This topic gives an overview of the security architecture in Dynamics 365 HR. It is the same architecture as Dynamics 365 F&O.
By default, only authenticated users who have user rights can establish a connection.
Microsoft Azure Active Directory (AAD) is the primary identity provider. To access the system, users must be provisioned into an HR instance and must have a valid AAD account in an authorized tenant.
Authorization is the control of access to HR applications. Security permissions are used to control access to individual elements of the program: menus, menu items, action and command buttons, reports, service operations, web URL menu items, web controls, and fields in the Finance and Operations client.
Authorization is used to grant access to elements of the program. By contrast, data security is used to deny access to tables, fields, and rows in the database.
Use the extensible data security framework to supplement role-based security by restricting access to table records based on security policies. A security permission, as part of a user role, increases the access a user has to data, while a security policy decreases access to data.
In the security model, duties sit below security roles, and a security role is made up of one or more duties. Duties are a collection of security privileges and typically represent a specific part or piece of a business process. You will see duties like “Maintain Employees data”, “Inquire about Employees data”, or “Generate Employee sickness reports”. Adding or removing duties is the most common way to grant or revoke access to certain parts of a business process.
A security privilege is the lowest level in the Dynamics 365 HR security model. A security privilege contains the Create, Read, Update, Delete (CRUD) level permissions that can be toggled to meet very granular security requirements. Although security privileges can be added directly to a security role to meet a specific security requirement, it is best practice to assign them to a duty. Security privileges are the gateway to all access to any securable object in the application.
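To make the role → duty → privilege hierarchy and the "permissions add, policies subtract" rule concrete, here is a small Python model of it. This is an added illustration, not Microsoft's code or anything from the product; the table name `Employee`, the legal-entity policy, the privilege names and the sample rows are all constructed for the example. It shows two things the text states but does not demonstrate: a user holding several roles gets the union of every CRUD permission reachable through any of them, and an XDS-style policy filters rows regardless of how much those roles granted.

```python
"""Toy model of the Dynamics 365 HR security hierarchy:
role -> duties -> privileges -> CRUD permissions on securable objects,
plus extensible-data-security (XDS) style policies that restrict rows.

Added example, not product code. All names below are constructed.
"""
from dataclasses import dataclass, field

CRUD = frozenset({"create", "read", "update", "delete"})


@dataclass(frozen=True)
class Privilege:
    """Lowest level: a set of CRUD permissions on one securable object."""
    name: str
    securable: str           # constructed table / menu item name
    permissions: frozenset   # subset of CRUD


@dataclass
class Duty:
    """A piece of a business process: a collection of privileges."""
    name: str
    privileges: list = field(default_factory=list)


@dataclass
class Role:
    """Made up of one or more duties; privileges may also be attached
    directly, which the page notes is allowed but not best practice."""
    name: str
    duties: list = field(default_factory=list)
    direct_privileges: list = field(default_factory=list)


def effective_permissions(roles):
    """Role-based security is additive: the user gets the union of every
    permission granted by every privilege reachable through any role."""
    grants = {}
    for role in roles:
        privs = list(role.direct_privileges)
        for duty in role.duties:
            privs.extend(duty.privileges)
        for p in privs:
            grants.setdefault(p.securable, set()).update(p.permissions & CRUD)
    return {obj: frozenset(perms) for obj, perms in grants.items()}


def has_permission(roles, table, perm):
    """True if any role grants `perm` on `table`."""
    return perm in effective_permissions(roles).get(table, frozenset())


def apply_policy(rows, policies, table):
    """XDS-style policy: only rows satisfying every policy predicate for the
    table stay visible, regardless of what the roles granted."""
    visible = rows
    for policy_table, predicate in policies:
        if policy_table == table:
            visible = [r for r in visible if predicate(r)]
    return visible


def query(roles, policies, table, rows):
    """Combine both layers: deny outright without a read grant, otherwise
    return only the rows the policies allow."""
    if not has_permission(roles, table, "read"):
        raise PermissionError(f"no read access to {table}")
    return apply_policy(rows, policies, table)


# --- constructed sample data (duty names are the ones the page lists) ---
inquire_employees = Duty("Inquire about Employees data", [
    Privilege("EmployeeView", "Employee", frozenset({"read"})),
])
maintain_employees = Duty("Maintain Employees data", [
    Privilege("EmployeeMaintain", "Employee",
              frozenset({"create", "read", "update"})),
])
hr_assistant = Role("HR assistant", [inquire_employees])
hr_manager = Role("HR manager", [maintain_employees])

# Constructed policy: the user may only see workers of their own legal entity.
USER_LEGAL_ENTITY = "USMF"
policies = [("Employee", lambda row: row["legal_entity"] == USER_LEGAL_ENTITY)]

SAMPLE_ROWS = [  # constructed rows
    {"worker_id": "000001", "legal_entity": "USMF"},
    {"worker_id": "000002", "legal_entity": "DEMF"},
    {"worker_id": "000003", "legal_entity": "USMF"},
]

if __name__ == "__main__":
    print(effective_permissions([hr_assistant, hr_manager]))
    print(query([hr_assistant], policies, "Employee", SAMPLE_ROWS))
```

Running it shows the HR assistant alone gets only `read` on `Employee`, adding the HR manager role widens that to `create`, `read`, `update`, and yet the legal-entity policy still hides the DEMF worker from both, which is exactly the asymmetry the text describes: a privilege can only increase access, a policy can only decrease it.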
Here is the document for Security concepts.