Finance | Project Operations, Human Resources, ...
Answered

Can't post a free text invoice because of XDS security policy

Posted on by 513
I have a role-based security policy on CustInvoiceJour and the policy query is linked with another table that has some vouchers. When I try to create a free text invoice, it creates one, but when I try to post the free text invoice it gives me this error:
 
When I remove the role related to the XDS policy, the post process is completed without any errors!
 
I thought that the posting process creates a new ledgerVoucher, and since the table that contains the vouchers related to CustInvoiceJour doesn't have this new ledgerVoucher, the user doesn't have access to it.
So, I was thinking of an extension of the insert method of CustInvoiceJour that inserts the newly created voucher number before performing the insert:
[ExtensionOf(tableStr(CustInvoiceJour))]
final class CustInvoiceJour_Table_Extension
{
    public void insert()
    {
        XDSCustInvJourTable   xdsCustInvJour;

        // Register the new voucher in the custom table that the XDS policy query joins to
        if (this.LedgerVoucher)
        {
            xdsCustInvJour.clear();
            xdsCustInvJour.LedgerVoucher = this.LedgerVoucher;
            xdsCustInvJour.insert();
        }

        // Continue with the standard CustInvoiceJour insert
        next insert();
    }
}
This scenario also happens when I create a sales order and try to invoice it, where a new LedgerVoucher is created. Before I added the extension method it was giving an error, but after the extension method it works fine.
  • Sohaib Cheema Profile Picture
    49,679 Super User 2026 Season 1 on at
    It seems you have restricted the user from viewing all vouchers. Shouldn't the user be able to see at least the vouchers created as a result of free text invoices, particularly those posted by the user?

    You may want to create a Dynamics security policy that doesn't restrict users from viewing all vouchers but limits access. This means users should be able to see all vouchers except those not posted or created by them.

    There are fields in the Voucher Transactions that show "Created By" and "Created Date Time." You can link these fields with the CurUserId() filter in the XDS query.
  • AbdullahAhmed_ Profile Picture
    513 on at
    The user is restricted by custAccount. I want him to view vouchers related to a certain customer and the vouchers he created himself, but in my case he can't post a voucher because I have a predefined set of vouchers that he's allowed to view.
    What I was trying to do is add the vouchers he newly created to my defined vouchers in the database, but for some reason he can't post a voucher even if I insert it in my defined set of vouchers in the database!
  • Sohaib Cheema Profile Picture
    49,679 Super User 2026 Season 1 on at
    There are different levels of security you can set in the XDS policy. If you select AllOperations in the operation property of XDS, that’s how it will behave, i.e., it will not allow you to read, write, or update data in the table. Posting writes/creates the new data (vouchers).

    You may need to reconsider creating a new XDS policy that can behave dynamically or fix your existing XDS.

    XDS can be bypassed using code, but in this case, you are using the standard free text invoice posting functionality. You can refer to a blog post by Andre on that topic.

    Could you provide more details about the process or how you have predefined a set of vouchers that the user is allowed to view?
  • André Arnaud de Calavon Profile Picture
    304,711 Super User 2026 Season 1 on at
    Hi Abdullah,

    Can you share technical details about your XDS policy? What is the definition of the query? What tables are constrained with what operation type? Should the XDS policy be active for the persons that post an invoice?
  • AbdullahAhmed_ Profile Picture
    513 on at
    Hello Sohaib,
    The class responsible for posting is CustPostInvoiceJob. I thought I could make an extension of the class and uncheck the policy during the execution of main(), but unfortunately it didn't work!
    [ExtensionOf(classStr(CustPostInvoiceJob))]
    final class CustPostInvoiceJob_DYNADDV_Extension
    {
        public static void main(Args args)
        {
            unchecked(Uncheck::XDS)
            {
                next main(args);
            }
        }
    }
    I'll elaborate more on technical details in my next reply to Andre..
  • AbdullahAhmed_ Profile Picture
    513 on at
    I have 2 policies and 2 queries:
    Both policies apply on select operations, not all operations!
     
    The first policy has custTable as primary table with some constrained tables including CustInvoiceTable (free text invoice table)
     
     
    and this is the query:
    CustTable is linked with another table that has pre-defined customer accounts to ensure the user only has access to these customers across the system.
     
    the 2nd policy is for CustInvoiceJour:
     
     
    and here's its query:
    CustInvoiceJour is linked with another table that also has pre-defined voucher numbers that the user can have access to...
     
    So, for the user that's restricted by these policies, he should be able to create a free text invoice and post it.. but posting it means he has access now to a voucher number that isn't pre-defined in my tables, so, I had an idea if the posting process is valid and no errors, the system inserts the record in CustInvoiceJour.. so, I insert it in my tables too so the user can see it in the system now.. like this:
    [ExtensionOf(tablestr(CustInvoiceJour))]
    final class DYNADDVCustInvoiceJour_Table_Extension
    {
        public void insert()
        {
            XDSCustInvoiceJour xDSCustInvoiceJour ;
    
            if(this.LedgerVoucher)
            {
                xDSCustInvoiceJour.clear();
                xDSCustInvoiceJour.LedgerVoucher = this.LedgerVoucher;
                xDSCustInvoiceJour.UserId = curUserId();
                xDSCustInvoiceJour.insert();
            }
    
            next insert();
        }
    
    }
     
  • Sohaib Cheema Profile Picture
    49,679 Super User 2026 Season 1 on at
    Based on your provided input, you are trying to insert before the next insert(). Fair enough, but that's not sufficient.
    You are restricted in selecting the records due to your second policy/XDS query. Your XDS does not allow the value for selection (read), so whether you do it before or after the next insert(), it will remain empty.
     
    By the way, if we look at your original post, the screenshot mentions being unable to retrieve a currency for the exchange rate (_fromCurrency).
     

     
  • AbdullahAhmed_ Profile Picture
    513 on at
    Yes, the error is because of the policy.. The policy is role based and it's assigned to the user, when I remove the role there are no errors in posting process and it works fine.
     
    Although I disable the XDS before CustPostInvoiceJob main(), it's still not working!
  • Verified answer
    AbdullahAhmed_ Profile Picture
    513 on at
    Solution update:
    I debugged the class CustPostInvoiceJob and found that it fails at exchRateCurToMst() of the CustTrans table,
    and when I checked my policy again I found that CustTrans was restricted, and when I made it not constrained (set Constrained to No), everything works fine with the posting process.
     
     
    So, to recap:
    1- policy 1 has CustTable as primary table and CustInvoiceJour as constrained ...> this ensures pre-defined customers are shown to the user.
     
    2- policy 2 has CustInvoiceJour as primary table and no constrained tables! ...> the user can see some pre-defined invoices.
     
    3- in case of creating a new record in custInvoiceJour, whether it was by posting a free text invoice or by invoicing a sales order, this creates a new record in custInvoiceJour and of course a new voucher number...
    In the extension method of custInvoiceJour, I insert the new voucher number into my pre-defined set of voucher numbers before the insert in custInvoiceJour, so the system sees that the user is allowed to deal with this new voucher number.
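
A diagnostic for the situation in the verified answer, added here as an example and not code from the thread: run as the restricted user, it compares the rows visible with the XDS policies applied against the rows visible inside an `unchecked(Uncheck::XDS)` block, so a filtered table that posting reads (here CustTrans) stands out. The class name XdsVisibilityCheck is hypothetical.

```xpp
// Added diagnostic example; XdsVisibilityCheck is a hypothetical class name.
// Run it as the user who holds the role the XDS policies are assigned to.
internal final class XdsVisibilityCheck
{
    public static void main(Args _args)
    {
        CustInvoiceJour custInvoiceJour;
        CustTrans       custTrans;
        int64           invoicesWithXds, invoicesWithoutXds;
        int64           transWithXds, transWithoutXds;

        // Counts with the policies applied: what code running as this user can read.
        select count(RecId) from custInvoiceJour;
        invoicesWithXds = custInvoiceJour.RecId;

        select count(RecId) from custTrans;
        transWithXds = custTrans.RecId;

        // Same counts with XDS filtering switched off for the statements in this block.
        unchecked (Uncheck::XDS)
        {
            select count(RecId) from custInvoiceJour;
            invoicesWithoutXds = custInvoiceJour.RecId;

            select count(RecId) from custTrans;
            transWithoutXds = custTrans.RecId;
        }

        // A gap between the two numbers means a policy filters that table for this user.
        info(strFmt("CustInvoiceJour: %1 of %2 rows visible", invoicesWithXds, invoicesWithoutXds));
        info(strFmt("CustTrans: %1 of %2 rows visible", transWithXds, transWithoutXds));

        if (transWithXds < transWithoutXds)
        {
            // Posting reads CustTrans (exchRateCurToMst), so a filter here can break it.
            warning("CustTrans is filtered by XDS; review its Constrained setting in the policy.");
        }
    }
}
```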
