Security Role for Access Administrators


We engaged a third-party service provider to develop a Dynamics 365 application for managing our organization's services, including appointment booking, invoicing, and other features. Their consultant claims that it’s not possible to create a role for security access administrators without granting them read/write access to appointment and invoice entities, among others.

Is this accurate? It’s hard to believe that Microsoft wouldn’t support roles specifically designed for security administrators to manage user permissions without unnecessary access to sensitive data.

  • Vahid Ghafarpour
    12,166 Super User 2025 Season 2
    Security roles in Dynamics 365 are highly customizable. You can define privileges at the table level, specifying actions such as Read, Write, Create, Delete, Assign, Share, Append, and Append To:
     
  • Verified answer
    Daivat Vartak (v-9davar)
    7,835 Super User 2025 Season 2
    Hello RA-21031751-0,
     

    You're right to be skeptical. The third-party consultant's claim that a security access administrator role must have read/write access to appointment and invoice entities is incorrect and reflects a misunderstanding of Dynamics 365's security model.

    Dynamics 365 Security Model:

    Dynamics 365 has a very granular and flexible security model that allows you to create roles with highly specific permissions. You can absolutely create a role for security administrators that grants them the necessary privileges to manage users and roles without giving them access to business data like appointments and invoices.

     

    How to Create a Security Administrator Role (Correct Approach):


    1. Create a New Security Role:

      • In Dynamics 365, go to Settings > Security > Security Roles.
      • Click New.
      • Give the role a descriptive name, such as "Security Administrator."

    2. Configure Core Security Administration Privileges:

      • Business Management Tab:

        • User: Grant privileges for managing users (Create, Read, Write, Delete, Assign, Share).
        • Security Role: Grant privileges for managing security roles (Create, Read, Write, Delete, Assign, Share).
        • Team: Grant privileges for managing teams (Create, Read, Write, Delete, Assign, Share).
        • Business Unit: Grant privileges for managing business units (Create, Read, Write, Delete, Assign, Share).
        • Hierarchy Security Configuration: Grant privileges for configuring hierarchy security if needed. 

      • Customization Tab:

        • Web Resources: Grant privileges for managing web resources (Read, Write, Create, Delete).
        • Plug-in Assemblies: Grant privileges for managing plug-in assemblies (Read, Write, Create, Delete).
        • SDK Message Processing Steps: Grant privileges for managing SDK message processing steps (Read, Write, Create, Delete).
        • Process: Grant privileges for managing processes.
        • Entity: Grant privileges to customize entities.
        • Attribute: Grant privileges to customize attributes.
        • Relationship: Grant privileges to customize relationships.
        • Form: Grant privileges to customize forms.
        • View: Grant privileges to customize views.
        • Chart: Grant privileges to customize charts.
        • Dashboard: Grant privileges to customize dashboards.
        • Field Security Profile: Grant privileges to manage field security profiles.
        • Model-driven App: Grant privileges to manage model-driven apps.
        • Site Map: Grant privileges to manage site maps. 

      • Service Management Tab:

        • Queue: Grant privileges for managing queues.
        • Routing Rule Set: Grant privileges for managing routing rule sets. 

      • Marketing Tab (if applicable):

        • Marketing List: Grant privileges for managing marketing lists. 

      • Sales Tab (if applicable):

        • Sales Literature: Grant privileges for managing sales literature. 

      • Customer Service Tab (if applicable):

        • Case: Grant privileges for managing cases.
        • Knowledge Article: Grant privileges for managing knowledge articles. 

      • Project Service Tab (if applicable):

        • Project: Grant privileges for managing projects. 

      • Field Service Tab (if applicable):

        • Work Order: Grant privileges for managing work orders.


    3. Do NOT Grant Access to Business Data Entities:

      • Crucially, do NOT grant any privileges (Read, Write, etc.) to the appointment, invoice, or other business data entities. 

    4. Save and Publish:

      • Save the security role.
      • Publish the customizations. 

    5. Assign the Role to Security Administrators:
       
      • Assign the "Security Administrator" role to the users who will be managing security.


    Why the Consultant Might Be Mistaken:

    • Lack of Dynamics 365 Expertise: The consultant might not have a deep understanding of the Dynamics 365 security model.
    • Default Role Misunderstanding: They might be mistakenly referring to the "System Administrator" role, which does have broad access to all entities.
    • Convenience: They might be taking a shortcut by granting excessive permissions instead of carefully configuring a role with specific privileges.


    Important Considerations:

    • Principle of Least Privilege: Always follow the principle of least privilege, granting only the necessary permissions.
    • Testing: Thoroughly test the security administrator role to ensure that it works as expected.
    • Auditing: Enable auditing to track changes made by security administrators.


    Key Recommendation:

    • Insist on a security administrator role that does NOT grant access to business data entities.
    • If necessary, seek a second opinion from a Dynamics 365 security expert.


    You are absolutely correct in questioning this consultant's approach. It is entirely possible to create a security role that allows for the management of users and roles without granting access to sensitive business data.

     
    If my answer was helpful, please click Like, and if it solved your problem, please mark it as verified to help other community members find more. If you have further questions, please feel free to contact me.
     
    My response was crafted with AI assistance and tailored to provide detailed and actionable guidance for your Microsoft Dynamics 365 query.
     
    Regards,
    Daivat Vartak
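
One way to test a role built as described in the answer above, shown as an added example that is not part of the original thread or any Microsoft tooling: audit the role's exported privilege names for business-data grants and for missing administration privileges. It assumes privilege names follow the `prv<Action><Table>` pattern and have been exported to a plain list; the sample names, the table sets and the function names are constructed for illustration.

```python
import re

# Longest alternative first so "AppendTo" is not parsed as "Append" + "To...".
_PRIV = re.compile(r"^prv(AppendTo|Append|Create|Read|Write|Delete|Assign|Share)(\w+)$")

# Tables the administrator role must not touch. "Appointment" and "Invoice" come
# from the question; "Activity" is an assumption in case appointment privileges
# are exported under a shared activity name. Adjust to your environment.
BUSINESS_TABLES = {"appointment", "invoice", "activity"}

# Tables the role needs in order to manage access (assumed minimum: Read + Write).
ADMIN_TABLES = {"user", "role", "team", "businessunit"}
REQUIRED_ACTIONS = {"Read", "Write"}

def parse_privilege(name):
    """Split 'prvAppendToInvoice' into ('AppendTo', 'invoice'); None if unrecognised."""
    m = _PRIV.match(name.strip())
    return (m.group(1), m.group(2).lower()) if m else None

def audit_role(privilege_names):
    """Return (excess, missing, unparsed) for one role's privilege list."""
    granted, unparsed = set(), []
    for name in privilege_names:
        parsed = parse_privilege(name)
        if parsed is None:
            unparsed.append(name)      # keep for manual review, never ignore silently
        else:
            granted.add(parsed)
    excess = sorted(p for p in granted if p[1] in BUSINESS_TABLES)
    missing = sorted((a, t) for t in ADMIN_TABLES for a in REQUIRED_ACTIONS
                     if (a, t) not in granted)
    return excess, missing, unparsed

# Constructed sample export for a hypothetical "Security Administrator" role.
SAMPLE_ROLE = [
    "prvReadUser", "prvWriteUser", "prvReadRole", "prvWriteRole",
    "prvReadTeam", "prvWriteTeam", "prvReadBusinessUnit",
    "prvAppendToInvoice",   # business data: should be flagged
    "prvReadAppointment",   # business data: should be flagged
    "customPrivilege",      # not in prv<Action><Table> form
]

if __name__ == "__main__":
    excess, missing, unparsed = audit_role(SAMPLE_ROLE)
    print("business-data privileges to remove:", excess)
    print("admin privileges still missing:", missing)
    print("names needing manual review:", unparsed)
```

An empty `excess` list together with an empty `missing` list is the result to aim for before assigning the role; anything in `unparsed` needs a manual look.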
