Security Customization - System support role without access to financial reports

(0) Share

Report

Posted on by Christine Wheeler

Hi everyone,

I have received a request for a customized security role that mimics the standard AX system admin role to a certain extent. The client is looking to have a system support role that can check things like security, batch jobs, staging tables, master records, etc., but cannot run financial reports such as Trial Balance. It seems to me that they want a modified system admin role to protect their financials and/or prevent unauthorized use of financial reports.

Has anyone had this request from a client before? If so, how was the task approached? I am assuming some level of development work may be needed or a significant amount of configuration for a new custom security role with duties and privileges added manually to the role. I have explained to the client how the system admin role works in AX and they still wish to pursue this enhancement.

Any guidance would be greatly appreciated. Thanks in advance!

Christine

*This post is locked for comments

I have the same question (0)

All responses (4)

Answers (0)

Suggested answer

Vilmos Kintera 46,149 on at

Like (0)

Report

You need to create a new security role, add all roles except the ones you want to exclude access for. That way they can do everything, but open the Developer workspace, or access parts of the system that you want to hide. The AOT does require System administrator role, which in return gives full access to the system. AX is not corporate-friendly in this sense from a security auditing perspective unfortunately.

Was this reply helpful? Yes No
Christine Wheeler on at

Like (0)

Report

Hi Vilmos, thank you very much for the reply.

The client is currently using custom roles for their general users rather than the out-of-box Microsoft roles (ex. instead of using the MS Accountant security role, they have their own version of the accountant role). There are also several staging tables that they would need to check and I believe these do not have menu items available to non-system admins (could potentially be changed but would require a release to their production environment). Any further thoughts from your perspective? Is the option you have described still viable to some degree?

The other issue is that they'll need a portion of one role's access, which means adding the duties and privileges individually instead of adding the full role. I understand that the manual work may be necessary to achieve this goal - was just hoping that someone else has done this for another client before and knew of any time-savers.

Your answer will definitely be helpful when going back to the client and explaining the workload required, thank you!

Thanks,

Christine

Was this reply helpful? Yes No
Vilmos Kintera 46,149 on at

Like (0)

Report

I am afraid it involves manual work to separate out to which you want to provide access for and what is forbidden, like you said by creating additional privileges, duties and roles for both standard and custom functionality depending on your situation. Since AX works in a way that you cannot have a "no access" defined, because another allowing role overtakes it, adding new security objects is the only way for you I am afraid.

Was this reply helpful? Yes No
André Arnaud de Cal... 301,088 Super User 2025 Season 2 on at

Like (0)

Report

Hi Christine,

For a customer I created an administrator role where the requirement was to have no access to the AOT and some other functionality like creating users. You can actually first select all privileges and drag/drop them on a new role in the AOT. Then you have to find out which privileges are used for the financial reports. The Security development tool or the AOT built in inquiry to view which role, duty or privilege is used for a certain menu item can give the information which privileges should be removed then.

Can you also explain what you mean with the staging tables?

Was this reply helpful? Yes No