Payment service provider user roles and access
This article describes how to configure user access for payment service provider (PSP) roles in Microsoft Dynamics 365 Fraud Protection.
Payment service providers (PSPs) can grant users of Microsoft Dynamics 365 Fraud Protection various levels of access, based on logical or functional roles. PSPs can include any organization that provides payment services to other organizations (also referred to as "payment gateways," "payment processors," etc.). This article applies to both PSPs and merchants that were onboarded to Fraud Protection by their PSP.
Important
Information in this article is subject to change at any time.
Assign PSP roles
Users are managed through your assigned Microsoft Entra tenant.
Roles can be assigned to either of the following types of users:
- Users inside the organization's Azure tenant
- Users outside the organization's Azure tenant, who will be invited to join the tenant as guest users
Important
Users inside the organization's Azure tenant who are member users can view a list of all other users in the tenant. By contrast, users outside the tenant who join as guest users can view only users who are in the same Fraud Protection environment that they have access to. Assign member or guest roles to users according to your business privacy requirements.
For more information about how to directly add users to your Microsoft Entra tenant as members or nonguest users, see Create a user account in Microsoft Entra ID.
Assign PSP roles to users in Fraud Protection
To assign PSP roles to users in Fraud Protection, follow these steps.
- Open the Fraud Protection portal page.
- In the left navigation pane, select Settings, and then select User access.
- Select Assign role(s).
- Enter the name or email address of the person or group that you want to assign a Fraud Protection PSP role to.
Note
In the Azure tenant, suggestions for users will appear while you type. Select a suggestion if it matches the user that you want to assign a user role to. Otherwise, a message informs you that an invitation email is sent to the person or group that you entered, so that the person or group can join the Fraud Protection environment.
- In the Roles field, select one or more defined roles that you want to assign to the user.
- Select Assign role(s).
Note
Users outside the Azure tenant will join the tenant as guest users and will appear in the User access grid after they accept the invitation that is emailed to them and complete the sign-in/sign-up process.
Edit assigned roles
To edit the role that is assigned to a user in Fraud Protection, select the user in the Member list, and then select Edit.
In this part of the page, roles can be added to or deleted from a user. If you edit your own account (for example, if you delete your own administrative role), your edits might interfere with your ability to use some features of Fraud Protection. If you must restore permissions, you can reset them in the Azure portal.
To learn more about the available PSP roles, see the PSP user roles and access section of this article.
Revoke user access to the environment
To revoke a user's access to the current environment, select the user in the member list, and then select Revoke access.
Important
When you revoke access for a user, the user is removed from the current environment. However, they might still have access to other environments in the hierarchy. To fully remove a user's access to Fraud Protection, delete the user from your Microsoft Entra tenant. In this way, you completely remove the user's access to your tenant and its associated applications or services.
PSP user roles and access
Fraud Protection offers a defined set of user roles, each of which has access to specific features and functions. You can select the features and functions when you assign a user to the system.
Note
If you are shown a different selection of roles than those detailed below, you may be using the standard version of Fraud Protection. Go to Configure user roles and access instead.
Roles
The following roles are available for PSP users:
- PSP Admin – This role is a high-level administrative account that has full access to all PSP-related features. A user in this role can manage Fraud Protection for a PSP and its merchant customers.
- Fraud Manager – This role is an internal role in a PSP. A user in this role is intended to manage Fraud Protection for the PSP's merchant customers.
- Fraud Supervisor – This role provides the highest level of authority in a PSP's merchant customer. A user in this role can access merchant-facing functions that the PSP delegates to them.
- Fraud Analyst – This role is intended for a PSP's merchant customer who runs analysis and reports. A user in this role has read-only access to the merchant customer's data.
- Manual Review Agent – A user in this role is responsible for reviewing individual transactions and approving or declining them. Although manual review agents don't have direct access to the Support Lists page, they can modify the status of an entry in the support list through the Transaction Search page.
- Technical Developer – A user in this role is responsible for managing the technical configurations and integrations of a Fraud Protection instance for a PSP.
- Customer Service Support – A user in this role can view the transaction details and is provided with information that is required to handle customer queries.
- Reporting – This role provides access only to event tracing and activity logs. A user in this role can read activity logs and enable Fraud Protection events and data to be consumed into the PSP's internal reporting infrastructure.
Permissions
The following table shows the specific read/write permissions that users have on each page in the Fraud Protection portal, depending on their roles.
| Section | Subpage (tab) | PSP Admin | Fraud Manager | Fraud Supervisor | Fraud Analyst | Manual Review Agent | Technical Developer | Customer Service Support | Reporting |
|---|---|---|---|---|---|---|---|---|---|
| Virtual fraud analyst | Summary | Read only | Read only | Read only | Read only | No access | No access | No access | No access |
| | Rule analyst | Read only | Read only | Read only | Read only | No access | No access | No access | No access |
| | Threat analyst | Read only | Read only | Read only | Read only | No access | No access | No access | No access |
| | Score analyst | Read only | Read only | No access | No access | No access | No access | No access | No access |
| | Monitoring | Read only | Read only | Read only | Read only | No access | No access | No access | No access |
| | Search | Read only | Read only | Read only | Read only | Read only | No access | Read only | No access |
| | Event Details | Read/Write | Read/Write | Read/Write | Read only | Read/Write [1] | No access | Read only | No access |
| Rules | Performance | Read only | Read only | No access | No access | No access | No access | No access | No access |
| | Rule management | Read/Write | Read/Write | Read only | Read only | No access | No access | No access | No access |
| | Velocities | Read/Write | Read/Write | Read only | Read only | No access | No access | No access | No access |
| | Functions | Read/Write | Read/Write | Read only | Read only | No access | No access | No access | No access |
| Lists | Custom | Read/Write | Read/Write | Read/Write | Read only | No access | No access | No access | No access |
| | Support | Read/Write | Read/Write | Read/Write | Read only | Read/Write [1] | No access | Read only | No access |
| | External calls | Read/Write | No access | No access | No access | No access | Read/Write | No access | No access |
| Case management | Queues | Read/Write | Read/Write | Read/Write | Read only | Read/Write [2] | No access | No access | No access |
| | Report | Read only | Read only | Read only | No access | No access | No access | No access | No access |
| | Routing rules | Read/Write | Read/Write | Read/Write | Read only | No access | No access | No access | No access |
| API Management | API requests | Read only | No access | No access | No access | No access | Read only | No access | No access |
| | Errors | Read only | No access | No access | No access | No access | Read only | No access | No access |
| | Ontology | Read only | Read only | Read only | Read only | No access | Read only | No access | No access |
| Templates * | Environment | Read/Write | No access | No access | No access | No access | No access | No access | No access |
| | Assessment | Read/Write | Read/Write | No access | No access | No access | No access | No access | No access |
| | Rule | Read/Write | Read/Write | No access | No access | No access | No access | No access | No access |
| Integration | Dashboard | Read only | No access | No access | No access | No access | Read only | No access | No access |
| | Microsoft Entra Apps [3] | Read/Write | No access | No access | No access | No access | Read/Write | No access | No access |
| | Device Fingerprinting | Read/Write | No access | No access | No access | No access | Read/Write | No access | No access |
| | Event tracing | Read/Write | No access | No access | No access | No access | Read/Write | No access | Read/Write |
| Subscription | Summary | Read only | No access | No access | No access | No access | No access | No access | No access |
| | Details | Read only | No access | No access | No access | No access | No access | No access | No access |
| | User access | Read/Write | Read/Write | Read/Write | No access | No access | No access | No access | No access |
| Subject requests | Search | Read/Write | No access | No access | No access | No access | No access | No access | No access |
| | Requests | Read/Write | No access | No access | No access | No access | No access | No access | No access |
| Transaction acceptance booster | Opt in | Read/Write | No access | No access | No access | No access | No access | No access | No access |
| | Report | Read only | No access | No access | No access | No access | No access | No access | No access |
| Activity logs | | Read only | No access | No access | No access | No access | No access | No access | Read only |
[1] Users with the Manual Review Agent role can remove items from Support lists (for example, Safe, Block, and Watch) via the Event Details page, or add items to those lists. However, they can't read or edit the full Support lists page.
[2] Users with the Manual Review Agent role can make decisions (for example, Approve, Reject, or Send back to queue) about cases in queues. However, they can't modify higher-level queue settings.
[3] To create a Microsoft Entra application, the user must also be assigned the Application Administrator, Cloud Application Administrator, or Global Administrator role in your Azure tenant.
* To create a template from a resource, the user must have both read permission on the resource and write permission on the Templates page. To create a resource by using a template, the user must have both write permission on the resource and read permission on the Templates page.
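The permissions table can be used to pick the least-privileged role for a job function. The following is an added example, not part of the original article or of Fraud Protection: it encodes nine rows of the table and returns the single role that meets a set of page requirements with the least extra access. The function names are hypothetical, and the rule that a user with several roles gets the highest level any one of them grants is an assumption that the article does not state.

```python
ROLES = ["PSP Admin", "Fraud Manager", "Fraud Supervisor", "Fraud Analyst",
         "Manual Review Agent", "Technical Developer",
         "Customer Service Support", "Reporting"]
LEVEL = {"-": 0, "R": 1, "W": 2}  # No access < Read only < Read/Write

# Subset of the permissions table; one character per role, in ROLES order.
# Footnoted Read/Write cells (Manual Review Agent) are recorded as W even
# though the footnotes limit what that role can actually change.
MATRIX = {
    "Search":          "RRRRR-R-",
    "Event Details":   "WWWRW-R-",
    "Rule management": "WWRR----",
    "Custom lists":    "WWWR----",
    "External calls":  "W----W--",
    "Queues":          "WWWRW---",
    "Event tracing":   "W----W-W",
    "User access":     "WWW-----",
    "Activity logs":   "R------R",
}

def access(role, page):
    """Access level ('-', 'R' or 'W') that one role has on one page."""
    return MATRIX[page][ROLES.index(role)]

def effective(roles):
    """Assumption: several roles combine to the highest level any one grants."""
    return {p: max((access(r, p) for r in roles), key=LEVEL.get) for p in MATRIX}

def excess(roles, needs):
    """Total access granted beyond what `needs` ({page: level}) asks for."""
    eff = effective(roles)
    return sum(LEVEL[eff[p]] - LEVEL[needs.get(p, "-")] for p in MATRIX)

def least_privilege_role(needs):
    """Single role that satisfies every need with the least excess, or None."""
    ok = [r for r in ROLES
          if all(LEVEL[access(r, p)] >= LEVEL[lvl] for p, lvl in needs.items())]
    return min(ok, key=lambda r: excess([r], needs), default=None)

if __name__ == "__main__":
    print(least_privilege_role({"Search": "R", "Event Details": "W"}))
    print(least_privilege_role({"Event tracing": "W"}))
    print(effective(["Fraud Analyst", "Reporting"]))
```

A result of PSP Admin means that no narrower single role in this subset covers the stated needs.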
Member access
Members can access Fraud Protection by visiting https://dfp.microsoft.com/ and using a Microsoft account to sign in.
Guest user access
Guest users can access Fraud Protection after they accept an email invitation and sign up (or sign in).
To accept an invitation to Fraud Protection, follow these steps.
- Check your email inbox for an email that has the subject line "<Name> invited you to access applications within their organization."
- Select Accept invitation.
- If an existing Microsoft account or related account uses your email address, you're prompted to use that account to sign in. Otherwise, follow the setup process to sign up for a new account. After you're fully signed in, you should have access to Fraud Protection.
- Return to the invitation email, and write down or bookmark the exact link that appears after the text "If you accept this invitation, you will be sent to...." This link is in the format https://dfp.microsoft.com/.../... Each time that you access Fraud Protection, you must use this exact link.
- For future access, go to https://dfp.microsoft.com/ and sign in with the guest user account.
Switch between tenants
You can use the tenant picker to select which tenant you want to be in, provided you have multiple tenants with Fraud Protection provisioned.
To open the tenant picker, select the profile symbol on the top right of the dashboard, and then select Switch tenant. The tenant picker lists only the tenants that you, as a guest or administrator, have access to. To change to a different tenant, select the name of that tenant, and you're redirected to it.
If you receive an error that says global administrator privileges are required, select Switch tenant at the bottom of the screen. The tenant picker opens and you can select the proper tenant.