André Arnaud de Calavon
The Microsoft Dynamics AX HCM team is investigating enabling payroll functionality for companies worldwide. Microsoft created a survey to find out which processes are performed within your organization or outsourced. They would also like to know for which countries companies are considering having the functionality in house or still outsourced.
Sometimes people have trouble with their Management Reporter and a data mart database based on Microsoft Dynamics AX. I have also encountered some problems in the past. If the synchronization is not working, or not working correctly, it could be related to data issues in your Microsoft Dynamics AX environment. In this post I will share some ways to find and some problems.
As announced earlier, Microsoft released the CU8 cumulative update for Microsoft Dynamics AX 2012 R2 (KB3042171). The version number of this release is 6.2.2000.14. So there is now a cumulative update 8 available for both AX 2012 R2 and AX 2012 R3. Due to the differences between R2 and R3, cumulative update 8 also differs between these versions.
Some time ago I encountered an issue where users in AX 2012 were able to modify records even when the security role should have had read rights only. More people have experienced this issue and others will in the future. This post will tell you about the cause and how to solve it in your environment.
Since the initial beta release of the Data Import/Export Framework, I have been very pleased with the tool. Over the years Microsoft made some great additional investments in this framework to help us import, export and migrate data using Microsoft Dynamics AX 2012. In this post I will inform you about a change that I experienced recently.
Recently I was surprised by an error which I had never encountered before. A feature had been working all the years I have worked with the Microsoft Dynamics AX product. Now, when using the feature to show all fields from one record in a form, AX gave me an error. This post will tell you about the error and the solution.
Microsoft released Cumulative update 11 for Management Reporter yesterday. This time I was waiting on this release for a reason. At a customer with a large number of companies and chart of accounts we encountered some problems with database growth where the disks were running out of space. This release seems to have the problem with the extreme database growth fixed.
As mentioned in my previous blog related to the Security Development Tool, I have a neat tip for developers (and interested functional people). With the help of the Security Development Tool, you can use the AX debugger to debug some scenarios which are not reproducible when you have the system administrator role assigned. With system administration rights the system will behave differently compared to users with limited permissions. In this post I will explain how to use the AX debugger in combination with the Security Development Tool.
Today Microsoft released a new cumulative update for Microsoft Dynamics AX2012 R3, named Cumulative Update 8 (KB2998197). The version number of this release is 6.3.1000.309.
After four posts about the Security Development Tool, I still have some tips to share. This time I will explain how to build a role using the least effort principle. In addition it will be explained how to track menu items which are not directly accessible from the menu but available on forms. I will also write about the usage of the Assign organizations in the Security Development tool.
Tip: Build using least effort principle
When it comes to authorization, it is usually best practice to grant the least possible privileges to each role or user. This minimizes the risk of wrong use of the system, fraud or exposure of confidential information. However, to reach the least possible privileges, you will have to create a lot of new privileges and duties for fine-tuning. This requires a lot of time, and the implementation costs will be higher. If some reports or forms are available with which the user cannot cripple the system, we can consider that as no or low risk. Granting a standard duty for e.g. maintaining vendor master data also includes some other forms, like contact persons, and reports. If it is not required to be able to print a report but there is no risk, it is easier to use the standard duties or privileges and thus have the report available for this user. Besides… I personally like to have the contacts form available within this duty, so I don’t have to bother too much to loop through all possible menu items.
Now back to the system to find the easiest way to add complete duties or privileges. The Security Development Tool offers a way to quickly find related duties and privileges and add them to the role. This is one of the features I like most about this tool. I will explain how…
First we need to open the Security Development Tool form. For this blog I created an empty Demo role to start with. I would like to add full access to all journal forms in Microsoft Dynamics AX 2012.
When we go to e.g. the General Journal, we can right-click and choose the menu option Reference duty.
This will open the next form with all duties available for this menu item. Note that it also shows duties which are not linked to a security role. When you look up the related security objects from the AOT, it will not show duties or privileges which are not attached to a role. So this tool is an enhancement on the AOT option.
You can review all duties and decide which one to take. In this example I will take the selected record. Click the button Add to role and the role will be updated with the duty. Note that refreshing the menu items with the new valid access levels will take some time. When AX has performed this task, you can see in the next picture it has granted access to all menu items (permissions) which were part of the duty.
You will also notice that menu items in other menus are activated by this single action. So by adding available duties you can build up a role very easily and relatively fast. You can do the same with privileges. A privilege mostly contains only a few menu items. Note that when assigning privileges, the functionality for Segregation of Duties will not be triggered, as it only works with duties. So as a best practice you should use duties as much as possible. When you need to disable some menu items, you can have a look at the tip Duplicate duties and privileges, which was described in part 2.
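An added example, not part of the original post or of the Security Development Tool: a small Python model of the trade-off in this tip, using constructed role, duty, privilege and menu item names. It lists the extra menu items a whole duty grants beyond what is needed, and flags a role where a directly assigned privilege is not seen by a duty-based Segregation of Duties check.

```python
# Simplified model: role -> duties -> privileges -> entry points (menu items).
# Every name here is constructed sample data, not an object from the AOT.
PRIVILEGES = {
    "JournalMaintain": {"JournalForm"},
    "JournalReport": {"JournalPrintReport"},
    "JournalPost": {"JournalPostAction"},
}
DUTIES = {
    "MaintainJournals": ["JournalMaintain", "JournalReport"],
    "PostJournals": ["JournalPost"],
}
SOD_RULES = [("MaintainJournals", "PostJournals")]  # duties that must stay separate


def expanded_privileges(role):
    """All privileges of a role: assigned directly or inherited from duties."""
    privs = set(role.get("privileges", []))
    for duty in role.get("duties", []):
        privs.update(DUTIES[duty])
    return privs


def surplus_entry_points(role, required):
    """Entry points the role can reach beyond the ones it actually needs."""
    granted = set()
    for priv in expanded_privileges(role):
        granted |= PRIVILEGES[priv]
    return granted - set(required)


def sod_violations(role):
    """Duty-level check: a rule fires only when both duties are assigned."""
    duties = set(role.get("duties", []))
    return [rule for rule in SOD_RULES if set(rule) <= duties]


def sod_blind_spots(role):
    """Rules met in effect through direct privileges but missed by the duty check.
    Assumption: a duty counts as held when all of its privileges are present."""
    privs = expanded_privileges(role)
    seen = sod_violations(role)
    return [rule for rule in SOD_RULES
            if rule not in seen and all(set(DUTIES[d]) <= privs for d in rule)]


by_duty = {"duties": ["MaintainJournals", "PostJournals"]}
by_privilege = {"duties": ["MaintainJournals"], "privileges": ["JournalPost"]}

if __name__ == "__main__":
    print(surplus_entry_points({"duties": ["MaintainJournals"]}, ["JournalForm"]))
    print(sod_violations(by_duty), sod_violations(by_privilege))
    print(sod_blind_spots(by_privilege))
```
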
Tip: Discover submenu items
When you want to change the permissions on menu items which are not available in a menu, but on a form, you can use the function Discover submenu items by using the context menu activated with the right mouse button.
This function will build a list of menu items which are used on the form and will also show the current access levels for each menu item. As with the menu items in the main menu, you can start changing the role by discovering duties or setting entry point permissions. You can even repeat the discovery of menu items to drill down to the next level of menu items related to that form.
Tip: Assign organizations when testing a role
When you want to know if a role will work correctly when it is limited to some legal entities, you can use Assign organizations in the Security Development Tool, just as is possible when you assign users to roles. This assignment will be used when you open a security test workspace.
You can click the button Assign organizations and assign one or more organizations to this role. In my example there is no assignment to the standard demonstration company USMF. There is only access for this role to two Consulting companies.
Once you have assigned the organizations, you can open the security test workspace. The first thing you will notice is that in the company USMF there are no menus available, with the Home menu as the exception. So for the USMF legal entity this is correct.
When you change the legal entity to e.g. USSI which was assigned, the menus and menu items related to the role are available and you can start testing the role. Note that also the System user role is assigned to the security test workspace next to the selected role.
One more tip to come…
I do have one more topic to share about the Security Development Framework. It looks like I have already covered all features, but there is one undocumented feature we found out a while ago. In fact it has no direct relation to security… It is a surprise for developers and nice to know for consultants. Curious? Check out my next blog!
That’s all for now. Till next time!