Tip #842: Strange security results? Check teams

I created two dashboards and assigned each one to a different security role. However, users without the roles assigned to the dashboards are seeing both dashboards. What’s going on?

Whenever I come across an unexplainable security test result in Dynamics 365, the first thing I do is check the teams assigned to the users in question. In most cases, the unexpected result is caused by the user being a member of a team whose security role grants access to application components that the user's own roles do not.

Recommendations

  • Don’t use the same roles for team security and user security.
  • Limit the team role permissions to only the privileges needed by the team.
  • Consider separating the roles used by users and teams from the roles used to grant access to role-based forms and dashboards. This will prevent unintentional sharing of the role-based components with users and teams that should not see them.
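
The check described above can be scripted against an export of role assignments. The following is an added example, not code from the original post: it works out which dashboards a user sees only through team-inherited roles and which roles are shared between users and teams. All user, team, role and dashboard names are constructed for illustration.

```python
# Constructed sample data standing in for an export of role assignments.
# All user, team, role and dashboard names are hypothetical.
USER_ROLES = {"alice": {"Salesperson", "Sales Dashboard Viewer"},
              "bob": {"Customer Service Rep"}}
TEAM_MEMBERS = {"Sales Team": {"alice", "bob"}, "Support Team": {"bob"}}
TEAM_ROLES = {"Sales Team": {"Salesperson", "Sales Dashboard Viewer"},
              "Support Team": {"Service Dashboard Viewer"}}
DASHBOARD_ROLES = {"Sales Dashboard": {"Sales Dashboard Viewer"},
                   "Service Dashboard": {"Service Dashboard Viewer"}}


def role_sources(user):
    """Map each effective role of `user` to the places it comes from."""
    sources = {}
    for role in USER_ROLES.get(user, ()):
        sources.setdefault(role, set()).add("direct")
    for team, members in TEAM_MEMBERS.items():
        if user in members:
            for role in TEAM_ROLES.get(team, ()):
                sources.setdefault(role, set()).add(f"team:{team}")
    return sources


def dashboard_access(user):
    """Return {dashboard: sorted grant paths} for dashboards the user sees."""
    sources = role_sources(user)
    access = {}
    for dashboard, roles in DASHBOARD_ROLES.items():
        paths = {f"{role} ({src})"
                 for role in roles & set(sources) for src in sources[role]}
        if paths:
            access[dashboard] = sorted(paths)
    return access


def team_only_access(user):
    """Dashboards the user sees only because of team membership."""
    return sorted(d for d, paths in dashboard_access(user).items()
                  if not any(p.endswith("(direct)") for p in paths))


def shared_roles():
    """Roles assigned both directly to users and to teams."""
    direct = set().union(*USER_ROLES.values())
    via_team = set().union(*TEAM_ROLES.values())
    return sorted(direct & via_team)


if __name__ == "__main__":
    for name in USER_ROLES:
        print(name, dashboard_access(name), team_only_access(name))
    print("shared roles:", shared_roles())
```

In this sample, bob holds no dashboard role of his own yet sees both dashboards, which is the situation in the question at the top of the post.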

2 thoughts on “Tip #842: Strange security results? Check teams”

  1. Alexandros Miaris says:

    Excellent approach Joel!

  2. Stephan Smith says:

    Interesting approach. I’ll keep that one in mind on my next adventure. Thanks for sharing.
