I would like to understand for your implementation of AX 2012, how long did it take to refine the user security roles/privileges to a usage point? I realize the answer is different for every implementation and it's iterative but a general timeframe would be extremely helpful for me.
In two implementations I had to deal with security. I think we spend about 400-500 hours on the largest implementation. And we are not ready yet... This one is very complex due to the size of the company and some nasty customizations.
The other one is about 240-280 hours. We had to create and customize about 20 roles in this case.
André Arnaud de Calavon | Microsoft Dynamics AX Solution architect | My blog | My company
This post is my own opinion and does not necessarily reflect the opinion or view of my company, Microsoft, both its employees, or other MVPs.
From my experience, security is a different beast in 2012. Having said that, if your company has a lot of different and specific roles, then it'll be tough. Requirement gathering would probably take about 250+ hours. i.e. a month at least. Building custom roles is easy using either the AOT or the Security Development Tool (SDT). Depending on the amount of custom roles, it'll vary. I've created 7-10 roles in about two days, which included preliminary testing from a requirement perspective. Then you have the business to do the testing, which can vary depending on how much time they have on their hands to do testing (keep in mind that no ones likes security testing but it has to be done). I've created about 60+ custom roles and that took less than a month including preliminary testing. My end to end process took about 3+ months. Overall, from no custom roles to completely customized roles, you're looking at anything between 1-4 months at the least.
Hope that helps.
As a follow up question. Once you've developed a security strategy how have you gone about documenting that strategy and enforcing it so we're not down the road in 2 months wondering what roles have what privileges? Is there a security export feature? Do most use Excel or a template? Thanks so much!
This depends on the implementation and documentation requirements. At one site we used a word document to describe every single role and workflow. Another implementation required to have a better insight and we created a excel file with multiple sheets. One with a matrix on users and roles and one with a matrix on duties/privileges and roles. In both cases we created them manually.
Once I created a query on the security tables and managed to use this query via the Excel add-in. After an unmanaged action, someone deleted it... :-(
Now I would like to have an Export button in AX where the Excel file with the sheets as descrived above.
Maybe someone already has created this, otherwise it's on my wishlist...
We modified existing roles to fit our requirements and it took a total of about 2-3 months to fully implement.
We used a manual excel matrix to track our roles/duties/users. Once the setup/dev work was completed and the roles were applied to the users, we created custom reports that dig into the security tables and export duties per user, and object access per user.
I don't believe there's anything out of the box reporting that will help with that, unfortunately.
Thanks for your response Kyle. If I may, what size company are you working within - small, medium, large? Also, would you say in your opinion that your security implementation stayed pretty close to the vanilla roles/privileges delivered OOTB or you did heavy customization within the 2-3 months? Thanks in advance.
We have around 100 active users with about 15 different active roles. None of the roles we use were OOTB, but they are a good base to start from.
We ended up copying some of the base roles and then modifying the new ones to fit our business. Some of these had to be heavily modified (AP) while others were mostly untouched (GL).
In the end we created a "Parent role" for each combination of sub-roles, as well. We only assign 1 "parent role" per user in our production environment. Creating these was sort of a time sink, but helps the security admin with maintaining the user security.