André Arnaud de Calavon
As mentioned in my previous blog related to the security development tool, I will have a neat tip for developers (and interested functional people). With help of the Security Development Tool, you can use the AX debugger to debug some scenarios which are not reproducible when you have the system administrator role assigned. With system administration rights the system will behave different compared to users with limited permissions. In this post I will explain you how to use the AX debugger in combination with the Security Development Tool.
Today Microsoft released a new cumulative update for Microsoft Dynamics AX2012 R3, named Cumulative Update 8 (KB2998197). The version number of this release is 6.3.1000.309.
After four posts about the Security Development Tool, I still have some tips to share. This time I will explain how to build a role using the least effort principle. In addition it will be explained how to track menu items which are not directly accessible from the menu but available on forms. I will also write about the usage of the Assign organizations in the Security Development tool.
Tip: Build using least effort principle
When it comes to authorization it is usually best practice to have the least possible privileges for each role or user. This will minimize the risk related to wrong use of the system, fraud or exposure to confidential information. However to have the lease possible privileges, you will have to create a lot of new privileges and duties for fine tuning. This will require a lot of time and the costs for implementation will be higher. If you look at the risk involved if some reports or some forms are available where the user cannot cripple the system, we can consider it as no or low risk. Granting a standard duty for e.g. maintaining vendor master data also includes some other forms like contact persons and reports. If it is not required to be able to print a report but there is no risk, it is easier to use the standard duties or privileges and thus have the report available for this user. Besides… I personally like to have the contacts form available within this duty, so I don’t have to bother too much to loop through all possible menu items. Now back to the system and find the easiest way to add complete duties or privileges. The Security Development Tool offers a way to quickly find related duties and privileges and add them to the role. This is one of the features I like most of this tool. I will explain how… First we need to open the Security Development Tool form. For this blog I created an empty Demo role to start with. I would like to add full access to all journal forms in Microsoft Dynamics AX 2o12.
When we go to e.g. the General Journal, we can right click and choose the menu option Reference duty.
This will open the next forms with all Duties available for this menu item. Note that it also shows duties which are not linked to a security role. When you want to find about the related security objects from the AOT, it will not show duties or privileges which are not attached to a role. So this tool is an enhancement on the AOT option.
You can review all duties and decide which one to take. In this example I will take the selected record. Click the button Add to role and the role will be updated with the duty. Note that refreshing the menu items with the new valid access levels will take some time. When AX has performed this task, you can see in the next picture it has granted access to all menu items (permissions) which were part of the duty.
You will also notice that menu items in other menus are activated by this single action. So by adding available duties you can build up a role very ease and relative fast. You can do the same with privileges. A privilege has mostly only a few menu items in it. Note that when assigning privileges, the functionality for Segregation of Duties will not be triggered, as it only works with duties. So as a best practice you have to use duties as much as possible. When you need to disable some menu items, you can have a look at the tip Duplicate duties and privileges which was described in part 2.
Tip: Discover submenu items
When you want to change the permissions on menu items which are not available in a menu, but on a form, you can use the function Discover submenu items by using the context menu activated with the right mouse button.
This function will build a list of menu items which are used on the form and will also show the current access levels for each menu item. Like the menu items in the main menu, you can start changing the role by discover duties or set entry point permissions. You can even repeat the discovery of menu items to drill down to the next level of menu items related to that form.
Tip: Assign organizations when testing a role
When you want to know if a role will work correctly when it is limited for some legal entities, you can Assign organizations in the Security Development Tool like it is possible when you assign users to the roles. This will be used when you open a security test workspace.
You can click the button Assign organizations and assign one or more organizations to this role. In my example there is no assignment to the standard demonstration company USMF. There is only access for this role to two Consulting companies.
When you did assign the organizations, you can open the security test workspace. The first thing you will notice is that in the company USMF there are no menus available, with the Home menu as exception. So for USMF legal entitiy this is correct.
When you change the legal entity to e.g. USSI which was assigned, the menus and menu items related to the role are available and you can start testing the role. Note that also the System user role is assigned to the security test workspace next to the selected role.
One more tip come…
I do have one more topic to share about the Security Development Framework. It looks like I have already covered all features, but there is one undocumented feature we found out a while ago. In fact it has no direct relation to security… It is a surprise for developers and nice to know for consultants. Curious? Check out my next blog!
That’s all for now. Till next time!
After writing 3 blogs with tips on the Security Development Tool, I do have more tips to share. This time I will talk about the option Mark form controls. I will explain this feature as well as how to get this working in AX 2012 R2 and R3. Also a nice tip is to expand this with other access levels.
This is the third part of a blog series related to the Security Development Tool. This time I will walk through the functionalities related to recording of entry points. Also take a note if you first need to install a hotfix to be able to use the recording option.
This morning I wanted to see if there was a known issue for a problem. Then I noticed that there are new features and content on Issue search from Microsoft Lifecycle services. It was announced earlier that there would be more investments in LCS. There is now content related to several versions of Microsoft Dynamics AX and Microsoft Dynamics NAV.
Within my previous post I started a series about the Security Development Tool for Microsoft Dynamics AX 2012. I got some positive feedback, so that motivated me to continue on part 2. I have seen people using the tool and thought they could they could easily create or modify roles themselves and at the end they got stuck… So this post is about helping you prevent creating spaghetti.
The Security Development Tool is created by Microsoft and provides additional functionality helping you creating and maintaining security artifact like Roles, Duties and Privileges. I have used the tool since the release and noticed some very good features and also some features which could cause unwanted scenarios. To help you getting the most out of this tool and use it in a proper way, I decided to write a series of blogs on this feature. This first post will tell you about the configuration of the menu-items which will start the Security Development Tool and also how to fix the view on User License Type to show the correct CAL type.
The website of the Microsoft Dynamics Community has been completely redesigned. There is a new look, forums are redesigned, it is supporting a mobile-friendly interface, there are monthly leaderboards, and more. The Microsoft Dynamics Community is a website where you can find community contributions, ask questions and interact with Microsoft Dynamics experts.
Last year October I shared a neat utility to convert currency amounts using the exchange rate information available in Microsoft Dynamics AX. This was suitable for the versions AX 2009, AX2012 and AX2012 R2. You can read the blog with the announcement of the utility and how it works here. Recently I got the question if it was also supported within Microsoft Dynamics AX 2012 R3. This post will tell you the answer.