AX2012 - Financial dimensions security issue

Microsoft Dynamics AX Forum

Question Status

Verified

Hi all,

In one of the roles at an implementation we need view rights on the form Financial dimensions. We added the duty LedgerChartsOfAccountsInquire.

This duty contains the privileges for this form: DimensionDetailsView and DimensionValueDetailsView.

What is the issue? When opening this form within the role it is possible to edit the records. The permission only has view as access level.

It is not possible to add or delete dimensions, which is OK.

When opening the dimension values the same issue occurs.

I checked the privileges, duties, forms on the permissions. Really everything is view permission only.

I also tried to create a role with only the two privileges as mentioned above in AX2012 CU5 (standard, no customization). The user got only this role. So the only menu item was 'Financial dimension'.

Also here the same issue: It is possible to edit the records where the security says it should be read-only.

Anyone some other ideas?

Reply
Kartik Kurup responded on 1 May 2013 3:22 PM
Verified Answer

Hey André,

Here's my two cents:

1) The duties that you are assigning may contain a privilege that is overriding the other privileges that only have the View functionality.

2) The Financial Dimension main table under GL > Setup > Financial Dimensions, should only be accessed by either admins or people with some authority like managers or Controllers.

"It is not possible to add or delete dimensions, which is OK." - I'm assuming that this means that they ARE able to edit the Financial Dimensions. Which is NOT OK. Right?

Suggestion: Practically, FinDims are most of the times maintained by some higher authority. You do not have to specifically add a duty or a privilege to enable the View. My understanding is that if you're unable to add or delete a FinDim, then you shouldn't be able to EDIT it as well.

There is no specific duty or privilege that allows a user to only VIEW the FinDims. If you come across a potential solution, please do share.

Thanks.

Kartik

Reply

Hi Kartik,

Thanks for your reply.

At the end I created a role with only the privileges DimensionDetailsView and DimensionValueDetailsView (these are standard in AX2012 and have only view rights). No other roles/duties/privileges were involved.

So your two cents are not valid in this case.

It is really strange that you expect a read only form and it is possible to edit the fields.

Tomorrow I will look into the deeper parts of the form design and perhaps some coding.

Reply
Verified Answer

OK. I found it.

All users get the role System User and the one they really need to perform their daily tasks.

Within the role System User update access is granted on the dimension tables. I still have to figure out why these tables do have permissions from this System user role. Next task will be to exclude these tables by overriding permissions, but we then have to test if anything else can go wrong... can take weeks. :-(

Some kernel versions do not show this behaviour as I understood. So if you do or don't have this problem it is due to the kernel version.

Be aware that also create access is granted for main accounts from the system user role! So every single user can modify and create new main accounts if they have access to the Main account details form (also via View Details). If they can use the office addin, also by use of Excel they can corrupt the chart of accounts.

Reply
WilliamChan responded on 13 Jun 2013 7:19 AM

Hi Andre,

I'm also puzzling with the security rights in ax2012. I've also created a role with only those 2 privileges (DimensionDetailsView and DimensionValueDetailsView).

Can you create a new dimension using a shortcut for example Ctrl+N or via file command?

One of our issues is that a user can create new dimensions using shortcuts despite the fact that the buttons (new/delete) are gone.

Kind regards,

William Chan

Reply

Hi William,

In our case the problem was caused by the System User role. A privilege called 'DimensionEssentials' also contains table permissions. Some tables have the value set too high. We still wonder why, but we changed the settings from accesslevel create down to read for the dimension table and values. Please note that also the Main Accounts have a permission too high.

Until today we have not noticed problems with this approach.

Reply
WilliamChan responded on 17 Jun 2013 1:24 AM

Hi André,

Thanks for your input, I've downgraded the privilege DimensionEssentials into read only and it has solved my issue.

kind regards,

William Chan

Reply
Mohsin Syed responded on 18 Nov 2013 9:13 AM

Hi Andre,

I am having a similar issue in AX2012. I have checked the 'System User' security role, the 'DimensionEssentials' privilege is set as 'View', (see screenshot below) but still Financial dimension fields are editable.

Any help would be greatly appreciated.


Regards,

Mohsin

Reply

Hi Mohsin,

With help of the override permissions button on the System User role, you can see the actual permissions per table. You can then see which table(s) have a higher permission than 'view'. Some are correct, but some not. Review which tables belong to the dimensions.

Otherwise share a printscreen where the dimensions are editable.

Reply
Mohsin Syed responded on 4 Dec 2013 7:18 AM

Hi André,

Thank you

The issue has been resolved, I downgraded the table permissions from 'Override permissions'.

Kind Regards,

Mohsin

Reply
Marta Schaferova responded on 19 Feb 2015 3:04 AM

Hi André and thanks for the valuable insights!

I've solved a similar issue by setting the neededPermission values on form to manual and then per role defining the access level via Override Permissions.

I have another question related to the System User role though. It is indeed strange that many of the table permissions on the DimensionEssentials privilege allow create or delete level. I was thinking of downgrading the permissions to tables on that privilege to read level but I wouldn't know which 'Dimension....' and 'MainAccount...' table privileges to downgrade.

I'm afraid that setting all of them to read might have a large impact (there must be a reason why Microsoft has allowed some of those permissions to higher than read..?).

Do you perhaps have a suggestion as to which should definitely be set to read in general or how you went about it?

Greetings,

Marta

Reply

Hi Marta,

Indeed restricting all tables can cause issues. These tables were downgraded and work OK until now:

- DimensionAttributeValue

- DimensionAttributeValueCostAccounting

- DimensionAttributeValueFinancialStmt

- DimensionFinancialTag

- MainAccount

They have read access now on the system user role.

Reply
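The finding in this thread, as an added example that is not part of the original posts or of Microsoft's code: a user's effective table access is the highest level granted by any assigned role, so the System User role can raise a view-only role above read. The role name DimensionViewer, the data layout and the sample levels are constructed for illustration, following what the thread describes.

```python
from enum import IntEnum

class Access(IntEnum):  # AX 2012 access levels, lowest to highest
    NO_ACCESS = 0
    READ = 1     # shown as "View" in the client
    UPDATE = 2   # shown as "Edit"
    CREATE = 3
    CORRECT = 4
    DELETE = 5

# Constructed sample export: role -> privilege -> {table: level}.
# Levels are illustrative, following the thread's description.
ROLES = {
    "DimensionViewer": {  # hypothetical custom role
        "DimensionValueDetailsView": {
            "DimensionAttributeValue": Access.READ,
            "DimensionFinancialTag": Access.READ,
        },
    },
    "System User": {
        "DimensionEssentials": {
            "DimensionAttributeValue": Access.UPDATE,
            "DimensionFinancialTag": Access.UPDATE,
            "MainAccount": Access.CREATE,
        },
    },
}

def effective_access(user_roles, overrides=None):
    """Highest level per table over all roles; an override replaces a role's grant."""
    overrides = overrides or {}
    result = {}
    for role in user_roles:
        for priv, tables in ROLES[role].items():
            for table, level in tables.items():
                level = overrides.get((role, table), level)
                if level > result.get(table, (Access.NO_ACCESS, ""))[0]:
                    result[table] = (level, f"{role}/{priv}")
    return result

def above_ceiling(user_roles, ceiling=Access.READ, overrides=None):
    """Tables whose effective level exceeds the ceiling, with the granting role/privilege."""
    return {t: (lvl.name, src)
            for t, (lvl, src) in effective_access(user_roles, overrides).items()
            if lvl > ceiling}

# The downgrade described in the thread, modelled as per-role table overrides.
DOWNGRADE = {("System User", t): Access.READ for t in ROLES["System User"]["DimensionEssentials"]}
```

Running `above_ceiling` with every role a user actually holds, System User included, shows which role and privilege to open under Override permissions.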