Classifying Data in Dynamics 365
Dynamics 365 includes development features for tagging business data with specific classifications. Specifically, this includes data that is stored in table fields of the database and telemetry data that is emitted from the application.
About Data Classification
Classifying data serves different purposes. It can make data easier and more efficient to locate and retrieve, and also help to add another layer of protection and security for handling private and sensitive data. It can supplement your process for making the application compliant with legislative and regulatory requirements for collecting, storing, and using personal information.
Treat the data classification features offered in Dynamics 365 as the first layer of classification, done by developers (Microsoft and partners) on customizations, add-ons, and extensions. The second layer is classifying the sensitivity of the data itself; for more information, see Classifying Data Sensitivity. Also consider end users, and how they handle the data they provide and the data that is made available to them.
What are the different data classifications?
The following table describes the different classifications that you can apply to data:

| Classification | Description |
|---|---|
| CustomerContent | Content directly provided or created by admins and users. |
| EndUserIdentifiableInformation | (EUII) Data that identifies, or could be used to identify, the user of a Microsoft service. EUII does not contain Customer content. |
| AccountData | Customer billing information and payment instrument information, including administrator contact information, such as the tenant administrator's name, address, or phone number. |
| EndUserPseudonymousIdentifiers | (EUPI) An identifier created by Microsoft that is tied to the user of a Microsoft service. When EUPI is combined with other information, such as a mapping table, it identifies the end user. EUPI does not contain information uploaded or created by the customer (Customer content or EUII). |
| OrganizationIdentifiableInformation | (OII) Data that can be used to identify a tenant, generally configuration or usage data. This data is not linkable to a user and does not contain Customer content. |
| SystemMetadata | Data generated while running the service or program that is not linkable to a user or tenant. |
Classifying data in tables and fields
Table objects and field controls include the DataClassification property that you can use to tag data with one of the classifications previously described.
Dynamics 365 operates with some standard rules for classification:
- When you add a new field to a table, the field is assigned an initial value of ToBeClassified. This is a placeholder, not a classification; set the property to a real value before you ship the object.
- FlowField and FlowFilter fields are automatically set to the SystemMetadata data classification. This cannot be changed.
- Existing tables and fields (except for FlowFields and FlowFilters) in an application that has been upgraded from a Dynamics 365 version without the DataClassification property are automatically assigned the CustomerContent classification.
Microsoft is providing this DataClassification property as a matter of convenience only. It is your responsibility to classify the data appropriately and comply with any laws and regulations that are applicable to you. Microsoft disclaims all responsibility towards any claims related to your classification of the data.
For more information about this property, see DataClassification Property.
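The following AL table shows the rules above applied to a custom object. It is an added example, not code from the original page or from the product: the object IDs, the "Customer Note" scenario, and the field names are assumptions. The table-level DataClassification sets the default that fields inherit, each stored field overrides it where the content differs, and the FlowField is left without the property because its classification is fixed to SystemMetadata.

```al
// Added example (not from the original page). Object ID, names and the
// "Customer Note" scenario are assumptions made for illustration.
table 50100 "Customer Note"
{
    Caption = 'Customer Note';
    // Table-level default: fields that do not set DataClassification inherit it.
    DataClassification = CustomerContent;

    fields
    {
        field(1; "Entry No."; Integer)
        {
            Caption = 'Entry No.';
            AutoIncrement = true;
            // Generated by the service; not linkable to a person or tenant.
            DataClassification = SystemMetadata;
        }
        field(2; "Customer No."; Code[20])
        {
            Caption = 'Customer No.';
            TableRelation = Customer;
            // Entered by users: customer content (same as the table default, made explicit).
            DataClassification = CustomerContent;
        }
        field(3; Note; Text[250])
        {
            Caption = 'Note';
            // Free text typed by users is customer content.
            DataClassification = CustomerContent;
        }
        field(4; "Created By User ID"; Code[50])
        {
            Caption = 'Created By User ID';
            TableRelation = User."User Name";
            // Identifies an end user of the service: EUII, not customer content.
            DataClassification = EndUserIdentifiableInformation;
        }
        field(5; "Created At"; DateTime)
        {
            Caption = 'Created At';
            // Timestamp set by the system, not linkable on its own to a user.
            DataClassification = SystemMetadata;
        }
        field(6; "Customer Name"; Text[100])
        {
            Caption = 'Customer Name';
            FieldClass = FlowField;
            CalcFormula = lookup(Customer.Name where("No." = field("Customer No.")));
            Editable = false;
            // No DataClassification here: FlowFields are always SystemMetadata
            // and the property cannot be changed.
        }
    }

    keys
    {
        key(PK; "Entry No.") { Clustered = true; }
    }

    trigger OnInsert()
    begin
        // Populate the EUII and system fields from the session, not from user input.
        "Created By User ID" := CopyStr(UserId(), 1, MaxStrLen("Created By User ID"));
        "Created At" := CurrentDateTime();
    end;
}
```

Note that omitting the table-level property would leave any field without its own DataClassification at ToBeClassified, which is the state the rules above describe for newly added fields.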
Data classification on upgrade
When you upgrade an application from a Dynamics 365 version that does not contain the DataClassification property, existing tables and fields (except for FlowFields and FlowFilters) are automatically assigned the CustomerContent classification. You can then access the DataClassification property on these tables and fields and change the classification as needed. FlowFields and FlowFilters are assigned the SystemMetadata classification automatically.
After an upgrade, or after importing objects from .fob files that introduce new tables or fields, synchronize the new tables and fields so that data sensitivity classification covers them, by running the SyncAllFields function in the Data Classification Mgt. codeunit (codeunit 1750). No action is needed when extensions are installed, because installing an extension triggers SyncAllFields automatically. For example, run the following from the Dynamics NAV Development Shell, replacing the placeholders with your tenant ID, company name, and server instance:

```powershell
Invoke-NAVCodeunit -ServerInstance <ServerInstance> -Tenant <TenantID> -CompanyName <CompanyName> -CodeunitId 1750 -MethodName 'SyncAllFields'
```
The Field Data Classification report, which is described in the Viewing current field classifications section in this topic, provides an overview of the data classifications for fields. The report also lets you assign data classifications to more than one field at a time. For example, this is useful if you are assigning classifications for the first time, or have changed several fields and want to update their classifications. You can bulk-edit classifications only for fields in C/SIDE objects (the Dynamics NAV Development Environment). The script does not update fields in extensions.
To bulk-edit classifications, export the report to Excel, update the classifications, and save your changes. Then, in Windows PowerShell, run the following commands to import the Set-FieldDataClassificationFromExcelFile script (Import-Module) and set the classifications on the fields.
To run the script from the default folder on the DVD, run:
To update the DataClassification property, run the following command. Replace <FilePath> with the full path to the client files, for example C:\Program Files\Microsoft Dynamics NAV\110\RoleTailored Client.

```powershell
Set-FieldDataClassificationFromExcelFile -ExcelFilePath "C:\NAV\W1 Fields (Main).xlsx" -SheetName 'Field Data Classification' -RTCFolder "<FilePath>" -DBName Navision_NAV2 -OutputFolder C:\Nav2\Classifications
```
Viewing current field classifications
To view the data classification on all fields, you can do one of the following:
- From Dynamics NAV Development Environment, in the Tools menu, select Show Field Data Classification.
- From the client, search for and open the Field Data Classification page.
- Create a page that has the virtual table Field (ID 2000000041) as its source, and open the page in the client.
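The third option above, as an added AL example that is not part of the original page or the product: a list page over the Field virtual table (ID 2000000041) filtered to stored fields that still carry the ToBeClassified placeholder. The object ID and name are assumptions; the filter on Class = Normal excludes FlowFields and FlowFilters because their classification is fixed and never needs attention.

```al
// Added example (not from the original page). Object ID and name are assumptions.
page 50102 "Fields To Be Classified"
{
    Caption = 'Fields To Be Classified';
    PageType = List;
    ApplicationArea = All;
    UsageCategory = Lists;
    // Virtual table Field (ID 2000000041) describes every field in every table.
    SourceTable = Field;
    // Only stored (Normal) fields that still carry the initial placeholder value.
    // FlowFields and FlowFilters are excluded: their classification is fixed.
    SourceTableView = where(DataClassification = const(ToBeClassified), Class = const(Normal));
    Editable = false;

    layout
    {
        area(Content)
        {
            repeater(UnclassifiedFields)
            {
                field(TableNo; Rec.TableNo) { ApplicationArea = All; }
                field(TableName; Rec.TableName) { ApplicationArea = All; }
                field(FieldNo; Rec."No.") { ApplicationArea = All; }
                field(FieldName; Rec.FieldName) { ApplicationArea = All; }
                field(FieldType; Rec.Type) { ApplicationArea = All; }
                // Always ToBeClassified on this page; shown so the placeholder is visible.
                field(FieldClassification; Rec.DataClassification) { ApplicationArea = All; }
            }
        }
    }
}
```

An empty list on this page after an upgrade or after adding fields is the check you want before relying on the Data Sensitivity classification layer, since fields left at ToBeClassified have no meaningful classification.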
Classifying data in custom telemetry trace events
Custom telemetry trace events are defined by calls to the SENDTRACETAG function/method in the application code. The SENDTRACETAG function/method includes an optional parameter called DataClassification that you can use to tag the telemetry trace event with a data classification.
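The following AL codeunit is an added example, not code from the original page or the product, showing the DataClassification parameter of SendTraceTag in use. The object ID, name, tags, category, and the customer-blocking scenario are assumptions. The point it demonstrates is that the classification of an event is set by the most sensitive item in the message: a customer number is customer content, adding the user name makes the event EUII, and only an aggregate produced by the service is SystemMetadata.

```al
// Added example (not from the original page). Object ID, name, tags and
// category are assumptions made for illustration.
codeunit 50101 "Customer Telemetry"
{
    var
        CategoryTxt: Label 'CustomerMaintenance', Locked = true;
        CustomerBlockedTxt: Label 'Customer blocked. CustomerNo=%1', Locked = true;
        CustomerBlockedByTxt: Label 'Customer blocked. CustomerNo=%1 User=%2', Locked = true;
        BlockedCountTxt: Label 'Blocked customers in company: %1', Locked = true;

    procedure LogCustomerBlocked(Customer: Record Customer)
    begin
        // The message carries a key entered by users, so the event is CustomerContent
        // even though the tag and category are system values.
        SendTraceTag('CUS0001', CategoryTxt, Verbosity::Normal,
            StrSubstNo(CustomerBlockedTxt, Customer."No."),
            DataClassification::CustomerContent);
    end;

    procedure LogCustomerBlockedBy(Customer: Record Customer)
    begin
        // Including the user name identifies an end user of the service: classify
        // as EUII. Leaving this at SystemMetadata would misclassify the event.
        SendTraceTag('CUS0002', CategoryTxt, Verbosity::Normal,
            StrSubstNo(CustomerBlockedByTxt, Customer."No.", UserId()),
            DataClassification::EndUserIdentifiableInformation);
    end;

    procedure LogBlockedCustomerCount()
    var
        Customer: Record Customer;
    begin
        // An aggregate computed by the service, not linkable to a user or tenant.
        Customer.SetFilter(Blocked, '<>%1', Customer.Blocked::" ");
        SendTraceTag('CUS0003', CategoryTxt, Verbosity::Verbose,
            StrSubstNo(BlockedCountTxt, Customer.Count()),
            DataClassification::SystemMetadata);
    end;
}
```

The labels are marked Locked = true because telemetry text must not be translated. In newer Business Central versions SendTraceTag is marked obsolete in favour of Session.LogMessage, which takes the same DataClassification parameter, so the classification decisions shown here carry over unchanged.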