Limitation of XDS Security policy in Ax2012.

Hi,

I have started working on data security policy in AX2012.

The requirement I have is to add the range value of XDS query dynamically.

The requirement is that when the user logs into AX, I need to pick up the position the user is assigned to and show only the workers assigned to that position on the workers form.

Hence for the XDS query I need to pass the value dynamically on the runtime.

I have tried writing the code in the init and run methods of the query to default the range value, but it doesn't seem to be working.

My question is: does AX execute the code written in the AOT queries, or does the range value have to be hardcoded, which means static?

Please share your thoughts.

Thanks,

Ismail.

All Replies
  • Hi Ismail,

    It is possible to create a temporary table (type TempDB) and use this table within the query for your security policy. On the temporary table you can add a method called 'XDS' to dynamically fill this table. Depending on a call (RefreshFrequency) you can cache this table per user session.

    Take a look at the table "MyLegalEntitiesForXDS" for an example of this method.

    kind regards,

    André Arnaud de Calavon  |  Microsoft Dynamics AX Solution architect  |  My blog  |  My company

    This post is my own opinion and does not necessarily reflect the opinion or view of my company, Microsoft, both its employees, or other MVPs.

  • Hi Andre,

    I have tried the solution suggested by you, but it doesn't seem to be working in my scenario.

    The requirement I have is to get the workerId from logged in userid and then get the primary position of the worker so that I can get all the position reporting to logged in user position.

    Once I know the positions then I need to get the workers assigned to these positions.

    To get the WorkerId I am using a static method on the table HCMWorker. But since HCMWorker is part of the XDS policy as a constraint table, this static method returned 0 as the RecId.

    I believe since the HCMWorker table is part of the XDS policy, I cannot use an X++ select statement on the tables that are part of the XDS policy.

    Could you please suggest your thoughts on the issue I am facing?

    Or if there is any other solution you would recommend me on this.

    Thanks,

    Ismail.

  • Hi Ismail,

    The only way I found to disable the xds at run time is to set the property ContextType of security policy to ContextString and then at runtime use xdsServices.setXDSContext(0, ''); to disable it. The downside is that the policy has to be applied manually on the objects unlike role based context where the policy is applied automatically.

    There is another 'dirty' solution to the problem. You can query the database directly by using Connection class. Not recommended but it works as well.

    Thanks

    Navid

  • Hi Ismail,

    You can use a 'view' containing the HCM worker table. Then the policy is not applied to the HCM worker table, as the view is a different one for XDS policies.

    kind regards,

    André Arnaud de Calavon  |  Microsoft Dynamics AX Solution architect  |  My blog  |  My company


  • Hi Ismail,

    Unluckily we had this same problem at a customer today. Last week we had no problems. A new kernel update was installed and caused the behaviour as you described above.

    So today I had a look and found out that indeed the table used to query the data was a constrained table as well. Note that the software was not updated, only the kernel.

    In the AOT I created a view based on the table. Changed the XDS method and it works again.

    Have you managed to get it to work for your scenario?

    kind regards,

    André Arnaud de Calavon  |  Microsoft Dynamics AX Solution architect  |  My blog  |  My company


  • I don't know if you still need a solution, but you can create a static method in the SysQueryRangeUtil class and use the return value for the range in your query.

    In the AOT, the range value property would be:

    (myMethod())

    There's an example in this whitepaper: www.microsoft.com/.../details.aspx

    Hope that helps you.

    Leandro H.

  • Hi Andre,

    Sorry for replying very late on this.

    Yes, based on your suggestion I did the same by creating views for the tables that were involved in the security policy. Then I changed the XDS method and it started working.

    Thanks a lot for your suggestion.

    Learnt something new.

    Thanks,

    Ismail.
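
The pattern the thread settles on (a TempDB table filled by its `xds()` method, reading the constrained HcmWorker table through a view) could look like the sketch below. It is an added example, not code posted by any participant; the table `MyReportingWorkersForXDS`, the view `MyHcmWorkerView` and their fields are hypothetical names, and only direct reports of the user's first current position are collected.

```xpp
// Method on the hypothetical TempDB table MyReportingWorkersForXDS
// (TableType = TempDB, one Int64 field WorkerRecId).
// The policy query joins HcmWorker to this table on
// HcmWorker.RecId == MyReportingWorkersForXDS.WorkerRecId.
public RefreshFrequency xds()
{
    // Hypothetical view over HcmWorker exposing Person and WorkerRecId
    // (HcmWorker.RecId). HcmWorker is constrained by the policy, so it
    // is read through the view instead of being selected directly.
    MyHcmWorkerView             workerView;
    DirPersonUser               personUser;
    HcmPositionWorkerAssignment myAssignment;
    HcmPositionWorkerAssignment reportAssignment;
    HcmPositionHierarchy        hierarchy;

    // Map the logged-in user to a worker record via the view.
    select firstOnly WorkerRecId from workerView
        exists join personUser
            where personUser.PersonParty == workerView.Person
               && personUser.User        == curUserId();

    if (workerView.WorkerRecId)
    {
        // Simplification: take the first currently valid position
        // assignment rather than resolving the primary position.
        select firstOnly Position from myAssignment
            where myAssignment.Worker == workerView.WorkerRecId;

        // Workers assigned to positions that report directly to it.
        // These are valid time state tables, so a plain select returns
        // only the currently effective records.
        while select Worker from reportAssignment
            exists join hierarchy
                where hierarchy.Position       == reportAssignment.Position
                   && hierarchy.ParentPosition == myAssignment.Position
        {
            this.WorkerRecId = reportAssignment.Worker;
            this.insert();
        }
    }

    // Fill once and cache for the user session.
    return RefreshFrequency::PerSession;
}
```

Any other table the policy constrains would need the same treatment: read it through a view inside `xds()`, otherwise the select comes back empty as described earlier in the thread.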

  • Hi Leandro,

    Thanks for the reply.

    Yes, I was able to achieve it through the solution suggested by Andre above.

    Thanks for the suggestion. I believe this would be another way to achieve it, and I got to know that you can secure the data based on financial dimension too.

    Thanks,

    Ismail.

  • Hi Andre,

    I am using a security XDS policy with a role which is used to filter the workers (like if we log in with this XDS role then the user can see only the workers under him/her). This information is stored in the DirPerson table and we are inserting the data to a temp table based on the DirPerson table.

    The query which is used for this has the datasource DirPerson and the temp table.

    Now this role is working fine when only this role is assigned.

    Now there is a situation where a user uses another role related to projects along with the above role.

    When both these roles are active at the same time, then on the projects list page screen some data is missing which comes from the DirPerson data (project manager, sales manager...), as here the persons data is getting filtered by the first role. These fields show "Unknown" on the screen.

    I have tried disabling the XDS policy through code in the project list page interaction class but it didn't help.

    I have tried XDSServices.setXDSState(0) and setXDSContext(0, " ")

    Can you please let me know if you have any idea how to solve this.

    Thanks in advance

    Regards,

    Gangadhar

  • Hi Gangadhar,

    This is a nasty one... As mentioned earlier in this thread adding another role without XDS policies is not overriding this.

    The use of coding will not help as the Project table itself is not constrained. The DirPerson and HcmWorker are being filtered.

    What is the reason that people are only allowed to see some workers? You can also consider restricting some details of the workers, like address and private information.

    For a quick look at their team, it is possible to create a query and have this applied on a new list page, or they can add the menu item to their favorites and link a query to restrict the number of records to their team.

    You used a temporary table. I assume this is done with an XDS method. You can also create a switch and determine if the user needs to see more because of other roles. Then the result set will be extended.

    If you have further questions, please create a new thread.

    kind regards,

    André Arnaud de Calavon  |  Microsoft Dynamics AX Solution architect  |  My blog  |  My company
