
Security Role for Access Administrators


We engaged a third-party service provider to develop a Dynamics 365 application for managing our organization's services, including appointment booking, invoicing, and other features. Their consultant claims that it’s not possible to create a role for security access administrators without granting them read/write access to appointment and invoice entities, among others.

Is this accurate? It’s hard to believe that Microsoft wouldn’t support roles specifically designed for security administrators to manage user permissions without unnecessary access to sensitive data.

  • Suggested answer
    Daivat Vartak (v-9davar), Super User 2025 Season 1
    Hello RA-21031751-0,
     

    You're right to be skeptical. The third-party consultant's claim that a security access administrator role must have read/write access to appointment and invoice entities is incorrect and reflects a misunderstanding of Dynamics 365's security model.

    Dynamics 365 Security Model:

    Dynamics 365 has a very granular and flexible security model that allows you to create roles with highly specific permissions. You can absolutely create a role for security administrators that grants them the necessary privileges to manage users and roles without giving them access to business data like appointments and invoices.

     

    How to Create a Security Administrator Role (Correct Approach):


    1. Create a New Security Role:

      • In Dynamics 365, go to Settings > Security > Security Roles.
      • Click New.
      • Give the role a descriptive name, such as "Security Administrator".

    2. Configure Core Security Administration Privileges:

      • Business Management Tab:

        • User: Grant privileges for managing users (Create, Read, Write, Delete, Assign, Share).
        • Security Role: Grant privileges for managing security roles (Create, Read, Write, Delete, Assign, Share).
        • Team: Grant privileges for managing teams (Create, Read, Write, Delete, Assign, Share).
        • Business Unit: Grant privileges for managing business units (Create, Read, Write, Delete, Assign, Share).
        • Hierarchy Security Configuration: Grant privileges for configuring hierarchy security if needed. 

      • Customization Tab:

        • Web Resources: Grant privileges for managing web resources (Read, Write, Create, Delete).
        • Plug-in Assemblies: Grant privileges for managing plug-in assemblies (Read, Write, Create, Delete).
        • SDK Message Processing Steps: Grant privileges for managing SDK message processing steps (Read, Write, Create, Delete).
        • Process: Grant privileges for managing processes.
        • Entity: Grant privileges to customize entities.
        • Attribute: Grant privileges to customize attributes.
        • Relationship: Grant privileges to customize relationships.
        • Form: Grant privileges to customize forms.
        • View: Grant privileges to customize views.
        • Chart: Grant privileges to customize charts.
        • Dashboard: Grant privileges to customize dashboards.
        • Field Security Profile: Grant privileges to manage field security profiles.
        • Model-driven App: Grant privileges to manage model-driven apps.
        • Site Map: Grant privileges to manage site maps. 

      • Service Management Tab:

        • Queue: Grant privileges for managing queues.
        • Routing Rule Set: Grant privileges for managing routing rule sets. 

      • Marketing Tab (if applicable):

        • Marketing List: Grant privileges for managing marketing lists. 

      • Sales Tab (if applicable):

        • Sales Literature: Grant privileges for managing sales literature. 

      • Customer Service Tab (if applicable):

        • Case: Grant privileges for managing cases.
        • Knowledge Article: Grant privileges for managing knowledge articles. 

      • Project Service Tab (if applicable):

        • Project: Grant privileges for managing projects. 

      • Field Service Tab (if applicable):

        • Work Order: Grant privileges for managing work orders.


    3. Do NOT Grant Access to Business Data Entities:

      • Crucially, do NOT grant any privileges (Read, Write, etc.) to the appointment, invoice, or other business data entities. 

    4. Save and Publish:

      • Save the security role.
      • Publish the customizations. 

    5. Assign the Role to Security Administrators:
       
      • Assign the "Security Administrator" role to the users who will be managing security.


    Why the Consultant Might Be Mistaken:

    • Lack of Dynamics 365 Expertise: The consultant might not have a deep understanding of the Dynamics 365 security model.
    • Default Role Misunderstanding: They might be mistakenly referring to the "System Administrator" role, which does have broad access to all entities.
    • Convenience: They might be taking a shortcut by granting excessive permissions instead of carefully configuring a role with specific privileges.


    Important Considerations:

    • Principle of Least Privilege: Always follow the principle of least privilege, granting only the necessary permissions.
    • Testing: Thoroughly test the security administrator role to ensure that it works as expected.
    • Auditing: Enable auditing to track changes made by security administrators.


    Key Recommendation:

    • Insist on a security administrator role that does NOT grant access to business data entities.
    • If necessary, seek a second opinion from a Dynamics 365 security expert.


    You are absolutely correct in questioning this consultant's approach. It is entirely possible to create a security role that allows for the management of users and roles without granting access to sensitive business data.

     
    If my answer was helpful, please click Like, and if it solved your problem, please mark it as verified to help other community members find more. If you have further questions, please feel free to contact me.
     
    My response was crafted with AI assistance and tailored to provide detailed and actionable guidance for your Microsoft Dynamics 365 query.
     
    Regards,
    Daivat Vartak
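
One way to test the role described in the answer above, as an added example that is not part of the original post or Microsoft's tooling: a check that an exported privilege list grants nothing on the business-data tables named in the question. It assumes the role's privilege names and access depths have already been exported (that step is not shown); `audit_role`, `DENIED_TABLES` and `SAMPLE_ROLE` are hypothetical names, and the sample rows are constructed.

```python
# Added example: audit an exported role for privileges on business-data tables.
# Dataverse privilege names follow the pattern prv<Verb><Table>, e.g. prvReadInvoice.
VERBS = ("AppendTo", "Append", "Create", "Read", "Write", "Delete", "Assign", "Share")

# Tables the security-administrator role must not touch (taken from the question).
# Assumption: entries match the table part of privilege names in your environment.
DENIED_TABLES = ("appointment", "invoice")

# Constructed sample of (privilege name, access depth) pairs for a draft role.
SAMPLE_ROLE = [
    ("prvReadUser", "Global"),
    ("prvWriteUser", "Global"),
    ("prvReadRole", "Global"),
    ("prvAssignRole", "Global"),
    ("prvReadTeam", "Global"),
    ("prvReadBusinessUnit", "Global"),
    ("prvReadInvoice", "Global"),       # constructed violation
    ("prvWriteAppointment", "Local"),   # constructed violation
]


def audit_role(privileges, denied_tables=DENIED_TABLES):
    """Return sorted (table, verb, depth) for every privilege on a denied table."""
    denied = {t.lower() for t in denied_tables}
    findings = []
    for name, depth in privileges:
        if not name.startswith("prv"):
            continue  # not a table privilege name; ignore
        rest = name[3:]
        # A name such as prvAppendTopic is ambiguous (AppendTo + "pic" or
        # Append + "Topic"), so every verb that fits is tried against the deny list.
        for verb in VERBS:
            table = rest[len(verb):].lower()
            if rest.startswith(verb) and table in denied:
                findings.append((table, verb, depth))
                break
    return sorted(findings)


if __name__ == "__main__":
    for table, verb, depth in audit_role(SAMPLE_ROLE):
        print(f"FAIL: role grants {verb} on {table} at depth {depth}")
```

An empty result means the exported role holds no privilege on the listed tables; extend the deny list with every table that holds business data in your application.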
  • Vahid Ghafarpour, Super User 2025 Season 1
    Security roles in Dynamics 365 are highly customizable. You can define privileges at the table level, specifying actions such as Read, Write, Create, Delete, Assign, Share, Append, and Append To:
     
