Microsoft Dynamics AX (Archived)

Restrict System Admins from assigning roles


We have a group of outside contractors who need to be system administrators in our Production environment.  The external auditors know the rationale behind this and accept it.  The one ability from which the auditors have requested the consultants be restricted is "Assign New Role" in the SysUserDetail form.   I believe that button calls the SysSecRoleAssignOM form.  I need to determine how to restrict access to either the button or the form.  Can anyone help me?  I am new to AX.

  • Suggested answer
    Vilmos Kintera

    By the nature of how SysAdmin access works, what you ask for is not possible, since it grants all access.

    The only way you could do it is if you create a new custom role and add all security privileges, duties, roles except the one that you want to prevent access for, then assign that access to the users instead of the admin. However, if it includes AOT access, they could add back that role and go around your limitation. This solution also prevents performing some tasks in AX which do indeed require the SysAdmin role, so it will never be a true admin user.

  • Suggested answer
    Denis Macchinetti

    Hi Spica66

    Take a look at the link below in order to create a copy of the SysAdmin role by code.

    axfaq.blogspot.it/.../create-role-as-sysadmin-without-dev.html

  • André Arnaud de Calavon

    Vilmos is correct in suggesting another role, and Denis provided a link to create a special admin role.

    Note that no role other than the administrator has access to the AOT. There is no duty or privilege to assign to be able to get AOT rights. A user without system administrator role cannot assign this sysadmin role to other users or himself.

  • Suggested answer
    Faisal Fareed

    Hi Spica,

    Some time ago I wrote a small tool to copy user permissions to different users; you can have a look at this tool here: http://daxture.blogspot.com.au/search/label/Tools

    However, I have written a small job for you to copy roles from one user to another, except the system administrator role, as this role does not have any content.

    static void copyUserRoles(Args _args)
    {
        boolean                 ret = true;

        SecurityRole            securityRole;

        SecurityUserRole        securityUserRole;
        SecurityUserRole        securityUserRoleExist;
        SecurityUserRole        securityUserRoleInsert;

        // Names of the roles that were actually copied, for the summary below
        List                    copiedUserRoles = new List(Types::String);

        ListEnumerator          lEnumerator;

        // Source and target user IDs
        str 20 fromUser = 'faisal.f';
        str 20 toUser = 'faisal.1';

        try
        {
            // Every role assigned to fromUser that toUser does not already hold
            while select securityUserRole
                    where securityUserRole.User == fromUser
                notExists join * from securityUserRoleExist
                    where securityUserRoleExist.SecurityRole    == securityUserRole.SecurityRole
                        && securityUserRoleExist.User           == toUser
            {
                select AotName, Name from securityRole where securityRole.RecId == securityUserRole.SecurityRole;

                // Skip the System administrator role unless the user running
                // this job is a system administrator
                if (securityRole.AotName == '-SYSADMIN-' && !isSystemAdministrator())
                    continue;

                copiedUserRoles.addStart(securityRole.Name);

                // Create the same role assignment for the target user
                securityUserRoleInsert.initValue();
                securityUserRoleInsert.SecurityRole = securityUserRole.SecurityRole;
                securityUserRoleInsert.User         = toUser;
                securityUserRoleInsert.insert();

                securityUserRoleInsert.clear();
            }
        }
        catch
        {
            ret = false;
        }

        if (ret)
        {
            lEnumerator = copiedUserRoles.getEnumerator();

            // Nothing was copied: the target already had every role
            if (copiedUserRoles.empty())
                info(strFmt("User %1 and %2 has the same security roles",fromUser, toUser));

            // List the names of the copied roles
            while (lEnumerator.moveNext())
            {
                info(strFmt('%1',lEnumerator.current()));
            }
        }
        else
            error(strFmt("Copying aborted"));
    }
  • André Arnaud de Calavon

    Hi Faisal,

    Copying the System administrator role is not working. This role has no content. In the kernel and within business logic the security is completely bypassed based on the name of the System administrator role.

  • Faisal Fareed

    Hi Andre, thanks for the correction. I updated my response with the code to copy all roles from one user to another at once, except the system administrator role, which indeed does not have any content.
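
Since the thread concludes that a holder of the -SYSADMIN- role cannot be restricted, a periodic review of who holds it is the practical check. The job below is an added example, not part of any post in this thread: it lists every enabled user holding the role whose AOT name is -SYSADMIN- and flags holders that are missing from an approved list. The job name and the user IDs in the allow-list are constructed for illustration.

```xpp
static void auditSysAdminAssignments(Args _args)
{
    SecurityRole        securityRole;
    SecurityUserRole    securityUserRole;
    UserInfo            userInfo;
    Set                 approved = new Set(Types::String);
    int                 expected;
    int                 unexpected;

    // Constructed sample allow-list: replace with the user IDs that the
    // auditors have accepted as system administrators.
    approved.add('Admin');
    approved.add('contr.01');
    approved.add('contr.02');

    // Every assignment of the role that the kernel treats as full access,
    // identified by its AOT name as in the posts above.
    while select User from securityUserRole
        join RecId from securityRole
            where securityRole.RecId   == securityUserRole.SecurityRole
               && securityRole.AotName == '-SYSADMIN-'
        join id, name, enable from userInfo
            where userInfo.id == securityUserRole.User
    {
        // Disabled accounts cannot log on, so leave them out of the findings.
        if (!userInfo.enable)
            continue;

        if (approved.in(userInfo.id))
        {
            expected++;
            info(strFmt("Approved system administrator: %1 (%2)", userInfo.id, userInfo.name));
        }
        else
        {
            unexpected++;
            warning(strFmt("Unapproved system administrator: %1 (%2)", userInfo.id, userInfo.name));
        }
    }

    info(strFmt("Approved holders: %1, unapproved holders: %2", expected, unexpected));
}
```

Because any system administrator can edit or delete a job in the AOT, the findings are only meaningful when the job is run and reviewed by someone outside the group being audited.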
