From the blog of Alex Meyer, D365FO and Fastpath product expert:
There are a couple questions I get and issues I see quite often around setting up security in the D365FO user interface, so I figured I would make a post around things to watch out for.
Security is still hierarchy based, and needs to be created in that way
One of the things I’ve seen done quite often is a user trying to set up security where they assign just the access type to an object that a security layer should have (so assigning just Create like in the scenario below).
If this is done, when the user tries to use this access later on they will get a permission error.
The reason for this is that the user only has Create permission but not Read and Update permissions which means they cannot open the form. But if we look to see if this role truly does have Create permission to the object we can test that it does.