JSM asked a question on 25 Mar 2014 11:01 PM

Can someone share their experience in implementing security roles? I already know how to use the security roles, duties and privileges but don't know where to start. I have already installed SDT for testing security. The client is asking for a template that they can use but I cannot find anything available. Most of the roles that they provide do not exist in OOB, or they exist but have a different definition.

Hope someone can enlighten me on this.

Thanks in advance.

Reply
Suggested Answer
André Arnaud de Calavon responded on 25 Mar 2014 11:44 PM

Hi JSM,

You can start with e.g. a sheet to know which menu entries should be given access and if this is full access or read only. With the help of the security tool or the function related security roles in the AOT (right click) you can find out which duties and/or privileges are used for the menu item. When you grant access to the duty, some related menu items will be granted as well, as a privilege can contain more entries and a duty contains more privileges.

If this approach opens too many options within this role, you can copy e.g. the privilege and/or duty and change the contents of the copy. Within the privileges you can delete or disable menu items. You can replace the old privileges in the duty with the new copies. Also you can delete privileges from the copy.

Note that the SDT does not have support for copying these duties and privileges. You can actually change settings, but that will change the original privileges. As one privilege can be used in multiple roles, you are actually changing more than one role then. So be careful with the SDT.

If a duty has too many permissions, you can also check what the risk would be if someone e.g. has some additional reports or an additional query. If the user can't break anything and can't see anything that is confidential, why make the additional effort to hide one or two reports...

kind regards,

André Arnaud de Calavon  |  Microsoft Dynamics AX Solution architect  |  My blog  |  My company

This post is my own opinion and does not necessarily reflect the opinion or view of my company, Microsoft, both its employees, or other MVPs.

Reply
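The effect described in the answer above, as an added example that is not part of the original thread: a small Python model of the role → duty → privilege → menu item hierarchy that lists which roles change when a shared privilege is edited in place, and which access a role grants beyond the requirements sheet. All role, duty, privilege and menu item names are constructed for illustration and are not real AOT objects.

```python
# Constructed sample hierarchy (illustrative names, not real AOT objects).
ROLES = {  # role -> duties
    "AccountingManager": {"BudgetApprove", "LedgerMaintain"},
    "BudgetClerk": {"BudgetMaintain"},
    "TeamLeader": {"BudgetApprove"},
}
DUTIES = {  # duty -> privileges
    "BudgetApprove": {"BudgetPlanApprove", "BudgetReportView"},
    "BudgetMaintain": {"BudgetPlanEdit", "BudgetReportView"},
    "LedgerMaintain": {"LedgerJournalEdit"},
}
PRIVILEGES = {  # privilege -> {menu item: access level}
    "BudgetPlanApprove": {"BudgetPlanApproval": "full"},
    "BudgetReportView": {"BudgetSummaryReport": "read",
                         "BudgetDetailReport": "read"},
    "BudgetPlanEdit": {"BudgetPlan": "full"},
    "LedgerJournalEdit": {"LedgerJournalTable": "full"},
}
RANK = {"read": 1, "full": 2}

def roles_using_privilege(privilege):
    """Roles whose access changes if this privilege is edited in place."""
    return sorted(role for role, duties in ROLES.items()
                  if any(privilege in DUTIES[d] for d in duties))

def effective_access(role):
    """Menu item -> highest access level the role gets through its duties."""
    access = {}
    for duty in ROLES[role]:
        for privilege in DUTIES[duty]:
            for item, level in PRIVILEGES[privilege].items():
                if RANK[level] > RANK.get(access.get(item), 0):
                    access[item] = level
    return access

def excess_access(role, sheet):
    """Access the role grants beyond what the requirements sheet asks for."""
    return {item: level for item, level in effective_access(role).items()
            if RANK[level] > RANK.get(sheet.get(item), 0)}

if __name__ == "__main__":
    # Constructed sheet row set for one role: menu item -> requested access.
    sheet = {"BudgetPlanApproval": "full", "BudgetSummaryReport": "read"}
    print("Editing BudgetReportView in place affects:",
          roles_using_privilege("BudgetReportView"))
    print("TeamLeader access beyond the sheet:",
          excess_access("TeamLeader", sheet))
```

The excess list is the input for the risk check mentioned in the answer: each entry is either accepted or removed by working on a copy of the privilege or duty.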
Martin Dráb responded on 25 Mar 2014 11:46 PM

And what should the template contain? You get AX with many predefined roles and can adjust them or duplicate them and use them for other purposes.

Martin "Goshoom" Dráb | Freelancer | Goshoom.NET Dev Blog

Reply
JSM responded on 26 Mar 2014 12:09 AM

The template should contain at least the roles, duties and the ax path (menu entries). For example, they provided a Team Leader role which has a description of,

Final Approver of Documents (e.g. Rate Sheets, Contracts, Concessions),

Final Approver of Budgets, Budget Transfers.

I tried to map it to the Budget Approval role but I cannot find the same role for 'Final Approver of Documents (e.g. Rate Sheets, Contracts, Concessions)'. I tried to search for duties and privileges with the keywords 'aprrove' and 'document' and have difficulty finding a related one. I suggested the approach that Andre suggested (list all menu items and let the client decide which roles have access to them) but my PM discouraged me from this, as she says we should start with the OOB first and then remove the access which is not needed. She also says that the client has already provided a role list that we need to follow, as in the example given above.

Can you suggest any template that you use when you are implementing this security role?

Reply
Suggested Answer
André Arnaud de Calavon responded on 26 Mar 2014 12:40 AM

Hi JSM,

It is also possible to duplicate a role within the AOT. Then you can take this one as the template and later adjust the desired changes. Make sure the name of the role will be unique after copying. So e.g. when the role "Accounting manager" has been copied, rename the copy to e.g. "Accounting manager ({Contoso}) "

When this is not done, you can have wrong fact boxes on list pages and also the SDT cannot handle duplicate role names.

kind regards,

André Arnaud de Calavon  |  Microsoft Dynamics AX Solution architect  |  My blog  |  My company

This post is my own opinion and does not necessarily reflect the opinion or view of my company, Microsoft, both its employees, or other MVPs.

Reply
Suggested Answer
Patrick Hawker responded on 26 Mar 2014 1:55 AM

Hi,

I put together a security matrix which looks at the roles and the duties within the roles (I only went to this level as going any further would have required Visual Studio skills to display the information in a meaningful manner).

Please have a look at my blog on security:

patrickhawker.wordpress.com/.../security-part-1

and then you can also download the matrix at:

onedrive.live.com/redir

Hope that helps!!!  

---------------------------------------------------------------------------------------------------

Please read my blog at: http://patrickhawker.wordpress.com/ 

Follow me on twitter at: https://twitter.com/Patrick_Hawker 

Reply
JSM responded on 26 Mar 2014 2:19 AM

Thanks Patrick, this will be very helpful. I checked on my database and we have around 1195 duties defined. How can I capture the new customized forms/reports? Hope you can provide the scripts that you use to generate this Excel sheet.

Thanks again.

Reply
Patrick Hawker responded on 26 Mar 2014 2:44 AM

Hi,

Try the link below. This is the job I run (it isn't the fastest job in the world but it does the job!)

http://1drv.ms/1gAXdYp

Regards

---------------------------------------------------------------------------------------------------

Please read my blog at: http://patrickhawker.wordpress.com/ 

Follow me on twitter at: https://twitter.com/Patrick_Hawker 

Reply