Read access to tables with compiled assemblies
The License to Role Mapping Risks described earlier can give newly created users broad access in an environment.
In one of our tests, we found that users with the automatically assigned "Company Base Default" role had "Read" permissions set to "Organization" on multiple tables. This included the table pluginassembly. This table contains all compiled D365 plugins.

These Read permissions allowed all users to read the data in this table and therefore to list the compiled assemblies.

Afterwards, with the endpoint /api/data/v9.2/pluginassemblies(:assembly-id)?$select=name,content, these assemblies could be downloaded as a Base64-encoded blob.

Once a user has downloaded the assemblies, they could try to decompile them and search for secrets directly in the code.
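
String literals survive compilation unchanged, so environment owners can audit their own plugin assemblies for hard-coded credentials instead of assuming compiled code hides them. The sketch below is an added example, not code from the original article: it takes a record with the name and content fields selected by the endpoint above and reports which credential keys appear, without echoing their values. The pattern list, the sample record and the Contoso name are constructed assumptions.

```python
import base64
import re

# Illustrative credential indicators; extend for your own naming conventions.
SECRET = re.compile(
    r"(?i)\b(password|pwd|client_?secret|accountkey|sharedaccesskey|api[_-]?key)"
    r"\s*=\s*([^;\s\"']+)"
)
# C# string literals are stored as UTF-16LE in the assembly's #US heap, so they
# survive compilation verbatim; metadata names appear as ASCII/UTF-8.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(blob: bytes):
    """Yield printable strings of 6+ characters in either encoding."""
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")


def audit_assembly(record: dict) -> list:
    """Return (assembly name, key, value length) per hit; values are not echoed."""
    blob = base64.b64decode(record["content"], validate=True)
    if blob[:2] != b"MZ":  # every PE file, managed or not, starts with "MZ"
        raise ValueError(f"{record['name']}: content is not a PE file")
    return [
        (record["name"], m.group(1), len(m.group(2)))
        for s in extract_strings(blob)
        for m in SECRET.finditer(s)
    ]


# Constructed stand-in for one pluginassemblies record: not a real assembly,
# only an MZ stub followed by a UTF-16LE literal and an ASCII name.
_literal = "Server=db.example.invalid;Password=Sup3rS3cret!;Encrypt=true"
SAMPLE = {
    "name": "Contoso.Plugins",
    "content": base64.b64encode(
        b"MZ" + b"\x00" * 62 + b"\x79" + _literal.encode("utf-16-le") + b"\x00\x00"
        + b"Contoso.Plugins.dll\x00"
    ).decode("ascii"),
}

if __name__ == "__main__":
    for name, key, length in audit_assembly(SAMPLE):
        print(f"{name}: hard-coded {key} ({length} chars)")
```

Any hit means the secret is readable by every account with Read access to pluginassembly, so the value should be rotated and moved out of the code.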
