Now Reading: How Does the Deny Permission Impact User Licensing in D365FSC?
-
01
How Does the Deny Permission Impact User Licensing in D365FSC?
The ‘Deny’ permission can be an extremely powerful tool to ensure compliance within D365FSC, but what impact does it have on licensing?
I wrote about this topic a few years ago but figured it was time to revisit this with the new licensing methodology within D365FSC.
Testing Scenarios
For my testing I wanted to find an object which required a higher level license when assigned at a ‘write’ level (Update, Create, Delete) and a Team Member license at a Read level. In my testing I found the BankAccountStatement menu item display fit these requirements.
So I started setting up a couple different scenarios to test:
1) I created an ‘AA Test’ role and ‘AA Test Priv’ privilege which Granted Read, Update, Create, and Delete permission to the ‘BankAccountsStatement’ object
2) I created a ‘AA Test Deny’ role which was assigned the ‘AA Test Priv’ privilege along with a ‘ AA Test Priv Deny’ privilege which denied access to the BankAccountStatement object at a Update, Create, Delete, Correct, and Invoke levels. Effectively this makes the access to the BankAccountStatement object at a Read level.
3) I created an ‘AA Test Deny All’ role which is assigned the ‘AA Test Priv’ privilege along with a ‘AA Test Priv Deny All’ privilege which fully denies access to the BankAccountStatement object and grants read access to the Account_BR object. This effectively makes it so the ‘BankAccountStatement’ object should not be assigned to the ‘AA Test Deny All’ role and only the ‘Accountant_BR’ object should be assigned to the role.
License Usage Summary Output
1) In the first scenario, the ‘AA Test’ role is correctly identified as requiring a Finance license showing the ‘BankAccountStatement’ menu item display as having ‘Write’ access:
2) In the second scenario, the ‘AA Test Deny’ role incorrectly shows that the ‘BankAccountStatement’ object is still being analyzed at a ‘Write’ access level, which in turn is showing as requiring a Finance license still. The effective access to this object is ‘Read’ based on our security setup and should require a ‘Team Member’ license:
3) In the final scenario, the ‘AA Test Deny All’ role is also incorrectly showing that the role is assigned 2 objects and requiring a Finance license. The effective access in this case should be that the ‘BankAccountStatement’ object is not an object assigned to the ‘AA Test Deny All’ role and the only object that should be analyzed for licensing is the ‘Accountant_BR’ object:
Conclusion
Based on the findings above, it looks like the license analysis logic is only looking at objects being granted and is not considering the deny permission at all when determining the effective access user / role has which in turn makes the license analysis incorrect as well.
This is definitely something to keep in mind when developing and implementing your security framework for your organization, especially when using the Deny permission.
One Final Thought…
I wanted to quickly showcase the Fastpath Assure solution which does correctly handle deny permissions when calculating effective access to the user / role, which in turn ensures our licensing reporting is correct as well:
The post How Does the Deny Permission Impact User Licensing in D365FSC? appeared first on Alex Meyer.
Original Post https://alexdmeyer.com/2026/06/15/how-does-the-deny-permission-impact-user-licensing-in-d365fsc/
