Monday, December 19, 2016

AX 2012 Security Unwrapped Series - Understanding Role Based Security

This post will unwrap the Dynamics AX role-based security model that was introduced in version 2012, describing its structure and components.

"Within an organization, roles are created for various job functions.  The permissions to perform certain operations are assigned to specific roles.  Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions.  Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department." (Definition From Wikipedia)

Microsoft created a series of standard roles.  I've grouped them into three categories:
1. General staff - many of these roles have "worker", "clerk", or "agent" in their name.  Examples are: cost clerk, buying agent, warehouse worker.  These roles have the basic functions for a specific job, but in many cases they cannot complete the transaction on their own.
2. Management - many of these roles have "supervisor" or "manager" in their name.  Examples are: accounting manager, production supervisor.  These roles have access to the parameters and setups for a function, and to transaction approval, which allows the actual update in the application and is typically associated with posting inventory or general ledger transactions.
3. Executives - these roles tend to be specific titles, e.g. chief executive officer, financial controller.  They hold a few key setups or approvals, but mostly inquiry and reports.

Microsoft also defined a series of process cycles, each of which covers an entire business process flow.  Below are the original ones defined in 2012:

Expenditure - the standard Procure to Pay flow: vendors, purchase orders, receiving, payables
Revenue - the standard Order to Cash flow: prospects, customers, quotations, sales orders, receivables, project accounting
Conversion - the standard Plan to Produce flow: parts, BOMs, routes, forecasts, production orders, quality, service
Human capital management - hiring, employees, human resources
Information technology - technical setups such as AIF, system parameters, workflow, etc.
Cost accounting - setting up and activating costs, cost accounting, inventory valuation

Several more were added as part of R2/R3:  Fiscal books, Public sector, Retail, Retail merchandising, Sales operations financial planning, Trade agreement management, and Process cycle containing duties related to Multi Channel Retail.

Duties, privileges, and permissions are the building blocks that define access.  As the diagram above indicates, there is a hierarchy.  Roles and process cycles are made up of duties (a role can also hold privileges directly).  A duty contains a set of privileges that together allow access to a functional process.  A privilege tends to be a single function within that process, and it is the privilege that carries the permissions on the underlying objects.

Duties and privileges follow a general naming convention: the name typically starts with an action verb that describes the access granted:

Update: “Maintain…”, “Create…”, “Update…”, “Delete...”, "Add...", "Change/Edit..."
Inquiry: “Inquire into…”, “View…”, "Search..."
Reports: “Review…”, Preview…”, “Generate…”, "Print..."
Parameters:  “Enable…”, “Activate…”
Controls:  “Approve…”, “Complete…”, "Post...", "Reject...", "Cancel..."

Privileges are made up of permissions, which are very specific grants within the application.  I call them the keys to the kingdom.  They define levels of access to tables, menu items, functions, etc.  Keep in mind that a user holds the union of everything granted by all of their roles, and where two paths grant different levels on the same object the highest level wins, so reviewing a single role never tells you what a multi-role user can actually do.  Below is a definition of the access level:
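To make the hierarchy and the naming convention concrete, here is an added Python model (not AX code and not the author's) that walks user roles -> duties -> privileges -> permissions, unions the grants across roles with the highest level winning, and buckets duty names by the verb convention above.  The role, duty, privilege and object names in the sample data are constructed for illustration, and the access-level names are assumed to be AX 2012's (No access, Read, Update, Create, Correct, Delete), which the post itself does not list.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class AccessLevel(IntEnum):
    """Ordered so max() picks the broadest grant.
    Assumption: AX 2012's level names; the post does not list them."""
    NO_ACCESS = 0
    READ = 1
    UPDATE = 2
    CREATE = 3
    CORRECT = 4
    DELETE = 5


@dataclass
class Permission:
    entry_point: str        # the secured object: menu item, table, etc.
    level: AccessLevel


@dataclass
class Privilege:
    name: str
    permissions: list[Permission] = field(default_factory=list)


@dataclass
class Duty:
    name: str
    privileges: list[Privilege] = field(default_factory=list)


@dataclass
class Role:
    name: str
    duties: list[Duty] = field(default_factory=list)
    privileges: list[Privilege] = field(default_factory=list)  # direct grants that bypass duties


# Verb prefixes from the naming convention described in the post.
VERB_CATEGORIES = {
    "Update":     ("Maintain", "Create", "Update", "Delete", "Add", "Change", "Edit"),
    "Inquiry":    ("Inquire into", "View", "Search"),
    "Reports":    ("Review", "Preview", "Generate", "Print"),
    "Parameters": ("Enable", "Activate"),
    "Controls":   ("Approve", "Complete", "Post", "Reject", "Cancel"),
}


def classify(name: str) -> str:
    """Bucket a duty or privilege by its leading verb; 'Unknown' if it breaks the convention."""
    for category, verbs in VERB_CATEGORIES.items():
        if any(name.startswith(verb + " ") for verb in verbs):
            return category
    return "Unknown"


def effective_access(roles: list[Role]) -> dict[str, AccessLevel]:
    """Union every grant reachable from the roles, keeping the highest level per object."""
    result: dict[str, AccessLevel] = {}

    def absorb(priv: Privilege) -> None:
        for perm in priv.permissions:
            current = result.get(perm.entry_point, AccessLevel.NO_ACCESS)
            result[perm.entry_point] = max(current, perm.level)

    for role in roles:
        for priv in role.privileges:          # privileges held directly on the role
            absorb(priv)
        for duty in role.duties:              # privileges reached through duties
            for priv in duty.privileges:
                absorb(priv)
    return result


def can(roles: list[Role], entry_point: str, needed: AccessLevel) -> bool:
    """True if the combined roles reach at least `needed` on `entry_point`."""
    return effective_access(roles).get(entry_point, AccessLevel.NO_ACCESS) >= needed


def controls_held(roles: list[Role]) -> list[str]:
    """'Controls' duties (approve/post/...) a user holds: the ones to review first."""
    return sorted(d.name for r in roles for d in r.duties if classify(d.name) == "Controls")


# Constructed sample content with hypothetical names; not AX's shipped roles or objects.
VIEW_JOURNALS = Privilege("View vendor invoice journals",
                          [Permission("VendInvoiceJournal", AccessLevel.READ)])
MAINTAIN_JOURNALS = Privilege("Maintain vendor invoice journals",
                              [Permission("VendInvoiceJournal", AccessLevel.CREATE)])
POST_JOURNALS = Privilege("Post vendor invoice journals",
                          [Permission("VendInvoiceJournalPost", AccessLevel.UPDATE),
                           Permission("VendInvoiceJournal", AccessLevel.DELETE)])
CLERK = Role("Accounts payable clerk",
             duties=[Duty("Maintain vendor invoices", [VIEW_JOURNALS, MAINTAIN_JOURNALS])])
MANAGER = Role("Accounting manager",
               duties=[Duty("Approve vendor invoices", [POST_JOURNALS])],
               privileges=[VIEW_JOURNALS])

if __name__ == "__main__":
    for who in ([CLERK], [MANAGER], [CLERK, MANAGER]):
        print(" + ".join(r.name for r in who), dict(effective_access(who)),
              "can post:", can(who, "VendInvoiceJournalPost", AccessLevel.UPDATE),
              "controls:", controls_held(who))
```

Running it shows the clerk can create journals but not post them, the manager can post, and a user holding both roles ends up with Delete on the journal table because the manager's posting privilege grants it: the accumulation across roles is what an access review has to look at, not any single role.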
In my next post, I'll dive into the standard AX security menu and its capabilities.
