Manage users and security
Users are internal employees of your organization, or external customers and vendors, who require access to the system to perform their jobs. It is not recommended that you add users from outside your company to your organization. Partners and other users who aren’t part of your organization should be invited only to projects.
Administrators can't remove automatically assigned roles from users. Users can be excluded from roles by the administrator.
When a user is excluded from a role, the role assignment for that user is no longer controlled automatically. Excluded users are listed in the role membership when the rules for automatic role assignment are run, or when an Active Directory group is assigned to a role. However, they are marked as excluded. The role's associated access is not granted to the excluded users. Users who are excluded from the role can't be assigned to the role again until the administrator removes the exclusion.
Here is an overview of creating new users, assigning security roles and linking records.
Create new users- Before you can access finance and operations apps, you must first be added to the Users page in System administration > Users. Users include internal employees of your organization, or external customers and vendors. Users can be imported or added manually. All users must be correctly licensed for compliant use.
Add an external user in Microsoft Entra ID and assign a license - External users must be represented in your tenant- directory (Microsoft Entra ID) so that they can be assigned licenses. Those external users should be added to the tenant in Microsoft Entra ID as guest users and then assigned the appropriate licenses. A requirement for finance and operations apps is that the guest user's company must use Microsoft Entra ID.
Manage users and security roles - To use anything other than common capabilities in finance and operations apps, users must be assigned to security roles. You can assign users to roles automatically, based on rules and business data, exclude users from automatic role assignment, or add users to roles manually.
Automatically assign users to roles - Based on business data, system administrators can automatically assign users to roles.
Exclude users from automatic role assignment - When you remove an exclusion by resetting the user's status, the user's role is assigned automatically. However, the user is not immediately assigned to the role or excluded from the role when you reset the status. Instead, the user is either assigned to the role or removed from the role the next time that the rules for automatic role assignment are run.
Manually assign users to roles - Users who are manually assigned to security roles must also be manually removed by the administrator. These users aren't removed from roles by rules for automatic role assignment.
Manually remove users from roles - Users who are manually assigned to security roles must also be manually removed by the administrator. These users aren't removed from roles by rules for automatic role assignment.
Batch job manager security role
By assigning a user to the Batch job manager security role, the user has permissions to copy batch jobs. They can change who can run jobs, and specify the time ranges during which jobs can execute. The Batch maintain security privilege is part of the Batch job manager security role. It allows a user to create an unplanned batch job and grant privileges to other users.
To be able to manage batch jobs, you should assign the user to the batch job manager security role, and not to the system admin or IT admin security.