MSDN: Walkthrough: Creating a Simple Default Security Policy [AX 2012]

Source: http://msdn.microsoft.com/en-us/library/hh272123.aspx

Source: http://msdn.microsoft.com/EN-US/library/hh272121.aspx

Overview of Security Policies for Table Records [AX 2012]

Security policies enable developers and administrators to block access to subsets of data rows in tables. A policy is roughly similar to a where clause in an SQL select statement. A security permission increases the access a user has to data, but a security policy decreases access to data.
In the Application Object Tree (AOT), policies are displayed under Security > Policies.
Security policies are enforced in the Application Object Server (AOS). All access mechanisms that route through the AOS are subject to policy enforcement. These access mechanisms include forms, Enterprise Portal webpages, SSRS reports, and calls from class methods.
Microsoft Dynamics AX uses an extensible data security (XDS) model. XDS extends data security from a single table to the tables and views that contain related data.
Security policies are part of an overall extensible data security model. The conceptual model in the following illustration shows the influence of context on security policies.

[Figure: The conceptual model of extensible data security]

The following table defines the concepts of the XDS model.

Concept: Description
Constrained tables and views: A security policy could constrain the data access of the SalesTable to only those records that have one particular CustAccount foreign key value. You can define constrained tables and views in the AOT at Security > Policies > YourPolicy > Constrained Tables.
Primary table: You can use a primary table to secure the content of the related constrained table. For example, in a policy that secures all sales orders based on the CustGroup foreign key value, the Customer table would be the primary table.
Policy query: You can define a policy query by specifying a value for the Query property in the AOT at Security > Policies > YourPolicy. You can use a policy query to secure the constrained tables specified in a given security policy. The query selects data from a primary table. The values in that data are then used to restrict the data returned from the constrained table.
Context: A policy context controls the circumstances under which a given policy applies. The policy is not enforced unless the context is set. The types of policy contexts are as follows:
  • Role context – can enable policies that are based on the roles to which the user is assigned.
  • Application context – can enable policies that are based on information which is set by the application.
  For more information about policy contexts, see Security Policies Properties.

----------------------------------------------------------------

Walkthrough: Creating a Simple Default Security Policy [AX 2012]

Updated: September 30, 2011
Applies To: Microsoft Dynamics AX 2012 R2, Microsoft Dynamics AX 2012 Feature Pack, Microsoft Dynamics AX 2012
A security policy reduces the range of table records that users in roles are allowed to access. In the AOT, you create a security policy by first creating a query that has a range. Next you create the policy and set its Query property to the new query. Roles and users that are associated to the policy can see only the subset of table records that are included by the range.
In this topic you create a security policy on the CustGroup table.
To complete the final steps in this topic, you must understand how to test security. Robust testing requires you to be a user in the following different user roles at different stages:
  • Developer
  • System administrator
  • Application user
For more information, see How to: Test the Role-based Security Configurations under AOT Security.
It is convenient to create a project to collect the AOT elements that you create for this topic.
  1. Create a project named SecurityPolicy. The project can be either private or shared. For information about how to create a project, see How to: Create a MorphX Development Project.
  2. In the Projects window, right-click your project, and then click Open. This opens your project in its own window. You can close the Projects window.
The following steps are based on the test data that is named Contoso Entertainment Systems (West)(CEU). It is not necessary for you to have this particular set of test data. As you follow the steps, you can perform analogous actions with your test data set.
  1. Open the Microsoft Dynamics AX client and switch to company Contoso Entertainment Systems (West) (CEU).
  2. Switch to module Accounts Receivable and open Setup > Customers > Customer groups.
  3. Verify that the Major customers customer group has an ID value of 20, as shown in the following image. You will create a policy so that an application user can only work with data for this customer group.
    [Figure: The customer group that you work with]

Each security policy relies on a query. The ranges of the query are a primary element of the security policy.
You can create a new policy query by following these steps:
  1. Create a policy query by right-clicking the SecurityPolicy project, and then navigating to New > Query. Rename the new query to MajorCustomersPolicyQuery.
  2. Locate Data Sources under the SecurityPolicy > MajorCustomersPolicyQuery node. Add a new data source.
  3. In the Properties window for the new data source, set the Name property to CustGroup_1, and the Table property to CustGroup.
  4. Right click the Ranges node and select New Range.
  5. In the Properties window for the new range, set the Field property to CustGroup, and the Value property to 20.
  6. Locate Fields under the MajorCustomersPolicyQuery > Data Sources > CustGroup_1 node.
  7. In the Properties window for Fields, set the Dynamic property to Yes. The Yes value indicates that all fields are queried.
You can create a security policy by following these steps:
  1. Create a security policy by right-clicking the SecurityPolicy project, and then navigating to New > Security > Security Policy. Rename the new security policy to MajorCustomersPolicy.
  2. In the Properties window for MajorCustomersPolicy, set the following properties:
    Property: Value
    Name: MajorCustomersPolicy
    Label: Restrict data to major customers
    PrimaryTable: CustGroup
    Query: MajorCustomersPolicyQuery
    PolicyGroup: Customer group based policy
    ConstrainedTable: Yes
    Enabled: Yes
    Operation: All operations
  3. Save and compile the security policy.
The security policy is now ready for deployment and testing. Note that the ContextType property is currently set to the value ContextString, but the ContextString property is empty. This combination implies that when it is enabled, this security policy will always be applicable for all users.
You have created all the items necessary for this walkthrough, as shown in the following image.
[Figure: The project that you create]
As an application user, you can now verify that the security policy that you have created is enforced by the system.
  • Verify that the application user can view only the Major customers customer group, as shown in the following image.
    [Figure: The customer group that the application user can view]
  • Try to insert a record and verify that the application user cannot add any other customer group.
    When you try to insert a record, you will see the error output in the Infolog window, as shown in the following image.
    [Figure: The system error output caused by the enforced security policy]

  1. Assign an application user to the Sales manager role. The form for this is in the System administration module, at System administration > Setup > Security > Assign users to roles.
     For more information, see Assign users to security roles.
  2. Log on to the system as an application user. Then run the AX32.exe client application from a command prompt window.
  3. Switch to company Contoso Entertainment Systems (West) (CEU).
  4. Switch to module Accounts Receivable and open Setup > Customers > Customer groups.
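
A small model of the policy built in this walkthrough, added here as an illustration and not taken from MSDN or from Dynamics AX itself: it uses Python's sqlite3 to show the policy query acting as an extra where clause on the constrained tables and rejecting inserts that fall outside the range. The sample rows, the CustTable relation, and the enabled and role_context parameters are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (not the Contoso demo data set).
SCHEMA = """
CREATE TABLE CustGroup (CustGroup TEXT PRIMARY KEY, Name TEXT);
CREATE TABLE CustTable (AccountNum TEXT PRIMARY KEY, CustGroup TEXT);
INSERT INTO CustGroup VALUES ('10','Wholesale customers'),
  ('20','Major customers'), ('30','Retail customers');
INSERT INTO CustTable VALUES ('C-001','10'), ('C-002','20'),
  ('C-003','20'), ('C-004','30');
"""
# Policy query from the walkthrough: primary table CustGroup, range CustGroup = 20.
POLICY_QUERY = "SELECT CustGroup FROM CustGroup WHERE CustGroup = '20'"
CONSTRAINED = ("CustGroup", "CustTable")  # tables the modelled policy constrains


class PolicyViolation(Exception):
    """Raised when a write would create a row outside the policy range."""


def policy_applies(enabled, role_context, user_roles):
    # An empty context on an enabled policy means it applies to every user.
    return enabled and (role_context == "" or role_context in user_roles)


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def visible_rows(db, table, user_roles, enabled=True, role_context=""):
    if table not in CONSTRAINED:  # allowlist: table names cannot be bound as parameters
        raise ValueError(table)
    sql = f"SELECT * FROM {table}"
    if policy_applies(enabled, role_context, user_roles):
        # The policy behaves like an extra WHERE clause keyed on the primary table.
        sql += f" WHERE CustGroup IN ({POLICY_QUERY})"
    return db.execute(sql + " ORDER BY 1").fetchall()


def insert_cust_group(db, group_id, name, user_roles, enabled=True, role_context=""):
    db.execute("INSERT INTO CustGroup VALUES (?, ?)", (group_id, name))
    if policy_applies(enabled, role_context, user_roles):
        allowed = {row[0] for row in db.execute(POLICY_QUERY)}
        if group_id not in allowed:
            db.rollback()  # the new row falls outside the range: reject the write
            raise PolicyViolation(group_id)
    db.commit()
```

With the default arguments the model mirrors the walkthrough's settings (enabled, empty context string), so every caller is restricted to group 20 regardless of role.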
