Microsoft Dynamics AX (Archived)

Granular security control

(0) Share

Report

Posted on by Community Member

Hi guys

I have two forms and need different security for it.

The forms:

1) EntityCreate

2) EntityDetail

Both forms work on the same datasource namely: Entity

Now, i have 2 menu items. One for each form. A privilege for each menu item.

The EntityCreatePrivilege has Delete access for the EntityCreate menu item/form.

The EntityDetailPrivilege has Read access for the EntityDetail menu item/form.

Created one duty and added both privileges. Added the duty to my role.

During testing i notice i have full access on the Detail form.

Can you advize on a way to get read access on the detail form but still have full access on the create form?

Preferably just via the security objects without changing existing forms/menu items

Thanks in advance guys

*This post is locked for comments

I have the same question (0)

All responses (10)

Answers (0)

Sohaib Cheema 49,438 User Group Leader on at

Like (1)

Report

Interesting one.

Can you try by adding the TABLE under Permissions node of both duties and then setting up the appropriate needed permission.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

I tried specifying read and delete permission on that table in both privileges but didnt work

Havent tried to split them in two duties though. Will try

Was this reply helpful? Yes No
André Arnaud de Cal... 301,171 Super User 2025 Season 2 on at

Like (0)

Report

Hi Tim,

This is not possible without adjusting the form. Or have a different (temporary) table on the creation form.

I assume you also want to grant full access for some users on the detail form?

Was this reply helpful? Yes No
Sohaib Cheema 49,438 User Group Leader on at

Like (0)

Report

Within the same role high permission takes priority, among all assigned menu items.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Hi guys

Yes i was getting to the conclusion that AX was just picking the "best" or "highest" permission for a certain datasource/table.

Pretty lame that you can't override it for a certain form :/

@Andre: yes, the details form needs to be editable for other roles.

How can i achieve this by editing the form? I would like to keep the datasource (and not use a different table/datasource).

Thanks in advance

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

I was reading this but not getting any wiser:

msdn.microsoft.com/.../gg841928.aspx

Was this reply helpful? Yes No
Suggested answer

André Arnaud de Cal... 301,171 Super User 2025 Season 2 on at

Like (0)

Report

Hi Tim,

The link you read is good for understanding how it works. The highest permissions are taken, so in this case it will have create rights on the table when opening the form anyway.

Assuming the creation form is not for maintaining records, but only create new... Probably you can try to do the next steps:

- EntityCreatePrivilege > Set access level to Create instead of Delete.

- On the form permissions node for 'Create' set the UpdatePermissions, CreatePermissions, CorrectPermissions and DeletePermissions to 'No'. ReadPermissions will be set to 'Yes'. This is like explained in the msdn article under section 'Suppress a Permissions Set'.

In this way the create privilege will be downgraded on this form to read only. You can have a separate privilege for Delete (maintain) which will work with all permissions when you leave the Delete node on the permissions untouched.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Hi Andre

I cant get it to work. Can you be a little more specific about step 2?

What i did:

CreatePriv -> Entry Point Create -> Access Level: Create

Menu Item of Detail -> Update/Create/CorrectPermission: NO

I left read and delete permission to AUTO.

Result: create form works but detail page is stull fully editable.

I would have expected AX to ignore update/create/correct permissions and pick Read (and not Delete as the entry point is create level)

When setting every menu item access level to read everything is gray (to make sure there wasnt some code overriding)

Was this reply helpful? Yes No
André Arnaud de Cal... 301,171 Super User 2025 Season 2 on at

Like (0)

Report

Point 2: Go to the details form in the AOT. Then open the Permissions node. Select the Create node and open the properties. Here you can specify the overrides for this form and set read permissions to Yes and all other to No.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Hi guys

Andre: that didnt work. Im having the feeling that AX is getting all the permissions for a certain table, then takes the highest permission, remembers this and applies it to all forms/datasources it initializes.

I did get it to work a bit differently, what i did was:

0) CreatePrivilege has Create permission, DetailPrivilege on Read (results in Create permissions on all forms with that table/datasource)

1) open the Detail form in AOT

2) set all the form controls that needed to be read only to NeededPermission read

3) go to role in AOT

4) go to permissions node -> forms

5) dragged the detail form in the forms node

6) dragged all the controls that needed to be read only on the form node (in role's permission node)

7) set all the EffectiveAccess to read for all those dragged controls

8) Maintain role still has full access, creator role has create access in the Create form and can update only a few fields in the Detail form.

This bugs me as this is not the least privilege principle, i need to explicitly tell AX which controls need to be read-only for this role. New form controls would be updateable by default and would require extra attention in case of security.

But hey it works...

Thanks for all the effort guys... i'm not happy with the result but at least now i know you can explicitly override access via roles -> permissions -> forms

Was this reply helpful? Yes No