What am I missing in setting up a simple XDS security policy in Dynamics 365 for Operations?

(1) Share

Report

Posted on by DD-19021315-0

230

We have a requirement to filter some information (e.g. Purchase Orders) visible to certain users by an internal attribute - Depots. A user may have access to multiple depots, so I have created a custom table, UserDepot, which contains fields UserId and Depot, and have populated this via a Data Entity using a Logic Apps. I have checked the contents using the .../Data/UserDepots URL.

Ignoring for the moment the issues of selecting Depots by Userid (I am thinking of creating a 'temp' table MyDepots in the same way MyLegalEntities and MyDepartments are created at login) and the current requirement that a user with no Depots listed should have access to all Depots, as an initial test I created a query to link PurchTable to UserDepot and then created a Security Policy to apply this query to constrain both PurchTable and PurchLines.

The query looks like this:

5340.Capture1.PNG

8054.Capture2.PNG 7416.Capture3.PNG 7416.Capture4.PNG 1121.Capture5.PNG

And the security policy is:

4744.Capture6.PNG

3286.Capture7.PNG 6811.Capture8.PNG

The DepotAccess model references ApplicationFoundation, ApplicationPlatform and ApplicationSuite.

To test, I'm using the workspace Purchase Order Preparation (mi=PurchOrderMaintainWorkspace) which, I believe uses view PurchOrderApprovedView which is based on table PurchTable and hence, I beleive, should be constrained as a result of the constraint on PurchTable.

The problem is that it doesn't work. With only 1 valid Depot in the UserDepot table a user with limited access (i.e. not System Admin) can still see all Purchase Orders.

I've tried linking the Security Policy to Role SystemUser (change Context Type to RoleName and insert SystyemUser in the Role Name on the security policy properties) and also tried synchronising the database, all to no effect.

Unless I've seriously misunderstood how XDS works, I can't see why this shouldn't work, but can't see what I've failed to configure or where my test doesn't work.

What am I missing?

*This post is locked for comments

I have the same question (0)

All responses (16)

Answers (1)

Community Member on at

Like (0)

Report

RE: What am I missing in setting up a simple XDS security policy in Dynamics 365 for Operations?

Dear Derek, Did you log any issue to Microsoft for that case? I just discover the same trouble using version 1611. Regards

Was this reply helpful? Yes No
DD-19021315-0 230 on at

Like (0)

Report

RE: What am I missing in setting up a simple XDS security policy in Dynamics 365 for Operations?

Defining a query extension works (sort of). The extension I added was:

The user view is now what we want:

Unfortunately, the filter (as a query) is now also applied to system administrators, who currently don't have entries in the UserDepot table. The effect is that the PurchOrderApprovedPart query returns nothing, but the Approved tiles shows 4 (as expected) and clicking on this to open the PurchOrderApproved form in its own page shows all entries.

I'm not sure if its a bug, but it seems that using a query to populate a grid bypasses XDS. Of course, if it is a bug, it's the sort where fixing it may break many things which rely on the behaviour, hence it can't be fixed! I think I'd need to see if there are other places where a grid is populated with a query and see if trying to limit the data with XDS worked or not before deciding it was a bug.

For the moment, I think I need to modify the MyDepots generator to return everything if the user has System Admin role.

Was this reply helpful? Yes No
DD-19021315-0 230 on at

Like (0)

Report

RE: What am I missing in setting up a simple XDS security policy in Dynamics 365 for Operations?

PurchOrderApprovedPart is actually a Query not a view, so attempting to constrain it gives the error: "Table or view 'PurchOrderApprovedPart' does not exist.". I am looking at creating a Query Extension as it would appear from this that queries bypass XDS.

Was this reply helpful? Yes No
André Arnaud de Cal... 297,231 Super User 2025 Season 2 on at

Like (0)

Report

RE: What am I missing in setting up a simple XDS security policy in Dynamics 365 for Operations?

Hi Derek,

I did check the form in Visual Studio now as well. The theory wasn't sufficient anymore...

The form PurchOrderApproved seems to use a view called PurchOrderApprovedPart which in turn is an implementation of PurchOrderApprovedView. Can you try to add PurchOrderApprovedPart as constrained table in your security policy like you did with PurchOrderApprovedView? If this isn't working, it could be a bug indeed.

Was this reply helpful? Yes No
DD-19021315-0 230 on at

Like (0)

Report

RE: What am I missing in setting up a simple XDS security policy in Dynamics 365 for Operations?

I have now written extensions to PurchOrderApprovedVeiw and the PurchOrderApproved form to add the Site (InventSiteId) field.

After synching the database, the Purchase Order Preparion screen for a user who is supposed to only be able to view one site (depot) shows:

The XDS method in MyDepots gets called after the main grid has been displayed and before the count of 1 is displayed in the Approved tile. Clicking on this tile shows only one line as expected.

So it seems this grid is being filled bypassing the XDS constraint. IS this a bug or is there some way to get it to honour the restriction?

Was this reply helpful? Yes No
DD-19021315-0 230 on at

Like (0)

Report

RE: What am I missing in setting up a simple XDS security policy in Dynamics 365 for Operations?

Hi Andre,

The administration information shows that the form (PurchOrderApproved) has no entry in the DataSource field. Instead it has a Query Statement:

Query PurchOrderApprovedPart object afdd7f10: SELECT FORUPDATE * FROM PurchOrderApprovedView(PurchOrderApprovedView) ORDER BY PurchOrderApprovedView.ApprovedDateTime DESC JOIN FORUPDATE FROM SysFilterTable(SysFilterTable_1) ON ((RecId = 68719497737))

This refers to PurchOrderApprovedView, but doesn't seem to be affected by XDS.

Also, when I look at the PurchOrderApproved form in VS2015, this is the same form which opens when the Approved tile is clicked, which I've checked does get filtered by XDS as expected. Why is it not being filtered when used as a sub-form of another page?

Was this reply helpful? Yes No
André Arnaud de Cal... 297,231 Super User 2025 Season 2 on at

Like (0)

Report

RE: What am I missing in setting up a simple XDS security policy in Dynamics 365 for Operations?

Hi Derek,

Indeed, it may be a different view. I assumed you did lookup the correct one. If you right click on the form, you can choose in the pop-up menu Form information > Form name: ..... Then on the slider window open the Administration fast tab for datasource information.

Or the link may not be recognized correctly

Was this reply helpful? Yes No
DD-19021315-0 230 on at

Like (0)

Report

RE: What am I missing in setting up a simple XDS security policy in Dynamics 365 for Operations?

No. That fixes the error, but the list still opens without applying the constraint. I've now implemented the MyDepots temp table (and tested it works) so set a breakpoint in the method. This is when it first gets hit.

As you can see, it's a ready displayed the list. I presume it's using a different view?

Was this reply helpful? Yes No
André Arnaud de Cal... 297,231 Super User 2025 Season 2 on at

Like (0)

Report

RE: What am I missing in setting up a simple XDS security policy in Dynamics 365 for Operations?

Hi Derek,

Did you use the option to include a new table based on Constrained Expression like mentioned in your other question?

Was this reply helpful? Yes No
DD-19021315-0 230 on at

Like (0)

Report

RE: What am I missing in setting up a simple XDS security policy in Dynamics 365 for Operations?

Relation "PurchOrderApprovedView.PurchId == PurchTable.PurchId" doesn't work either so it's not that the view doesn't expose RedId.

Was this reply helpful? Yes No