Try Microsoft Edge
A fast and secure browser that's designed for Windows 10
In one of the roles at an implementation we need view rights on the form Financial dimensions. we added the duty LedgerChartsOfAccountsInquire.
This duty contains the privileges for this form: DimensionDetailsView and DimensionValueDetailsView.
What is the issue? When opening this form within the role it is possible to edit the records. The permission only has view as access level.
It is not possible to add or delete dimensions, which is OK.
When opening the dimension values the same issue occurs.
I checked the privileges, duties, forms on the permissions. Really everything is view permission only.
I also tried to create a role with only the two privileges as mentioned above in AX2012 CU5 (standard, no customization). The user got only this role. So the only menu item was 'Financial dimension'.
Also here the same issue: It is possible to edit the records where the security sais it should be read-only.
Anyone some other ideas?
Here's my two cents:
1) The duties that you are assigning may contain a privilege that are over-riding the other privileges that only have the View functionality.
2) The Financial Dimension main table under GL > Setup > Financial Dimensions, should only be accessed by either admins or people with some authority like managers or Controllers.
"It is not possible to add or delete dimensions, which is OK." - I'm assuming that this means that they ARE able to edit the Financial Dimensions. Which is NOT OK. Right?
Suggestion: Practically, FinDims are most of the times maintained by some higher authority. You do not have to specifically add a duty or a privilege to enable the View. My understanding is that if you're unable to add or delete a FinDim, then you shouldn't be able to EDIT it as well.
There is no specific duty or privilege that allows a user to only VIEW the FinDims. If you come across a potential solution, please do share.
Thanks for your reply.
At the end I created a role with only the privileges DimensionDetailsView and DimensionValueDetailsView (these are standard in AX2012 and have only view rights). No other roles/duties/privileges were involved.
So your two cents are not valid in this case.
It is really strange that you expect a read only form and it is possible to edit the fields.
Tomorrow I will look into the deeper parts of the form design and perhaps some coding.
OK. I found it.
All users gets the role System User and the one they really need to perform their daily tasks.
Within the role System User update access is granted on the dimension tables. I still have to figure out why these tables do have permissions from this System user role. Next task will be to exclude these tables by overriding permissions, but we then have to test if anything else can go wrong... can take weeks. :-(
Some kernel versions do not show this behavious as I understood. So if you do or don't have this problem it is due to the kernel version.
Be aware that also create access is granted for main accounts from the system user role! So every single user can modify and create new main accounts if they have access to the Main account details form (also via View Details). If they can use the office addin, also by use of Excel they can corrupt the chart of accounts.
I'm also puzzling with the security rights in ax2012. I've also created a role with only those 2 privileges (DimensionDetailsView and DimensionValueDetailsView).
Can you create a new dimension using a shortcut for example Ctrl+N or via file command?
One of our issue is that an user can create new dimensions using shortcuts despite the fact the the buttons (new/delete) are gone.
In our case the problem was caused by the System User role. A privilege called 'DimensionEssentials' also contains table permissions. Some tables have the value set too high. We still wonder why, but we changed the settings from accesslevel create down to read for the dimension table and values. Please note that also the Main Accounts have a permission too high.
Until today we did not have noticed problems with this approach.
Thanks for your input, I've downgraded the privilege DimensionEssentials into read only and it has solved my issue.
I am having a similar issue in AX2012. I have checked the 'System User' security role, the 'DimensionEssentials' privilege is set as 'View', (see screenshot below) but still Financial dimension fields are editable.
Any help would be greatly appreciated.
With help of the override permissions button on the System User role, you can see the actual permissions per table. You ccan then see which table(s) have a higher permission than 'view'. Some are correct, but some not. Review which tables belong to the dimensions.
Otherwise share a printscreen where the dimensions are editable.
The issue has been resolved, I downgraded the table permissions from 'Override permissions'.
Hi André and thanks for the valuable insights!
I've solved a similar issue by setting the neededPermission values on form to manual and then per rol defining the access level via Override Permissions.
I have another question related to the System User role though. It is indeed strange that many of the table permissions on the DimensionEssentials privilege allow create or delete level. I was thinking of downgrading the permissions to tables on that privilege to read level but I wouldn't know which 'Dimension....' and 'MainAccount...' table privileges to downgrade.
I'm afraid that setting all of them to read might have a large impact (there must be a reason why Microsoft has allowed some of those permissions to higher than read..?).
Do you perhaps have a suggestion as to which should definitely be set to read in general or how you went about it?
Indeed restricting all tables can cause issues. These tables were downgraded and works OK until now:
They have read access now on the system user role.
Business Applications communities