Report security question

(0) Share

Report

Posted on by Community Member

How are you supposed to assign security for new fields on existing reports? I have a user who is not a system admin getting blank values on a customized field. When I copy their permission and test I can see they can't. I can see it's being caused by a call to InventTable::unitConvert. If I comment that out I can return any value I want and it will appear.

I have given these permissions on the Report design:

InventTable table read access
UnitOfMeasure table read access
EcoResReleasedProductUnitConverter.construct invoke access
EcoResReleasedProductUnitConverter.convert invoke access
UnitOfMeasureConverter.convert invoke access

The roles I am using are:

Machine operator
Materials manager
Production manager
Production planner
Production supervisor
Purchasing agent
Retail operations manager
System user
Warehouse manager
Warehouse worker

Thanks

I will add this, this is a query that gets this data. It's a display method on the InventJournalTrans table. It works for users who are System administrators.

According to this document:

https://msdn.microsoft.com/en-us/library/aa658897.aspx

I should be able to just use it and not have to worry about permission. Access to the table / methods of InventJournalTrans is there and the other data comes up.

*This post is locked for comments

I have the same question (0)

All responses (13)

Answers (2)

Martin Dráb 237,990 Most Valuable Professional on at

Like (0)

Report

I suggest you use the Security Development Tool, it will help you detect required permissions and test changes in security setup. You can even run InventTable::unitConvert() with their permissions and still debug the code, to see where exactly it goes wrong.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

I have used Security Development Tools and all it does is tell me they have permission to this report.

I am unable to debug this because it's a display method. It doesn't hit the debug point (or even any info logs I was trying to use).

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

I also noted that running the menu item in the security test workspace isn't even consistent. I launched it under the Machine operator role which has view access to the InventJournalTrans entry point. The values come up as if it should work. Yet in my actual test user client it does not with the same role.

Was this reply helpful? Yes No
Martin Dráb 237,990 Most Valuable Professional on at

Like (0)

Report

Display methods can be debugged as well, although it's true that you may be unable to combine it with restricted permissions. What if you try to run the code directly in a class (again with restricted permissions), instead of going through a report? If you manage to reproduce it in this was, you're debugging will become an order of magnitude easier.

In the worth case, you can always resort to tracing (ETW, simple writing to text files or so).

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Testing it in a class through a menuitem. I added the menu item to an entry point of one of the roles privileges. It was able to return a value (a specific value that would get return in the report). So it works when running it through the class directly.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

I want to add I tested it by calling the display method in the class as well. So I found the record in InventJournalTrans and called the displaymethod from within the class.

What would make it work calling it through a class vs a report?

I'll add this again the display method works on the report for me and other people who have the System Administrator role.

Was this reply helpful? Yes No
André Arnaud de Cal... 301,194 Super User 2025 Season 2 on at

Like (0)

Report

Hi Dougq,

Please read my blog about tips on the security development tool where I explained how to use the AX debugger when testing a role and also it explains the setting to test report behavior correctly. This might help you finding the culprit.

kaya-consulting.com/tips-on-ax-2012-security-development-tool-part-6

Om the SSRS report there is a permissions node in the AX AOT. You can add tables which are used by this report directly or indirectly to get access correctly.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Andre,

The issue is I can't even debug this report normally. It's in a display method called from a query. It doesn't hit the debug points ever (or display info logs)

and yes I've added UnitOfMeasure table to that node, as well as InventTable.

and why can a user with those same permissions call a class and get a value from that same display method?

I Just want to say it's not not debugging because of the query/display method, it's not displaying because it's a class that is of type SRSReportDataProviderBase and it doesn't allow debugging on those reports.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Also I've gone through your guide before and used it to try to solve this but it states in there that the debugger won't work if you turn on Portal security which I would need to do to properly test this.

Was this reply helpful? Yes No
Verified answer

André Arnaud de Cal... 301,194 Super User 2025 Season 2 on at

Like (0)

Report

Hi Dougq,

You are correct. The security framework is build in a pretty complex to understand way. If a user has permissions to execute the class, it usually also uses indirect table access from within the application itself with the same user session. Executing a table display method is somehow different when a SSRS report is using it. It then creates a worker user session from ouside the kernel itself.

Do you have a scenario which I can setup to test this myself? I'm pretty experienced and interested in the security framework. Which field did you exactly add on what report?

Was this reply helpful? Yes No