Setup guide: Configure role-based Purchase Order filtering

This guide explains how to enable Dr Dynamics – My Purchase Order Security Pack for users in Dynamics 365 Finance & Operations.

When configured, users with the selected role will only see purchase orders where they are the Requestor or Orderer.

Before you start

You need:

  1. A user with the Security administrator role
  2. Dr Dynamics – My Purchase Order Security Pack deployed to the environment
  3. The security roles you want to restrict identified in advance

Important recommendation

We recommend that you create copies of standard roles such as Buying agent or Purchasing agent before applying the security policy context.

This gives you two options:

  1. an unrestricted role for users who should still see all purchase orders
  2. a restricted role for users who should only see their own purchase orders

Example:

  1. Buying agent → standard unrestricted role
  2. Buying agent – My PO Security → restricted role with POMyWorker

Step-by-step setup

Step 1: Open Security configuration

  1. Go to System administration.
  2. Select Security.
  3. Open Security configuration.

Step 2: Choose the role to restrict

On the Roles tab, select the role you want to use for restricted access.

Examples:

  1. Buying agent
  2. Purchasing agent

If you are following best practice, select your copied custom role rather than the original Microsoft standard role.

Step 3: Create a copy of the role (recommended)

If you want to preserve the original unrestricted role:

  1. Select the existing role, for example Buying agent.
  2. Click Copy.
  3. Enter a clear name for the new role.

Recommended naming examples:

  1. Buying agent – My PO Security
  2. Purchasing agent – Restricted PO Visibility

Then:

  4. Save the copied role.
  5. Select the new copied role.

Step 4: Enter the security policy context string

With the target role selected, locate the field called Security policy context string.

Enter the following value exactly:

POMyWorker

Make sure:

  1. the value is entered exactly as shown
  2. there are no extra spaces before or after the text
  3. the value uses the same capitalization

This context string activates the purchase order filtering behavior for that role.

Step 5: Publish the changes

After updating the role:

  1. Click Publish or complete the security configuration publishing step used in your environment.
  2. Wait for the security changes to finish publishing.

Do not skip this step. The change will not take effect until the updated security configuration has been published.

Step 6: Assign the role to users

Assign the restricted role to the users who should only see their own purchase orders.

If you kept the original role and created a restricted copy, make sure users are assigned to the correct role.

Typical approach:

  1. assign the restricted copied role to general purchasing users
  2. keep the original unrestricted role for managers, supervisors, or shared-service users who need broader visibility

Step 7: Test the setup

Sign in as a test user who has the restricted role assigned.

Then:

  1. Open All purchase orders.
  2. Review the visible records.
  3. Confirm the user only sees purchase orders where they are the Requestor or Orderer.

You should also test with:

  1. a user who should have restricted visibility
  2. a user who should retain full visibility
  3. at least one purchase order that belongs to another user

This helps confirm the role design is working as intended.

Expected result

After setup is complete, users assigned to a role with the Security policy context string set to POMyWorker will only see purchase orders relevant to them.

This helps enforce least-privilege access and reduce unnecessary visibility across purchasing and finance teams.

Recommended role design

For most customers, the best setup is:

  1. keep standard roles unchanged
  2. create copied restricted roles for affected user groups
  3. assign restricted roles only where limited purchase order visibility is required

This approach is safer and easier to support because it preserves an unrestricted fallback role if broader access is needed later.

Troubleshooting

Users can still see all purchase orders

Check the following:

  1. the role assigned to the user contains POMyWorker in Security policy context string
  2. security changes were published
  3. the user is assigned to the correct role
  4. the user does not also have another unrestricted role that grants broader access
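
The first and last checks above can be run offline against exported role and assignment lists. The script below is an added example, not part of the Dr Dynamics pack; the CSV layout, column names and sample users are constructed, and it assumes every listed role grants access to purchase orders.

```python
import csv
import io
from collections import defaultdict

CONTEXT = "POMyWorker"  # exact value from this guide

# Constructed sample exports. Column names are assumptions, and every role
# listed is assumed to grant access to purchase orders.
ROLES_CSV = '''role,context
Buying agent,
Buying agent – My PO Security,POMyWorker
Purchasing agent,
Purchasing agent – Restricted PO Visibility,"pomyworker "
'''
ASSIGNMENTS_CSV = '''user,role
alice,Buying agent – My PO Security
bob,Buying agent – My PO Security
bob,Purchasing agent
carol,Purchasing agent – Restricted PO Visibility
'''

def classify_roles(roles_csv):
    """Split roles into restricted (exact match) and near-miss context values."""
    restricted, near_miss = set(), {}
    for row in csv.DictReader(io.StringIO(roles_csv)):
        value = row["context"] or ""
        if value == CONTEXT:
            restricted.add(row["role"])
        elif value.strip().lower() == CONTEXT.lower():
            near_miss[row["role"]] = value  # wrong case or stray spaces
    return restricted, near_miss

def users_not_filtered(roles_csv, assignments_csv):
    """Users holding a restricted role plus any role without the exact value."""
    restricted, _ = classify_roles(roles_csv)
    by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(assignments_csv)):
        by_user[row["user"]].add(row["role"])
    return {
        user: sorted(roles - restricted)
        for user, roles in by_user.items()
        if roles & restricted and roles - restricted
    }

if __name__ == "__main__":
    _, near_miss = classify_roles(ROLES_CSV)
    for role, value in near_miss.items():
        print(f"context string mismatch on {role!r}: {value!r}")
    for user, extra in users_not_filtered(ROLES_CSV, ASSIGNMENTS_CSV).items():
        print(f"{user} also holds unrestricted role(s): {extra}")
```

In the sample data, bob is reported because he holds Purchasing agent alongside the restricted copy, and the second copied role is reported because its context string differs in case and has a trailing space.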

Users cannot see expected purchase orders

Check whether the user is actually the Requestor or Orderer on those purchase orders.

Also confirm:

  1. the correct role was assigned
  2. the test was performed after publishing security changes
  3. the user session was refreshed after the update

Changes do not appear immediately

Security changes may require:

  1. publishing to complete
  2. user sign-out/sign-in
  3. browser refresh

Best practices

  1. Use copied roles rather than editing standard roles directly
  2. Test in a non-production environment first
  3. Validate both restricted and unrestricted access scenarios
  4. Keep a small number of test users for ongoing regression testing
  5. Document which roles use POMyWorker

Example configuration

Role: Buying agent – My PO Security

Security policy context string:

POMyWorker

Result: Users assigned to this role only see purchase orders where they are the Requestor or Orderer.

Support

If you need help configuring the solution, contact:

support@drdynamics.co.uk

Support hours: Mon–Fri, 09:00–17:00 UK time

Initial response target: 1 business day