Microsoft Dynamics AX (Archived)

AX 2012 Roles (Security Model)

Posted on by 1,699

Can somebody already share his experience with setting up Roles in AX 2012?

  • Have the standard AX 2012 Roles been used?
  • Is it better or more efficient to create own Roles?
  • Is there an efficient way to assign Users to a Role?
  • How can you be roughly sure that the assigned role contains the right privileges?
    • A Role has several duties
    • Duties may have several Privileges
    • A Privilege may have several MenuItems
    • In total over 10'000 MenuItems
  • How do you know which Roles contain which User CAL (Enterprise, Functional, etc.)?

  • Verified answer
    Mark Simmerman
    1,325

    I can give you one perspective from a food company using AX 2012.  

    1) The standard roles are a big help as a starting point.  I would not attempt an ERP migration without them.  

    2) Creating your own roles to cover about 20% of your needs is likely an inevitability.  For example, we have finance analysis positions that need specific but not global access of a role like CFO; we have EDI analysts who have cross functional (Cust Svc, Shipping, Products, & AR) needs that are 95% view and 5% add/edit.  

    3) We did Active Directory cleanup, created a few security groups, and imported users into AX 2012 using the AD import function in the Sys Admin\Common\Users\Users.  We added roles to users during the first import based on our best guess, and then did substantial changes since AX 2012 roles were very different from our old ERP system.  We had to perform a business analysis at the privilege level with transactional testing to verify.  No short cuts here.  

    4) Consider FastPath software for Separation of Duties checking and financial auditing beyond what AX 2012 provides out of the box.  Duty descriptions are fair and get you in the ballpark.  FastPath checks down to the privilege and table permission level.  I highly recommend that if you build custom roles or augment OOTB roles that you follow the best practice of attaching Duties to Roles and Privileges to Duties, not attaching Privileges to Roles if you can help it.  FastPath should help you from a SOX standpoint, but only testing will tell you if the role assignments are operationally sound.  

    5) I can forward a spreadsheet with the Role to User CAL mapping if you like; the list is too long for a post here.  Reply to this post if you are interested.  

    I hope that helps.  

    Kind Regards,

    Mark Simmerman

  • AXT
    1,699

    Mark, sorry for my late response. I have been busy with AXUG last week.

    Your answer helped me a lot. Can you tell me a little bit more about the business analysis you performed at the privilege level with transactional testing. Have you done this together with the users before going-live? Is there a tool for security recording? Have you used FastPath?

    I would appreciate if you could forward me the Role/User CAL mapping.

  • Mark Simmerman
    1,325

    To be clear Martin, we are still not live, but are close.  

    We own FastPath and there are three parts to it: Assure (SOD and security analysis), Audit, and ADConfig (Non AX user IT management of AX users and roles).  The last we find useless since our IT uses other aspects of AX and we don't save a license.  Audit provides enhanced auditing that is helpful if you are having to be or working toward SOX compliance.  Assure allows you to examine single roles or role combinations and evaluate them based on OOTB rules or custom rules that you create.  FastPath for AX2012 is still a little raw, but the developers are responsive and pushing through issues in the change of architecture from AX 2009 to 2012.  

    If by security recording you mean auditing, then yes.  It is not a question of capability now, but of manageability.  You can audit too much and drown someone in information.  We are working with a consulting group other than our ERP VAR to guide us through SOX-like issues.  They are helpful in asking the tough questions about authorized versus unauthorized conflicts (user wanting access that makes it easier but introduces audit risk).  

    I recommend that you use some kind of Dev to Test to QA (UAT) to Prod flow.  The QA/UAT in our case is 95% educating staff of new processes and rules and only 5% gap discovery and redesign.  We started with reviewing roles one by one (we eliminated 25 from the start as not applicable) by attaching just that role and looking at menu availability and function.  We found some OOTB role decisions that had to be changed at once (Purchasing Manager with edit access to GL parameter screen).  

    Check out Microsoft Sure Step scripts as a starting point for your transactional testing scripts.  

    Good luck and share your success and challenges.

    Mark Simmerman

  • Navneeth Nagrajan
    2,432 Super User 2025 Season 2

    Mark,

    I was checking about an issue that I was facing while setting up Security Roles in AX 2012 and happened to come across this thread. This is good information that you have provided, Mark and this thread did help me in resolving my issue. Can you share the spreadsheet that you mentioned in your first thread, which maps the  Roles to User CAL mapping on my email id? Can you share the Roles to USER CAL mapping part? 

    Regards,

    Navneeth Nagrajan.

  • Community Member

    Mark,

    We are in the midst of a project to implement Dynamics AX 2012 and I have been tasked with implementing security roles.   Your response has tremendously affirmed that we are on the right track.

    Unfortunately, the one thing that eludes me is performing the business analysis at the privilege level.  From what I have been able to gather, it's going to be a very tedious task.  Would you have a recommendation on where to start with the analysis?

    Best Regards,

    Jason Morse

  • Suggested answer
    Mark Simmerman
    1,325

    Hi Jason,

    Sorry for the late reply.  Unless you have gnarly developer skills and have done a Marianas Trench dive into AX 2012 security, I recommend the very latest version of GRC Studio/Fastpath for AX 2012.  There are two things you will need to focus on, entry points and table permissions.  Of the entry points, menu items will probably be your main focus unless you are doing EP development or using Services extensively.  

    Fastpath will tell you which tables a user or a role (attached to a user) has certain levels of access to and vice versa.  If your primary concern is SOX compliance (who can change something or circumvent a control), then with View or None access to sensitive tables you are probably compliant.  Menu items will ultimately boil down to what table access someone has.  

    If you want to go beyond analysis you need developer assistance.  

    One problematic role out of the box is Employee.  True story: we have an outside warehouse and shipping (3PL) that services our company with mostly non-employees except one.  We gave them all Materials Manager, which gave all but one person view-only access to released products.  One had the delete button lit up and we had a painful time finding out why; they were also given the role Employee.  It wasn't until we installed Fastpath that it became easy to see why.  Microsoft gave the Employee role the highest access (Delete) to several important tables, but no path (Menu Item) to use that permission (unless through some method that we are ignorant of).  Combine the two roles, and you have the problem.  Fastpath also assisted us in finding how to turn it off.  

    Caveat Emptor - make role changes at your own risk and with competent assistance.  I recommend copying the role, disabling the Microsoft original, and changing your version.  Keep in mind that you can introduce a problem that will take months to surface if you downgrade a table permission that a feature you want later needs.  This area requires a lot of research for the most experienced in the field so I recommend caution, getting help, and thorough testing.  

    Microsoft also has some native tools that you can use in the AOT in a practice or development environment.  If you follow a privilege to a menu item, then you can right click > go to addins > go to security tools and review at the role or object level.  You can also use Microsoft’s Developer Security Tool that is designed to create new roles, duties, and privileges.  It has limitations on analysis though, since it seems to be intended for efficient creation for security objects.  

    Sorry for the long post, but I hope that helps.  

    KR,

    Mark
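
The Employee plus Materials Manager case from the post above, as an added example that is not part of the thread and not code from AX or Fastpath. It assumes a simplified model in which a user's access to a table is the highest level granted by any assigned role and a menu item from any role exposes that table; the role contents, the duty, privilege, menu item and table names, and the five-level ladder are all constructed for illustration.

```python
# Simplified access ladder for this example, lowest to highest.
LEVELS = ["None", "View", "Edit", "Create", "Delete"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample data; every name below is hypothetical.
ROLE_DUTIES = {
    "Materials Manager": ["InquireIntoProducts"],
    "Employee": ["EmployeeSelfService"],
}
DUTY_PRIVILEGES = {
    "InquireIntoProducts": ["ViewReleasedProducts"],
    "EmployeeSelfService": ["EmployeeTableAccess"],
}
PRIVILEGES = {
    # An entry point (menu item) plus View on the table behind it.
    "ViewReleasedProducts": {"menu_items": {"ReleasedProducts"},
                             "tables": {"ProductTable": "View"}},
    # Delete on the table, but no menu item to reach it.
    "EmployeeTableAccess": {"menu_items": set(),
                            "tables": {"ProductTable": "Delete"}},
}
MENU_ITEM_TABLES = {"ReleasedProducts": {"ProductTable"}}  # form -> tables it shows

def effective(roles):
    """Union of menu items; per table, the highest level and the role granting it."""
    menu, tables = set(), {}
    for role in roles:
        for duty in ROLE_DUTIES[role]:
            for priv in DUTY_PRIVILEGES[duty]:
                menu |= PRIVILEGES[priv]["menu_items"]
                for table, level in PRIVILEGES[priv]["tables"].items():
                    if table not in tables or RANK[level] > RANK[tables[table][0]]:
                        tables[table] = (level, role)
    return menu, tables

def reachable(roles):
    """(menu item, table) -> (level, source role) for tables behind a granted menu item."""
    menu, tables = effective(roles)
    return {(m, t): tables[t] for m in menu
            for t in MENU_ITEM_TABLES.get(m, ()) if t in tables}

def escalations(roles):
    """Pairs where the role combination reaches a higher level than any one role alone."""
    findings = []
    for key, (level, source) in sorted(reachable(roles).items()):
        alone = max(RANK[reachable([r]).get(key, ("None", None))[0]] for r in roles)
        if RANK[level] > alone:
            findings.append((key[0], key[1], LEVELS[alone], level, source))
    return findings

if __name__ == "__main__":
    for finding in escalations(["Materials Manager", "Employee"]):
        print("menu item %s on %s: %s alone, %s combined (from role %s)" % finding)
```

Running the same check over every pair of roles assigned together in a test environment gives a short list of combinations to verify by hand before go-live.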

  • Suggested answer
    Scott Pochron
    35

    If you have not tried it, Microsoft provides a Security Development tool for AX 2012 that I have found to be invaluable. You can access it on informationsource.dynamics.com. Read more about it here: technet.microsoft.com/.../hh859729.aspx.

    The tool when installed in a test environment enables analysis of roles and permissions by giving a UI to simulate the experience of a user with a given role. While the tool is not perfect, it makes the task of analyzing roles, duties, and permissions much easier.

  • Salome van der Merwe
    340

    Hi Mark,

    Could you please share the spreadsheet you were speaking of earlier in this thread? I am currently setting up AX 2012 security for a client and am struggling to isolate all the roles etc correctly.

    Thanks!

  • PVN
    235

    Hi Mark,

    Could you share the spreadsheet with me at punugu@gmail.com?

    Thanks,

    PVN

  • Gabor Fulop
    320

    Hi Mark et al.,

    Great posts here.  I would also appreciate a copy of the spreadsheet you describe.

    Many thanks,

    Gabor
