3
Restrict ability to update other's personal settings/option for out of the box roles; In technical terms Basic level of Access for User Setting privilege in Security Role.

Currently, option to set "Basic" level of access for "User Setting" privilege in any custom or out of the box Security role is not present. Current options are None, Local(BU level), Deep( Parent Child BU) or Global (Organization). And for most of the out of the security roles default privilege is set to Local(BU level).

Local(BU level) access level technically allows an users to change personal options/setting for other users using D365 SDK or community tools. Currently there are no means to block an user to update setting for other users if we would like to keep personal option setting enabled. This is a security issue/gap and here is the abuse case -
It is critical to keep Personal Options enabled for other out of the box features and Outlook Email Tracking using server side sync is enabled for user A and User B. In current out of the box behavior (when user setting privilege is set to Local as there is no option for Basic), User A can change the "Email Filtering” settings to "All email messages" for User B who would like to keep the setting as Email messages in response to Dynamics 365 email".
Category: Platform
STATUS DETAILS
Needs Votes