link the desired maintain privileges for specific roles.

    If it would be too hard to find all related view privileges for the data entities, you can also create one new privilege and add all entities with read-only permissions.

    Related blog post: What are the options for securing data projects - Dynamicspedia

  • HBrook Profile Picture
    HBrook 40 on at
    RE: How to restrict access to Data Entities for users

    Sorry should have mentioned earlier. We looked at creating new privilege however that is too much of a task. We will need to do a validation after each upgrade/quality update. Another issue is we will need to add this 'deny' privilege to each role and this privilege needs to work with highest level. For e.g. Say a user has role 1 and role 2. Role 1 has the access and Role2 it is denied using our new privilege then User will need to have the access. This will not work using the security framework.

  • André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 300,293 Super User 2025 Season 2 on at
    RE: How to restrict access to Data Entities for users

    Hi Harry,

    I'm not able to understand your reply. Why are you mentioning 'deny' privilege? This is not required when you are using read only permissions on entities via privileges. Deny has the priority over granting access. So, indeed if you are using this, users will never get write access if they have another role with 'deny'.

    You now add a variable called 'validation after update'. This is what you would need to do anyway. Without adding permissions for new entities, the users will not have access. What is the business reason to provide a user read permissions to all data entities?

    I would recommend using the standard security options as I mentioned in my previous reply and not try to hook in on the DMFWriter class with custom coding.

  • HBrook Profile Picture
    HBrook 40 on at
    RE: How to restrict access to Data Entities for users

    Let us say a user has accountant role and purchase order maintainance role (just making up example). Accountant role allows write access to an entity but all other roles will only have read access.

    In this case if we use standard framework then accountant will lose write access. (because the user has PO maintainance role which has read only access).

    There are also other concerns that I raised above.

  • Suggested answer
    André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 300,293 Super User 2025 Season 2 on at
    RE: How to restrict access to Data Entities for users

    Hi Harry,

    Your understanding is incorrect. Let me try to explain it in a different way. When adding an entity to a privilege, you can set access permissions for Read, Create, Update and Delete separately. For each access type, you can have access as: Unset, Grant and Deny. They are listed in priority. Unset would mean that there is no decision taken. Then another security object might have the permissions for access type.

    If you have a "view" privilege, you would need to have set Grant for Read and all others should be Unset, not Deny.

    For a 'maintain' privilege, you can then set them all to Grant. When a user then as both privileges via the same or different roles, the maximum will be applied which is in case of maintain Grant for all access types.

    Only when you would have a security object with Deny permissions, then indeed this has the highest priority and this will ensure that a user will never have the permissions, even when Grant was used. 

    For your scenario, in this case, you should only work with Unset and Grant.

  • HBrook Profile Picture
    HBrook 40 on at
    How to restrict access to Data Entities for users
    Unfortunately, we need to set it to deny for some users. Each upgrade comes with new set of entities and users are getting access to the entity :(
     
    We are going ahead with a customization but that is proving to be a challange as well.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Pallavi Phade – Community Spotlight

We are honored to recognize Pallavi Phade as our Community Spotlight honoree for…

Congratulations to the October Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Finance | Project Operations, Human Resources, AX, GP, SL

#1
Martin Dráb Profile Picture

Martin Dráb 667 Most Valuable Professional

#2
CU05031448-0 Profile Picture

CU05031448-0 584

#3
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 554 Super User 2025 Season 2

Last 30 days Overall leaderboard

Featured topics

End-of-life Announcement for Microsoft Dynamics GP

Product updates

Dynamics 365 release plans