Microsoft Dynamics 365 for Finance and Operations' security definition is a development task, and the groundwork for the supporting security definition of the custom objects should be done as part of the development process.

In Dynamics 365 for Finance and Operations, role-based security is based on the following key concepts:

• Security roles: The security roles that are assigned to a user determine the duties that the user can perform and the parts of the user interface that the user can view. All users must be assigned to at least one security role in order to access Microsoft Dynamics 365 for Finance and Operations, Enterprise edition.
• Duties: Duties correspond to the parts of a business process. The administrator assigns duties to security roles. A duty can be assigned to more than one role.
• Privilege: In the security model of Microsoft Dynamics 365 for Finance and Operations, Enterprise edition, a privilege specifies the level of access that is required to perform a job, solve a problem, or complete an assignment. Privileges can be assigned directly to roles. However, for easier maintenance, it is recommended that you assign the privileges to duties and duties to roles.
• Permissions: Each function in Microsoft Dynamics 365 for Finance and Operations, Enterprise edition, such as a form or a service, is accessed through an entry point. The menu items, web content items, and service operations are collectively referred to as entry points. In the security model for Microsoft Dynamics 365 for Finance and Operations, Enterprise edition, permissions group the securable objects and the access levels that are required to run a function. This includes any tables, fields, forms, or server-side methods that are accessed through the entry point.
• Policies (Data Security Policy or XDS): These are used to restrict the data that a user can see in a form or a report. With this feature, you can create a query with restrictions. Then, you can create a security policy that can be applied to a security role. For example, if you wanted to limit your accounts-payable clerks from seeing the retail vendors, you could create a query on the vendor group table with a range that limits the retail vendors. You would then create a policy that includes this query and the security role. 

Microsoft provides various addins in Visual Studio for developers where they can get details about specific objects used in any particular role, duty, and so on, which helps them research any security issues.