AX 2012 Security Unwrapped Series - Licensing Model

This post will unwrap the Dynamics AX Licensing Model.

In Dynamics AX 2012, the licensing model is by named user (vs. concurrent user in AX 2009).  There are also 4 levels of user licensing: Self-Serve, Task, Functional, and Enterprise.

The cost of the licenses are on an exponential curve with Enterprise being the most expensive.  Each function in AX has been programmed with a license level.  The user is assigned a license level by reviewing all functions they are granted, and assigning that user the highest license level function that they are have been granted.  It only takes one function that is Enterprise to make a user Enterprise!

Empirically, any function related to the general ledger update or inquiry will be Enterprise.  Yes, even inquiry - OUCH! Functions related to forecast or planned orders are also Enterprise.

Use the report, Named User License Counts, on the System Administration menu to see your named user license count vs. the number of licenses purchased.  There is a function, Named user license count reports processing, that was set up with the initial install of Dynamics AX which does the analysis.






If you have the Security Development Tool installed, you can review your roles and see the effective license level of each role.  Additionally, you can view all functions within that role and see the effective license level of each function.  Execute the function Load addition metadata to retrieve the licensing information.  Then you can enter a role, duty, or privilege and examine the effective license level of that role.

You can also see each function within the role and the associated license level.  If you filter for a specific license level, you can analyze if you can modify the role to reduce the effective license level.  This is a great tool to analyze your roles to see if you can reduce the licensing impact.

View my prior post for a more detailed discussion on the Security Development Tool.

Using the Security Development Tool, you can do quick analysis on your roles and see which are Enterprise.  Using the filter function, you can see how many menu items are causing the license level.  With that information, you can do some analysis to see if you can reduce your licensing level.

AX 2012 Security Unwrapped Series - Security Development Tool

This post will unwrap the Security Development Tool for Dynamics AX.  This is a tool created by Microsoft and applies only to AX 2012.  It is considered pre-production, when installed it will go into the USR layer.

First, here is the link to Microsoft's documentation site which has all you need to install:
https://docs.microsoft.com/en-us/dynamics365/operations/dev-itpro/lifecycle-services/ax-2012/overview-security-development-tool-user-interface

Let's walk through the tool and some of its main functions.  When you first open the tool it may take a few moments as it loads all the entry points.  On the left, is the entire menu structure.  Click the + sign to expand.  On the right, are the menu items and names.

Now you can enter in a role, duty, or privilege in the "Type" field and then enter in a respective security object name.  The tool will load the access for that security object.  The below screenshot is after loading Buying agent.  Note that you move the cursor to an item on the left, it will check the object on the right.  Also note that a few field has been loaded to the right - "Access level" which denotes the level of access of the security object that was loaded.

These are the access symbols and what access level they represent.




From the function ribbon, you have access to several functions.  A few are briefly described below (for more information view documentation on Microsoft's documentation site which was noted at the top of this blog entry):

1. Open the security test workspace - This will allow you to test the access of the security object entered using the UI.
2. Start recording - Records all entry points accessed as you navigate in the workspace.
3. Load track file - Loads the entry points that were traced in the Enterprise Portal.
4. Load additional metadata - This will load the effective user license level, labels, layer, and model.

The most useful, in my humble opinion, is the Load metadata to see the effective user license:

There are also some useful shortcut menu options: (1) Reference duty and (2) Reference privilege.  Cursor to a menu item on the left, right click and select one of the shortcuts.  Below is a screenshot after selecting Reference privilege:

In Summary, the tool is great for the security administrator.  It allows you to quickly identify the name of menu items and then find the specific duty or privilege you need to grant.  You can verify what access a specific role, duty, or privilege has.  And lastly, you can analyze licensing and see what menu item is associated with the Enterprise, Functional, and Task.

AX 2012 Security Unwrapped Series - Supplemental Setups

This post will unwrap the Dynamics AX Security Supplemental Setups.  We will review some setups that will affect a user's access but is outside of the main security menu functions.

User Groups are a second level of security for the General Ledger transactions.  (This was once stated to be a deprecated feature.  However it still exists in 2012 R3.)  You can control access to General Ledger journals and Inventory journals.  Setting this up is a two step process.

Step 1: Create user group and assign users.

Navigation path: System administration> Common> Users> User group

Click on the down arrow next to File and select new.

Then create a new group, and give it a long name if desired.

Then click on the Users tab.  A list of all AX users will display on the left under Remaining users.

Cursor over to the desired users, and then click the "<" button to add them to the user group.

To remove a user, put your cursor on the Selected user, and click the ">" button.






Step 2: Go to the Journal name set up to prevent all users EXCEPT those defined in the user group to be able to perform the journal transactions.

In the field labeled Blocking, you enter in the user group that you want to allow access.  There are 3 places where journal name definitions are found which are pictured below:

Navigation path: General ledger> Setup> Journals> Journal names



Navigation path: Inventory and warehouse management> Setup> Journals> Journal names, inventory

Navigation path: Inventory and warehouse management> Setup> Journals> Journal names, warehouse management

Whose code prevails...peeling the onion!

 

When applying partner models, be sure to check for code merge errors.  Also confirm that your partner code is going in the same layer.

As you can see in the diagram, SYS (Microsoft code) is the core.  Then ISV, VAR, CUS, and lastly USR.  What this means if the same code object exists in two or more layers, the code in the outermost is what will be used.

In our company's upgrade, we were surprised by one application that moved from the VAR to the ISV layer.  The standard process for installing models assumes that the layer has not changed.

Therefore in our case, when we installed the new model from our partner, the model installed in the ISV layer leaving the old model in the VAR layer.  When we compiled, much of the code of the new model was not recognized since it used old code from the VAR layer.  This resulted in compile errors.

Practice makes perfect !?!

If you've ever cooked something for the first time, you likely have read and followed a recipe. If its a complex dish and you want to perfect it, then you probably added additional instructions, warnings, etc. for when you make it again.

The same concept applies when you are doing a system implementation, conversion, or upgrade. You have the basic recipe, then you walk through the steps several times to perfect it before the actual live run.

Let's put this in the context of an upgrade - an R1 to R3 upgrade to be specific.  The upgrade in-place process is very complicated with many, many steps.  There are scripts to follow, manual steps, messages to pay attention to.  You obviously want your Production upgrade to go flawlessly.  So perfect the recipe by double-checking instructions; making notes adding your own additional steps and references; and following the recipe several times so that you can make that 'perfect' dish!

When it comes time to do the Production upgrade, you want to feel confident in your steps and have perfection!  Follow your recipe - don't rush, check your notes, and take deep breaths!!!