Security – Part 3 – Security development Tool – Recording

Microsoft introduced a security development tool which helps the user create/identify the required entry points to build a security role within AX.

In this blog I have written a quick walkthrough guide to using the security development tool. Note that in order to use this walkthrough effectively I would suggest reading this.

Firstly you will need to install the security development tool; details on this can be found here:

http://technet.microsoft.com/en-us/library/hh859727.aspx

Once installed, follow these steps to create a simple Duty which will allow a user to view the inquiry ‘On-hand’ (Stock and warehouse management > Inquiries > On-hand).

Setup

To start with we will create ourselves a new Duty for this demo and call it ‘Demo_1’:

  1. Open the AOT (Ctrl+D)
  2. Navigate to Security > Duties
  3. Right click on the ‘Duties’ node and select New Duty
  4. Name the duty ‘Demo_1’ (remember to change the name and the label in the properties pane)

Now to start using the security tool:

  1. Open the security development tool: System administration > Setup > Security > Security entry point permissions
  2. Click the Start recording button
  3. Now carry out your operation. In our case it is Stock and warehouse management > Inquiries > On-hand; I will also navigate to the dimension display button and save a change there.
  4. Open the Security entry point permissions window and click Stop recording
  5. This should return the entry points that were recorded.
  6. Now select the type ‘Duty’ and enter the name ‘Demo_01’
  7. Tab away from this field; this should bring up a loading bar (don’t worry, you will not lose your recording)
  8. Select both of the entry points, then right click and select Set entry point permission
  9. Amend these records to have ‘Full control’: highlight the two records, amend the access level using the Bulk update and click Apply
  10. Click Next
  11. Now we need to add a privilege to the duty (this will contain the entry points identified). To do this right click the Duty and click New privilege
  12. Enter the privilege information then click OK
  13. Next we will attach the entry points to the privilege: right click the newly created privilege and select Apply entry point access level to selection
  14. The privilege should now contain the selected entry points.
  15. Closing the screen will make the appropriate updates.

To test this newly created duty you can use the ‘Open the security test workspace’ function or you can apply the new duty to a user and observe the change. For this example I will use the test workspace.

  1. Click Open the security test workspace and click Yes to the info log.
  2. This will open a new workspace
  3. Navigate to Stock and warehouse management > Inquiries > On-hand
  4. Check that the appropriate functions have been made available.

 

KNOWN ISSUES: 

So this product is great and it is really helpful, but it is not 100% accurate: you will probably hit about 90% of the entry points that you need (a good starting point). Some of the areas I’ve had trouble with include (I will add more when I remember / come across them):

  • Query screens – E.g. the normal on-hand stock form doesn’t register the query form at the start.

Warehouse – check list

I’ve put this post together to help people create a warehouse and potentially find the areas where they’ve missed something. PLEASE NOTE THIS IS A WORK IN PROGRESS

Site

Firstly you will need to create a site to manage your items.

To create your site navigate to: Inventory and warehouse management > Setup > Inventory breakdown > Site

Create a new site and attach an address.

Warehouse / Locations

Next you will need to create your warehouses. You will need to create 3 warehouses: 1 default warehouse, 1 quarantine warehouse and 1 transit warehouse.

To do this follow these instructions:

  1. Navigate to Inventory and warehouse management > Setup > Inventory breakdown > Warehouse
  2. First create the quarantine and transit warehouses: create two warehouses and select the appropriate warehouse Types within the General tab.
  3. Next create the general warehouse with the transit and quarantine warehouses selected.
  4. Next select the location names within your warehouse. A basic warehouse should have Aisles and Racks.
  5. Next you will need to set up the locations within the warehouse: click Functions > Location wizard
  6. Follow the steps within the location wizard, making sure you take care with locations and how you set the physical dimensions. Make sure these locations are large enough not to cause issues when putting pallets away. Note that if AX comes across this issue at put away, the error is not a helpful one!
  7. Make sure you review the Store areas/Store zones
  8. Once you’ve finished creating the locations, navigate back to your default warehouse and, within the tab Warehouse management, set up the default receipt and issue location.
  9. Close and save your settings

Store Areas / Zones

If you would like to create your own store zones/areas follow these instructions:

  1. Firstly you will need to create a Store area.
  2. Navigate to Inventory and warehouse management > Setup > Inventory breakdown > Store areas
  3. Create 2 new Store areas.
  4. Next you will need to create a Store zone
  5. Navigate to Inventory and warehouse management > Setup > Inventory breakdown > Store zones
  6. Create a new store zone and select the input area created above.
  7. Next you will need to update all locations within your warehouse to be within the appropriate areas.
  8. Navigate to Inventory and warehouse management > Setup > Inventory breakdown > Warehouse
  9. Select your warehouse and click Functions > Update Store areas
  10. Follow the wizard and select the appropriate store areas for your locations.
  11. Finish and save your changes.

Item setup

Create an item to be Site/Warehouse/Location/Pallet controlled.

  1. First navigate to Product information > Common > Released product
  2. Create the item with the following settings selected:

     Item group                  | Audio
     Item model group            | FIFO
     Storage dimension group     | Site-warehouse-Location-Pallet
     Tracking dimension group    | None
     Item sales tax group        | All
     Item sales tax group        | All
     Pallet type                 | 42”x42”
     Pallet quantity             | 10
     Min. Output pallet quantity | 1

  3. Set up the warehouse item information by clicking Released products > Manage inventory > Warehouse > Warehouse items
  4. Create a new line for the warehouse created above.
  5. Select the tab Locations and fill in the information:

     Store zone               | [Use store zone created above]
     Default receipt location | In_01
     Default issue location   | Out_01
     Picking location         | 01-01

  6. Close and save your changes.

AX 2012 – EP Procurement Catalogues

Overview

Within the enterprise portal AX offers functionality for employees to order products via a product catalogue which is maintained from within AX. Below I will discuss the two elements:

  •          Setting up the catalogues
  •          Purchasing products using the Employee self-service

Setup

Creating a Procurement hierarchy

Category hierarchies are used to classify products and can be used for reporting and analysis. Each category hierarchy consists of a structure of categories. An organization can create more than one category hierarchy but only one procurement category hierarchy can be active.

  1. Select Product information management > Setup > Categories > Category hierarchies
  2. Create a new hierarchy by clicking Category hierarchy in the New group in the ribbon bar.
  3. Enter a Name and Description for the category hierarchy, and then click Create.
  4. The Category hierarchy form will open. Use the Edit button to modify the new hierarchy and add new categories.
  5. Click Close when you are finished.

 

Attaching products

You can use the Procurement category form to assign vendors, products and attributes to categories in the procurement category hierarchy. You can set these characteristics at a parent category level and then require subcategories to inherit all characteristics from the parent category. You can also manage the settings for each subcategory individually.

  1. Click Procurement and sourcing > Setup > Categories > Procurement categories.
  2. Select the node that you want in the procurement category hierarchy on the left to add products to, and then click the Products tab.
  3. Click Add on the Action Pane strip.
  4. In the Add products form, in the upper grid, select the check box next to each product that you want and then click Select -> to move the selected product to the lower grid.
  5. When you are finished selecting products, click OK.

Attaching Vendors

  1. Click Procurement and sourcing > Setup > Categories > Procurement categories.
  2. Select the node that you want in the procurement category hierarchy on the left to add vendors to, and then click the Vendors tab.
  3. Click Add on the Action Pane strip.
  4. In the Add Vendors form, in the upper grid, select the check box next to each vendor that you want and then click Select -> to move the selected vendor to the lower grid.
  5. When you are finished selecting vendors, click OK.

Setting the Procurement hierarchy

When you first enter a standard Contoso AX 2012 system a procurement hierarchy will already be selected. You will need to delete this setup in order to activate your procurement hierarchy. To do this follow these steps:

  1. Click Product information > Setup > Categories > Categories hierarchy type
  2. Select the current Procurement hierarchy and click the Delete button.
  3. Now add in your Procurement hierarchy by clicking New and filling in the following:
     • Category hierarchy type – Procurement category hierarchy
     • Category hierarchy – “select your hierarchy”
  4. Close the form.

 

Creating a catalogue

Procurement catalogues can be created either manually or by using the procurement catalogue as a template. Once you have created and published a catalogue you will be able to generate purchase requisitions from the employee self-service EP site.

Creating the procurement catalogue

To create a procurement catalogue follow these steps:

  1. Click Area Page node: Procurement and sourcing > Common > Catalogs > Procurement catalogs
  2. Click the Catalog > New > Catalog button
  3. Change Name from ‘’ to ‘TEST’. If you would like to inherit the procurement hierarchy as a template, select the tick box ‘Populate catalog using procurement category hierarchy’
  4. Click the OK button
  5. If you would like to create additional categories click the New child button
  6. Once you are happy with your procurement catalogue you will need to save and activate that catalogue. To do this click Activate catalog
    NOTE – This will not set this catalogue as the current procurement catalogue. This is controlled by procurement policies.
  7. To continue setting up the catalogue navigate to Procurement and sourcing > Setup > Policies > Purchasing policies
  8. Select the purchasing policy you have active for that legal entity
  9. Open the fast tab Policy rules
  10. Create a new policy for Catalog policy rule
  11. Select the procurement catalog created before, select an active from and to date and click OK.
  12. Navigate back to your catalog: Procurement and sourcing > Catalogs > Procurement catalogs
  13. Click Publish catalog
  14. If you have products attached to your catalog you will also need to ‘synchronise’ this: click Product information > Periodic > Commerce Service > Synchronize products and run this batch job.
  15. Your procurement site should now be ready to use.

Fields of interest:

  1. If you would like the procurement catalogue to update the enterprise portal automatically, or only when the publish catalogue function is selected, you will need to set that category to be static or dynamic:
     • Static – requires the user to click ‘Publish catalogue’
     • Dynamic – will automatically update changes to the EP.
  2. If you would like to change the name of a category that you set up in the procurement hierarchy you can do so by un-ticking the field ‘Map text’ and updating it appropriately.
  3. Product images – Product images can be transferred to the ESS; make sure you run the Synchronize products batch job.

Employee self-service – Order products

Enterprise portal users are able to raise purchase requisitions using the order product functionality on AX. To do this follow the instructions below.

Pre-requisite

  • Worker associated with your user
  • Access to the employee self-service EP
  • Catalogs above have been setup

Ordering a product

  1. Open the Employee self-service portal
  2. Click Order products
  3. The catalog set up previously can be found in the lower left hand pane.
  4. After selecting one of the categories with products set up against it, you will be able to order an item by clicking the Trolley symbol or clicking on the Item number
  5. Once you’ve selected the items you would like to order, click either the shopping cart in the ribbon or select My shopping cart from the left hand pane
  6. Once you are happy with the order you can order this shopping cart by clicking Order
  7. From here follow the instructions. This will then raise a purchase requisition in the background.

Excel add-ins

In this blog I’m going to run through the functionality available in the ‘Excel Add-ins’ tool. For this example I will be updating an existing Customer group and I will also create a new customer group.

Finding the connection details for your system: 

  1. Open AX and navigate to System administration > Setup > Services and Application Integration Framework > Inbound ports
  2. Click the port name AifServices 
  3. The port details should be in the WSDL URL.

Using Excel Add-in

  1. Open Excel
  2. Select the tab Dynamics AX
  3. Click Configure > Options
  4. Enter the appropriate information (identified above) then click Connect and OK
  5. Click Design > Add Data > Add Table
  6. In this example I’m going to be using CustGroup. Find CustGroup within the Available tables and move this table across to the Selected tables using the > button
  7. Click OK
  8. Select the fields you would like to import/amend in the Field chooser (this is done by double clicking the fields required; in this example I’m using all the fields)
  9. Next close the field chooser pane
  10. This should reveal the Refresh button; clicking this will bring through the current AX records in that table.
  11. Create a new record by adding a new line to the bottom of the table and amend another record that already exists in the table.
  12. This should bring up a new tab called Dynamics AX Status. This tab should detail the publishing of two records (the new record and the update of the record that existed)
  13. Within AX open the table you have modified and confirm that this information has been amended and imported.

Security – Part 2

Data security policies

Prerequisite – Please note to work through this lab you will need to have Admin rights to the system and have basic AOT navigation skills.

Microsoft have introduced an alternative to the ‘Record level security’ used in AX 2009 which caused huge performance issues. This alternative is known as ‘XDS’ (Extensible Data Security).

The concept is extremely simple and it doesn’t take long to set up an XDS query of your own. In this blog I will start by explaining the ‘concept’ behind XDS, after which I will run through a simple lab.

Note – Microsoft have made extensive notes on this feature. Please find the links at the bottom of this page.

Concept

“XDS limits a specific Role to only see a specific set of data within an AX table”  

Above I’ve attempted to summarise in one line the primary function of XDS. In essence the XDS security policy will apply a permanent filter onto a specific table within AX. To understand this better I will work through a simple business requirement.

Company A have two manufacturing sites (Site 1 and 2). They require the Production managers (Worker Z, Worker Y and Worker X) to see specific sets of data.

Worker | Site 1 | Site 2
Z      | Yes    |
Y      |        | Yes
X      | Yes    | Yes

The table above shows that the workers share the same AX security roles (the ability to access the same forms and perform the same tasks); however, they should only be able to see the data from their respective sites.

Requirement gathering for XDS

The first step in setting up an XDS policy is simply to identify the table you would like to apply a filter to, the field you are filtering on and the variants of this filter. So working through this for the scenario above you would end up with:

  • Table to be filtered? Production order table
  • Field you would like to filter on? Site
  • Variants required? 1 and 2

Next we will need to identify the Primary table and the Constrained tables. These have been defined below:

Constrained table – The constrained table acts as the table you desire the filter to appear upon (Note – There can be multiple constrained tables as long as the primary table and the filtered field can be seen in that constrained table).

Primary table – The primary table can typically be defined as the table holding the field used to filter the constrained table.

In order to identify which tables meet the above definitions navigate to the table you desire to filter upon and identify the appropriate table relationships. Below I have worked through the example of filtering the production order table down by site. This should help you to apply the same logic to your desired business scenario.

  1. Open Production control > Common > Production orders > All production orders.
  2. Make sure you have the field Site displayed; to do this click View > Dimensions
  3. Select Site and save the changes
  4. Firstly we will identify the Constrained table: right click on the field ‘Production order number’ and click ‘Personalize’ in the menu
  5. Within the Personalization screen identify the table used
  6. Next we will need to identify the primary table and field, in our case the field ‘Site’
  7. Right click the field ‘Site’ and select ‘Personalize’
  8. Within the Personalization screen identify the table and field used
  9. This information has been summarised below:

                                     | Primary table | Filtered field | Applied filter | Constrained table
    XDS – Production orders – Site 1 | InventDim     | InventSiteID   | =”1″           | ProdTable
    XDS – Production orders – Site 2 | InventDim     | InventSiteID   | =”2″           | ProdTable

  10. If you can create an advanced query to represent your desired outcome you will also be able to create this using XDS. It will also help you understand how the relationships work.

Pre-XDS setup

Prior to setting up the XDS policy you will also need to create a new Role within AX. This will generate less maintenance than applying the XDS directly to an existing security role. If you were to apply the XDS security policy directly to the production manager security role, you would need to create two production manager security roles and therefore maintain two roles rather than one security role with an additional XDS role on top of it. Instead I would suggest that you create three new security roles called ‘XDS_Site_1’, ‘XDS_Site_1_2’ and ‘XDS_Site_2’.

To do this follow these steps:

  1. Open the AOT (Ctrl+D)
  2. Navigate to Security > Roles
  3. Right click on the ‘Roles’ node and select New Role
  4. Name the roles appropriately (remember to change the name and the label)

Setting up XDS

In this next section we will run through the steps you would need to take in order to create the XDS policy.

  1. The first thing you will need to do when creating an XDS policy will be to create a project within the AOT. This will help to keep your work together and simplifies the deployment of code too.
  2. Open the AOT (Ctrl + D)
  3. Open the projects screen (Ctrl+Shift+P)
  4. Right click the ‘Shared’ folder and select New > Project
  5. Select an appropriate name for the project (XDS_PRODUCTION_ORDERS_SITE_1)
  6. Right click and Open the project

Now we have created a suitable work space to create our policy we will now need to build the query that we would like to run. This should mirror the query set-up in step 10 above.

  1. Right click your project and click New > Query
  2. I find it helpful at this point to also name the query; to do this right click the query and select ‘Rename’ (XDS_InventDim_SITE_1)
  3. Next we need to define the primary table
  4. Expand the query, right click the ‘Data source’ node and select New Data Source
  5. This will create a new node called ‘INVALID TABLE_#’
  6. Selecting this node should bring up a properties pane on the right hand side of the development screen
  7. In the properties screen first select an appropriate name and then specify the table you would like to filter on.
  8. We have now selected the primary table but we still need to define the ‘Range’ (Criteria) for the filter.
  9. Expand the data source you created, right click on the ‘Ranges’ node and select New Range.
  10. Again using the Properties screen amend the following fields:

      Name  | XDS_Site_1
      Field | InventSiteId
      Value | =”1”

  11. Next select the Fields node and again in the properties amend the property ‘Dynamic’ to ‘Yes’.

Now we have set the query up we need to setup the XDS policy to apply the query to the constrained tables and relate to a specific AX role.

  1. Right click the main project ‘XDS_Production_Orders_Site_1’ and then click New > Security > Security Policy
  2. Select the ‘SecurityPolicy1’ node and modify the properties to be:

     Property         | Value
     Name             | XDS_Production_Site_1
     Label            | Restrict Production orders to site 1
     PrimaryTable     | InventDim
     Query            | XDS_InventDim_Site_1
     PolicyGroup      | Production
     ConstrainedTable | Yes
     Enabled          | Yes
     Operation        | All operations
     Context Type     | RoleName
     Role Name        | XDS_Site_1 (setup in step 14)

  3. Next we need to define the constrained table. Expand the security policy node to reveal the ‘Constrained table’ node, right click this node and select New > Add table by relation
  4. Within the properties set the following values:

     Property          | Value
     Constrained Table | Yes
     Table             | ProdTable
     Table Relation    | InventDim

  5. We have now set up our XDS policy. Remember to COMPILE THE WHOLE PROJECT! To do this right click the project and click ‘Compile’; this should then remove the red line next to the project. (If it doesn’t, try closing the window and navigating to it again)

Now we have successfully created the XDS security policy we will need to test that it works. To do this you will need a test user account (Don’t apply it to your user as you will then not be able to change yourself back to admin!)

  1. Open System administration > Common > Users > Users
  2. Select the test user you would like to apply the policy to
  3. Select Assign roles and select the roles Production manager and XDS_Site_1
  4. Close your AX application and open it again as a different user; to do this hold down ‘Shift’, right click the AX application and select ‘Run as different user’
  5. Navigate to the appropriate area and test that the filter has been applied.

Summary

To recap on our original requirements, we had 3 users Z, Y and X with the following requirements:

Worker | Site 1 | Site 2
Z      | Yes    |
Y      |        | Yes
X      | Yes    | Yes

To achieve the requirements of Z and Y you would need to create two policies as we did in the example above. However, it should be noted that you CANNOT STACK XDS policies. By this I mean that if you wanted user X to see sites 1 and 2 but not site 3, you should not apply both of the policies created above, as they will cancel each other out and you will end up with no data displaying. Instead you would need to create a new policy with a query such as =”1”,”2” in a new XDS security role.
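The filtering and stacking behaviour described above can be modelled with a small in-memory database. This is an added example, not code from the original post or from AX: the sample rows and the inventDimId join column are assumptions, and several policies are combined with AND as the post describes.

```python
import sqlite3

# Table and field names (ProdTable, InventDim, InventSiteId) come from the
# walkthrough; the rows and the inventDimId join column are constructed.
SCHEMA = """
CREATE TABLE InventDim (inventDimId TEXT PRIMARY KEY, InventSiteId TEXT);
CREATE TABLE ProdTable (ProdId TEXT PRIMARY KEY, inventDimId TEXT);
INSERT INTO InventDim VALUES ('D1', '1'), ('D2', '2'), ('D3', '3');
INSERT INTO ProdTable VALUES
    ('P-001', 'D1'), ('P-002', 'D2'), ('P-003', 'D1'), ('P-004', 'D3');
"""

# XDS role -> site values allowed by the range on its policy query.
POLICIES = {
    "XDS_Site_1": ["1"],
    "XDS_Site_2": ["2"],
    "XDS_Site_1_2": ["1", "2"],
}


def build_db():
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def visible_orders(conn, roles):
    """Return the ProdIds a user holding `roles` can read.

    Each policy becomes an EXISTS filter joining the constrained table
    (ProdTable) to the primary table (InventDim). Filters from several
    policies are ANDed, which is why two single-site policies return nothing.
    """
    sql = "SELECT ProdId FROM ProdTable p WHERE 1=1"
    params = []
    for role in roles:
        sites = POLICIES.get(role)
        if sites is None:
            continue  # role carries no XDS policy, e.g. 'Production manager'
        marks = ",".join("?" * len(sites))
        sql += (" AND EXISTS (SELECT 1 FROM InventDim d"
                " WHERE d.inventDimId = p.inventDimId"
                f" AND d.InventSiteId IN ({marks}))")
        params.extend(sites)
    sql += " ORDER BY ProdId"
    return [row[0] for row in conn.execute(sql, params)]


def audit_user(conn, roles):
    """Flag assignments that leave a user unfiltered or with no rows at all."""
    if not any(role in POLICIES for role in roles):
        return "unfiltered"
    return "ok" if visible_orders(conn, roles) else "empty"


if __name__ == "__main__":
    db = build_db()
    for assigned in (["Production manager", "XDS_Site_1"],
                     ["Production manager", "XDS_Site_1", "XDS_Site_2"],
                     ["Production manager", "XDS_Site_1_2"],
                     ["Production manager"]):
        print(assigned, visible_orders(db, assigned), audit_user(db, assigned))
```

The last case is the one to watch when reviewing role assignments: a user who holds Production manager without any XDS role sees every site.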

The final outcome should be as follows:

 

AX ROLES | Production manager | XDS_Site_1 | XDS_Site_2 | XDS_Site_3
Worker Z | Yes                | Yes        |            |
Worker Y | Yes                |            | Yes        |
Worker X | Yes                |            |            | Yes

Links:

http://msdn.microsoft.com/en-us/library/hh272123.aspx

Security – Part 1

I’m sure a lot of people will agree that setting up AX and its security is no easy task. Therefore I’ve put together a guide to the information that you need to consider when working with AX 2012 security.

In this first part we will discuss and explain the concept of Role-based security within AX.

1 – Role-based security

At a high level Role-based security works to limit the areas/functions within AX which a user has the ability to access/run.

Essentially think of AX as a long corridor with doors on either side. AX security will dictate which doors the user can open and which actions they can take on the contents of that room (AX – records in a table).

These levels can be defined as follows:

Level        | Definitions
Entry points | Entry points define the individual sections of code access.
Privileges   | Privileges define the first level of grouping of entry points and should be used to define an individual task. Note – The privilege also dictates the level of access available to that privilege. See fig 2.
Duty         | A Duty combines multiple privileges in order to provide a user with the appropriate access to perform a specific process within AX.
Roles        | Roles combine multiple Duties in order to allow a user to perform the multiple processes necessary to perform their specified day job.

Figure 1

AOT Name  | Label        | Description
No Access | No Access    | Does not provide any access to data.
Read      | View         | An end-user can view data.
Update    | Edit         | An end-user can view and edit data.
Create    | Create       | An end-user can view, edit and create new data.
Correct   | Correction   | An end-user can view, edit, create new and correct date-effective record without creating new records.
Delete    | Full control | An end-user can view, edit, create new and delete data.

Figure 2

2 – Example

The way I like to think of this is that Microsoft have put together a ‘Library’ of ‘Duties’ which can then be selected and placed into the appropriate roles. This is best explained using an example, take the example of the Buying agent whose role is defined as ‘Documents purchase events and responds to purchase inquiries’. If we find this role within AX we can see that the user is made up of the following:


Figure 3

We can see that Microsoft have used the concept of building a ‘Library of Duty’, we can see this if we investigate the duty  Inquire into import letter of credit which can also be found in the following roles:

  • Accounting manager
  • Accounts payable manager
  • Accounts payable payments clerk
  • Buying agent
  • Chief financial officer
  • Financial controller
  • Purchasing manager
  • Treasurer
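To make the role > duty > privilege > entry point chain concrete, here is an added example (not code from the original post or from AX) that resolves the effective access level a role ends up with on each entry point. The access levels are those of Figure 2; 'Buying agent', 'Treasurer' and the duty 'Inquire into import letter of credit' are named in the post, every other duty, privilege and entry point name is hypothetical, and the rule that the highest level wins when several privileges cover the same entry point is an assumption of this model.

```python
# Access levels from Figure 2, lowest to highest; each includes the ones before it.
LEVELS = ["No Access", "Read", "Update", "Create", "Correct", "Delete"]

# Constructed sample hierarchy. Names not taken from the post are hypothetical.
ROLES = {  # role -> duties
    "Buying agent": ["Inquire into import letter of credit",
                     "Maintain purchase orders (hypothetical)"],
    "Treasurer": ["Inquire into import letter of credit"],
}
DUTIES = {  # duty -> privileges
    "Inquire into import letter of credit": ["LetterOfCreditView"],
    "Maintain purchase orders (hypothetical)": ["PurchOrderMaintain",
                                                "LetterOfCreditClose"],
}
PRIVILEGES = {  # privilege -> {entry point: access level}
    "LetterOfCreditView": {"LetterOfCreditForm": "Read"},
    "PurchOrderMaintain": {"PurchOrderForm": "Delete"},
    "LetterOfCreditClose": {"LetterOfCreditForm": "Update"},
}


def effective_access(role):
    """Map each entry point a role reaches to (level, duty, privilege).

    Assumption: when several privileges grant the same entry point, the
    highest access level applies. The duty and privilege that supplied the
    winning level are kept so a reviewer can see where it came from.
    """
    best = {}
    for duty in ROLES[role]:
        for privilege in DUTIES[duty]:
            for entry_point, level in PRIVILEGES[privilege].items():
                current = best.get(entry_point)
                if current is None or LEVELS.index(level) > LEVELS.index(current[0]):
                    best[entry_point] = (level, duty, privilege)
    return best


def roles_with_duty(duty):
    """Roles that reuse a given duty from the shared 'library' of duties."""
    return sorted(role for role, duties in ROLES.items() if duty in duties)


def roles_exceeding(entry_point, max_level):
    """Roles whose effective level on entry_point is above max_level."""
    limit = LEVELS.index(max_level)
    findings = []
    for role in sorted(ROLES):
        hit = effective_access(role).get(entry_point)
        if hit and LEVELS.index(hit[0]) > limit:
            findings.append((role, *hit))
    return findings


if __name__ == "__main__":
    print(roles_with_duty("Inquire into import letter of credit"))
    # The inquiry duty alone grants Read; a second duty raises it for one role.
    for finding in roles_exceeding("LetterOfCreditForm", "Read"):
        print(finding)
```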

Useful links:

http://axwonders.blogspot.co.uk/2012/01/microsoft-dynamics-ax-2012-basic.html

http://msdn.microsoft.com/en-us/library/gg731858.aspx

AX 2012 – First blog

I’ve started this blog to try and share some of the experiences I’ve had whilst using AX 2012 and to help with understanding some of the features available.

First a little about me: I started working with AX 2009 when I left University with a degree in Civil engineering, after which I started work as a Graduate Business Consultant (Trade and logistics consultant) for a Microsoft Gold partner.

The main focus areas for this blog will be the following:

  • Logistics (Warehousing and transport)
  • Security
  • Data migration
  • New technologies  (Microsoft tools)