Now Reading: Dataverse Security fixes for Finance and SCM Users
-
01
Dataverse Security fixes for Finance and SCM Users
More and more Finance & Operations (F&O) features are being moved or at least being dependent on Dataverse. We are in a transition phase, and some things that are launched are not working all the way yet and need a little bit of extra touch. My latest work on this topic has mainly focused on the Dataverse security roles. When working with dual-platform scenarios, users are usually required to have a security role in both F&O and Dataverse/Power Platform. On the Dataverse side of these scenarios, it’s still a bit immature.
In this post, I will cover two dual security role scenarios:
- Electronic Reporting — Dataverse repository
- Inventory Visibility App
Electronic Reporting — Dataverse repository
If you go to the Electronic Reporting Workspace and Press Repositories
You will find a Repository Called Dataverse
To open this repository, you need to have the right security roles in Dataverse. Or else you will get this message:
Request to Dataverse failed.
Check that solution is installed and application user has access to Dataverse tables.
Error code: 51e642a2 Timestamp: 2025-03-28 14:57:19 Correlation Id: 3fe59534-44cf-4add-a3e0-6de1c450cb92 Exception thrown: System.ServiceModel.FaultException:
An error occurred when processing the security tokens in the message:CallerObjectIdShouldMapToValidUser
Server stack trace:at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at Microsoft.Xrm.Tooling.Connector.CrmServiceClient.Execute(OrganizationRequest request) at Microsoft.Dynamics365.LocalizationFramework.Extensions.OrganizationServiceFileDownloadExtensions.DownloadFilesFromAllRows(IOrganizationService service, String entityName, String fileAttributeName, Guid requestId) in D:dbselfmqnSourceFrameworksElectronicReportingLocalizationFrameworkForAxExtensionsOrganizationServiceFileDownloadExtensions.cs:line 108 at Microsoft.Dynamics365.LocalizationFramework.Repositories.Dataverse.OrganizationServiceIndexedFilesProvider.GetIndexFilesWithInfo() in D:dbselfmqnSourceFrameworksElectronicReportingLocalizationFrameworkForAxRepositoriesDataverseOrganizationServiceIndexedFilesProvider.cs:line 89
My first thought was that the out-of-the-box “Finance and Operations Basic User” would handle this, but it did not. When doing a deep dive into Microsoft learn, I found no out-of-the-box security role for this, but the page defined precisely what was needed in the security:
Import features from the repository – Finance | Dynamics 365
The solution is to create a new security role in Dataverse or pick up an existing role and add the right privileges for the following tables:
- Electronic Reporting Configuration File
- Electronic Reporting Configurations Index File
- Globalization Feature File
- Globalization Features Index File
I also uploaded my “Dynamics F&O — Electronic Reporting” role in a solution to GitHub if you wish to use it instead, you can find it here
Note:
This role should be used together with the “Base User” and the “Finance and Operations Basic User” roles.
Once the security is in place and added to your user, you should be able to press “Open” in the Dataverse repository and download any of the Financial reports that exist there.
This fix solves all Electronic Reporting needs even if you access it from other places in the system, like when downloading the Intrastat Reports.
It is worth mentioning that only the user who downloads the reports to F&O needs this access. Once downloaded, you do not need the role to use the report. It is, of course, also an option to let the system administrator download the reports, but that requires the Finance leads to know exactly what reports they are seeking, and that’s not always the case, they usually want to try around a bit by themselves.
Inventory visibility App
The Inventory Visibility App is a Model driven Power App and comes with a Dataverse role called: “Dynamics Inventory Service Role”. All users that should consume the app must have it together with proper security roles within F&O.
In order to start using the Inventory Visibility App, each user needs to fill out a popup the first time they access the app asking you for things like:
- Client id
- Tenant id
- Client Secret
(You need to set up an app registration in Azure for this and connect it to F&O)
If you just assign a user the “Dynamics Inventory Service Role” and perhaps even the “Finance and Operations Basic User,” the user won’t get the popup and, due to this, will be blocked from doing anything in the app. To get the popup, you need to assign the user the “Base User” role. (I still have not figured out what privilege that’s required for the popup to show…)
Once the popup is filled in, the “Dynamics Inventory Service Role” role has all the needed privileges to access the tables, but unfortunately, the app forms for all the configuration tables are not configured with the Dynamics Inventory Service Role.
Each Configuration table has two main forms, in most cases called “Information” and “IV UI V” View” (for some tables, the second form is named something else than “IV UI V” View”, but the features are alike)
The “Information” forms are empty (without any fields/parameters) but are set to be available for everyone. The “IV UI V2 View” forms have all the fields and parameters required to perform the setup, but they are only available for the “System Administrator” and the “System Customizer” (in some cases not even for them) and not the “Dynamics Inventory Service Role”.
The effect of this is that the users with the “Dynamics Inventory Service Role” have the right to all the setup needed on the database level, but they don’t have the UI to do it since all configurations they want to do look like this:
The solution for this issue is to go into each of the tables and change the “IV UI V2 View” forms security settings to either “Everyone” or add the “Dynamics Inventory Service Role” to the security role list for the form.
And then it works!
To not get any trouble you might also want to set the “IV UI V2 form” at the top of the form order
Make sure you only have the “IV UI V2 form” as fallback form
And uncheck all security roles from the Information forms:
These are the tables I found so far that needed this fix in order to run the app are:
- Allocation feature settings entity
- Calculated Measure Detail V2
- Calculated Measure Metadata V2
- Dimension Mapping
- Entity Version
- Inventory Summary feature settings entity
- Inventory System Configuration
- Job Status
- OnHand Change Schedule Configuration V2
- Physical Measure V2
- Reservation Mapping V2
- Schedule Feature Entity
- Soft reservation feature
- Transaction Feature Entity
- Transaction Fno Synchronization Configuration
- Transaction Logging Feature Entity
If you want to do it the quick and easy way, I also published a fix solution for this on my GitHub that you can download here
Note:
This Solution requires that the Inventory visibility app is already installed to the environment
If you want to learn more about the Microsoft Team here at Capgemini, take a look at our open roles and consider joining the team!
Dataverse Security fixes for Finance and SCM Users was originally published in Capgemini Microsoft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
