Workflow security in Dynamics 365

Some organizations require that some of the business processes are approved by a user different than a person who has actually entered the given record. Are there some additional security privileges that you could use then? What should you do in this situation? In such a case, you would require manual approval or workflow approval for these workflow processes.

But let’s define workflow first. A workflow is an automated process thanks to which you get Dynamics 365 to perform a task that you need. The benefit of this is that you avoid any issues with having to perform such a task manually, every time it is necessary.

Each workflow process is associated with a single entity. And entity is defined by its ability to function independently from any accounts, forms, contacts, leads, etc.

When defining the first workflow, you need to take into consideration the following factors:

1. The activation triggers
2. The mode of execution (will it be in real time or rather in the background?)
3. The actions to be performed
4. The automation criteria

Before you start creating a new workflow, it is a recommended practice in Dynamics 365 to check if any of out-of-the-box workflows in D365 Finance and Operations app can be used instead. Then, you do not have to start working on a new workflow from scratch but rather create a new version of the existing workflow. You can modify it so that it precisely addresses the customer’s business requirements.

However, if there is no workflow in Dynamics 365 F&O that fits a specific requirement and there are no out-of-the-box workflows available that would address your specific requirement, then the development team can create a new automatic workflow templates.

Let’s differentiate between real-time and background workflow. Real-time workflows will be launched immediately which means that they are synchronous. On the contrary, an automatic workflow which you choose to run in the background is asynchronous. There is a benefit to background workflows. You can set these up with wait conditions that will trigger a specific processing delay (schedule it for a given time). A real-time automatic workflow does not allow for this configuration.

The workflow configuration is based on a workflow type. For each workflow type, you can create multiple workflow configurations.

In Dynamics 365, workflow types are available for different modules. The below is an example for creating workflow for General Ledger.

Unfortunately, some of Dynamics 365 modules do not offer any workflow type to address certain business requirements. If this is the case, with the help of Visual Studio developers can create new workflow type in D365 Finance and Operations.

What does the automatic workflow scope indicate? You can choose between the options such as “User”, “Organization” or “Business Unit”. And for reports, what is the difference between “Individual and “Organization” workflow settings for “Viewable By”?

Let’s deal with reports first. The “Viewable By” Section determines which user can see the report. “Organization” is pretty straightforward: it means that anyone in the organization can view a given report. “Individual” option, however, is quite misleading. It indicates that the access to the report depends on each users’ security roles (and their security privileges).

Let’s say that that you set the automatic workflow scope to “Individual” and you belong to business unit “Procurement”. All users within that unit with Read security privileges are able to view the reports for their business unit. However, anyone within the business unit “Sales” would not be able to view the reports as they have different security privileges assigned.

If we are talking about workflows, the “Scope” limits the records on which the workflow can be used. Let’s say the Scope is set to “User”. In this case, the workflow will only run on records owned by the user who has triggered the workflow. However, the situation changes if you ser the Scope to “Organization” Then, the automatic workflow can run on records owned by any users within Dynamics 365 F&O. The important thing to remember is that once the scope has been set, it cannot be amended afterwards so make sure that you choose the correct one. There are also options for “Business Unit” and “Parent: Child Business Unit”. These two refer to the records that the automatic workflow will run on in reference to the person who has triggered the workflow.

Let’s see what types of workflows are available in D365 application:

• General ledger workflow types
• Accounts payable workflow types
• Accounts receivable workflow types
• Budgeting workflow types
• Cash and bank management workflow types
• Expense management workflow types
• Fixed asset management workflow types
• Human resources workflow types
• Organization workflow types
• Procurement and sourcing workflow types
• Project management and accounting workflow types
• Inventory management workflow types
• Commerce workflow types
• Sales and marketing workflow types
• Time and attendance workflow types

Let’s now take a look at one of the case studies. The client wanted to prevent certain users from opening certain opportunity (a status field) in their Dynamics 365. Unfortunately, due to the default security roles config, they were unable to do so as this granular security is not available via security roles.

However, you can solve this problem with real time workflows. All you need to do is add a checkbox to the user record so that the automatic workflow checks if the user is allowed to perform this action. If the field was set to “no”, then you can have the workflow cancel the status change and come up with an alert/ error message.

In order to check if the user is the one who was opening the opportunity or not, the workflow needs to run before the change of the status. You can use any field for the workflow to update a hidden field. In this way, the field “Modify By” is set to the user trying to make the changes. The next step in the workflow is to check if the user is allowed to reopen the status field. If yes, then the status would change to “Open.