AX 2012 Security Role Basics
Here are some tips on security basics in AX 2012 when assigning roles and working with existing duties and privileges.
1. I have a user assigned to the Product Designer security role. In AX, in the Product Information management module> Common> Released products form, I now want to remove “All cases” in the Engineer tab, Product change group, from this role.
Here are the steps I took:
Right-click and select Personalize on the Released products form. If you click on the Information tab, you will see that the name of this form is EcoResProductPerCompanyListPage.
In the Personalization form, on the Layout tab, expand ActionPane> Engineer> Product change> then click on All cases.
You will see that the System name is EngineeringChangeGroupAllCases.
Edit the form (EcoResProductPerCompanyListPage)
You can get there by clicking on the Information tab then click on Edit button at the end of the Form name (or go to AOT> Forms)
In DesignList, look for the above system name (EngineeringChangeGroupAllCases).
Notice the Needed permission in the Properties for this object is set to None by default. You will need to set this to something other than None* so you can then override the permission for the All cases button for your role.
*Refer to this TechNet article for help on setting the Needed permission.
For this example I set the needed permission to Read (the least restrictive permission).
Once you have Needed permission changed to something other than none, you can then override the permission for this button for the role to “No access”.
To do this, go to a developer workspace in AX (Ctrl+D in AX), then edit** the BOMProductDesigner (AOT name for Product Designer) role in AOT by going to AOT> Security> Role. Select the role and expand it, then expand Permissions. You will then see the Forms node.
** Instead of modifying the original out-of-the-box role, I would recommend duplicating the role to a new custom role and calling it something like “SSI_BOMProductDesigner”, so you leave the original role as it is and can use it for comparing to your changed role.
Open up another AOT window and navigate to the Forms node, then look for EcoResProductPerCompanyListPage. Drag this form to the Forms node under BOMProductDesigner> Permissions> in the other AOT – \Security window. So you will end up with this –
Next, in AOT> Forms> expand EcoResProductPerCompanyListPage> expand DesignList and look for the control called EngineeringChangeGroupAllCases. Notice the Needed permission for this control has been changed to Read (from None). Click on this control and drag it to the other AOT – \Security window under the EcoResProductPerCompanyListPage form.
Notice the EffectiveAccess in Properties tab for that control for BOMProductDesigner role is NoAccess (and that’s how you remove access to the All cases button for the role!)
Log in to AX as the user with the Product Designer role and you will see the user no longer has All cases in the Engineer tab.
2. I also want to remove Associate with case in the Engineer tab for the Product Designer role
Edit this form (EcoResProductPerCompanyListPage)
In the Personalization form, on the Layout tab, expand ActionPane> Engineer> Product change> then click on Associate with case. Note the System name – EngineeringChangeGroupAssociateCase
Go to DesignList for this form, and look for EngineeringChangeGroupAssociateCase.
Look at its properties. You will see this –
To take away the button, you will need to remove access to the EngChgCaseAssociateReleasedProduct form.
In AOT> MenuItems> Display, look for EngChgCaseAssociateReleasedProduct, right-click> Add-ins> Security tools> View related security roles
You will see this role’s related duty and privilege to the above form (entry point).
You will need to remove this form (entry point) from the role’s privilege. For this example the privilege name is “EngChgCaseReleasedProductMaintain”. So, you will need to edit this privilege and remove the entry point “EngChgCaseAssociateReleasedProduct”. I would duplicate the privilege I want to change, so I leave the original out-of-the-box privilege alone (other duties may be using this privilege), and remove the entry point from the duplicated privilege. For this example my duplicated privilege is called “SSI_EngChgCaseReleasedProductMaintain_PD” and in this privilege, I would remove the entry point “EngChgCaseAssociateReleasedProduct”.
I would then duplicate the duty. In this example the duplicated duty is called “SSI_InventProductsForOperatnMstrMaint_PD”. I edited this duty by removing the privilege “EngChgCaseReleasedProductMaintain” and adding the modified privilege “SSI_EngChgCaseReleasedProductMaintain_PD”.
Next, you would have to modify the Role. Duplicate the role, give it a name like SSI_BOMProductDesigner, change the Label so it is different from the original, remove the original duty and add the modified duty “SSI_InventProductsForOperatnMstrMaint_PD”.
Doing this will make sure you do not break other Roles that are using the existing Duty and Privilege and other duties that are using that existing privilege.
Assign a user to this new role to test.
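The reason for duplicating the privilege, duty and role in example 2, shown as a small model of the role > duty > privilege > entry point chain. This is an added example, not AX code and not from the original post: the original duty name is assumed from the name of its copy, and every name ending in _Hypothetical is made up for illustration.

```python
from copy import deepcopy

ENTRY = "EngChgCaseAssociateReleasedProduct"
PRIV = "EngChgCaseReleasedProductMaintain"
DUTY = "InventProductsForOperatnMstrMaint"  # assumed original name, inferred from the copy

# Constructed model of role -> duty -> privilege -> entry point.
# Names ending in _Hypothetical are illustrative, not real AX objects.
MODEL = {
    "privileges": {PRIV: {ENTRY, "OtherEntryPoint_Hypothetical"}},
    "duties": {DUTY: {PRIV}, "OtherDuty_Hypothetical": {PRIV}},
    "roles": {
        "BOMProductDesigner": {DUTY},
        "OtherRole_Hypothetical": {"OtherDuty_Hypothetical"},
    },
}

def roles_reaching(model, entry_point):
    """Map each role to the (duty, privilege) paths that grant entry_point."""
    paths = {}
    for role, duties in model["roles"].items():
        for duty in sorted(duties):
            for priv in sorted(model["duties"][duty]):
                if entry_point in model["privileges"][priv]:
                    paths.setdefault(role, []).append((duty, priv))
    return paths

def edit_in_place(model):
    """Remove the entry point from the shared out-of-the-box privilege."""
    m = deepcopy(model)
    m["privileges"][PRIV].discard(ENTRY)
    return m

def duplicate_chain(model):
    """Follow the post: copy privilege, duty and role, and edit only the copies."""
    m = deepcopy(model)
    new_priv = "SSI_" + PRIV + "_PD"
    new_duty = "SSI_" + DUTY + "_PD"
    m["privileges"][new_priv] = m["privileges"][PRIV] - {ENTRY}
    m["duties"][new_duty] = (m["duties"][DUTY] - {PRIV}) | {new_priv}
    m["roles"]["SSI_BOMProductDesigner"] = (m["roles"]["BOMProductDesigner"] - {DUTY}) | {new_duty}
    return m

if __name__ == "__main__":
    for name, m in (("original", MODEL), ("edit in place", edit_in_place(MODEL)),
                    ("duplicate chain", duplicate_chain(MODEL))):
        print(name, "->", sorted(roles_reaching(m, ENTRY)))
```

Editing the shared privilege in place removes the entry point from every role that reaches it through any duty, while the duplicated chain leaves the original roles unchanged and only the new SSI_BOMProductDesigner role loses the button.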