Finance | Project Operations, Human Resources, ...
Answered

Security best practice on a form that creates a record on init


I am trying to add some security to the AX ProjBudget form in AX 2012 R3.  In the init method of the form, there's a chunk of code that does a FindOrCreate.  It finds the budget if it already exists and it creates a budget if one doesn't exist.  We have a requirement where some user roles should be able to create project budgets while others should only be able to view them.  My user role has view only access to both the ProjBudget table and the ProjBudget menu item which opens the ProjBudget form.  When I click a menu item button that points to the ProjBudget display menu item, the form opens and creates a record on my behalf.  I think I misunderstood the AX security framework and figured that code in the init would fail to create a new record since my user has view only access.  I tried overriding the security by adding the ProjBudget table to the permissions on my user role and setting the EffectiveAccess property to NoAccess and still the system is creating the record on my behalf.  I was surprised to see my user id on the CreatedBy field thinking that if the system is creating the record, at least it would show the AOS user but the system is somehow able to create this row on my behalf.  

Am I doing something terribly wrong?  I'm wondering if it's not a good coding practice to put this FindOrCreate on the init of a form where you want users to be able to view records but not have access to create them.  

To resolve this issue so our read only users are no longer able to create project budgets, I had an idea for a workaround which would be to create a second menu item to the same form.  One would be for create and one would be for view/edit.  The view only user would get no access to the create button and would get access to the view/edit button.  Then I have to do extra work on the parent form to check whether a budget exists and show the create button if no budget exists and show the view/edit button if a budget exists.  This way my view only user just won't see a button if no budget exists and will be able to see and click the button if a budget exists.  This feels really hacky, I don't think the calling form should have to be conscious of the existence of a record in a child form and toggle the buttons like this but I'm not sure of another way to deal with this without doing a bigger refactor on the project budget creation process.  

Any thoughts or suggestions would be greatly appreciated!

  • Verified answer
    André Arnaud de Calavon
    301,035 Super User 2025 Season 2

    Hi Brawndo,

    Is this FindOrCreate standard coding or a customization? You can use a condition to find out if the user has insert rights on the table or not. Then only execute this FindOrCreate when he has the proper access to create new records.

  • Greg's Mom

    Hi Andre,

    This is standard SYS layer code.  Thanks for the suggestion about checking whether the user has insert rights on the table.  Do you know of any examples of this in AX?  I'm not sure if I need to query security role tables/views to find out if a user has permission or is there a framework class that I can use to easily perform this check?  I've never taken this approach with security in AX before.  

  • Verified answer
    Martin Dráb
    237,884 Most Valuable Professional

    You can utilize SecurityRights.tableAccessRight(). You can see it in init() method of CreditCardCust form, for example.

    If it was your table, you could set Aos Authorization, but it can't be changed by extensions.

  • Greg's Mom

    Thank you Andre and Martin.  I ended up adding this check in the ProjBudget FindOrCreate method:

           // Description: Only create the budget record if the user has access to do so

           if (!projBudget.RecId && (projBudget.tableAccessRight() >= AccessRight::Add))
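
The pattern discussed in this thread, written out as an added example that is not code from any of the posters or from the standard application: a find-or-create that inserts only when the current user holds create rights, and a form init() that copes with the empty buffer a view-only user gets back. DemoProjBudget, its ProjId field, the demoProjBudget_ds data source and the assumption that the caller passes a ProjTable record are all hypothetical; SecurityRights.tableAccessRight() is the call Martin names, assumed here to take the table name.

```xpp
// Added illustration, not code from the thread. DemoProjBudget and its ProjId
// field are hypothetical stand-ins for the table the form creates on init.
// Table method:
public static DemoProjBudget findOrCreate(ProjId _projId)
{
    DemoProjBudget  budget;
    SecurityRights  rights = SecurityRights::construct();
    AccessRight     access = rights.tableAccessRight(tableStr(DemoProjBudget));

    select firstonly budget
        where budget.ProjId == _projId;

    // Insert only when the current user's roles grant create (Add) or higher.
    if (!budget.RecId && access >= AccessRight::Add)
    {
        ttsBegin;
        budget.ProjId = _projId;
        budget.insert();
        ttsCommit;
    }

    // For a view-only user with no existing budget this is an empty buffer.
    return budget;
}

// Form method: the caller has to handle the empty buffer instead of assuming
// that a record always exists after findOrCreate().
public void init()
{
    DemoProjBudget  budget;
    ProjTable       projTable = element.args().record(); // assumed caller record

    super();

    budget = DemoProjBudget::findOrCreate(projTable.ProjId);
    if (!budget.RecId)
    {
        // Nothing to show and no right to create: keep the form read-only.
        demoProjBudget_ds.allowCreate(false);
        demoProjBudget_ds.allowEdit(false);
        info("No budget exists for this project and you do not have permission to create one.");
    }
}
```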
