A client in the jewelry retail space was recently faced with the requirement of securing a specific warehouse location’s on-hand inventory for application users in their sales department. In previous versions of AX, this could possibly be achieved using record-level security; however, that feature has been deprecated, and the Extensible Data Security framework was introduced in AX 2012 to implement data-driven security policies. The requirement can be met by creating and configuring a new Security Policy through the AOT. This feature allows an Administrator to create a security policy that restricts or permits certain operations against certain records in a given table or related tables for users assigned to a certain role. The restricted dataset is defined using a Query object.
To demonstrate this, we will use the national demo’s Contoso sandbox and restrict user AarenE from viewing Inventory in Warehouse 11, Location 11 in the USMF company.
Prior to implementing this policy, let’s verify that this user can view inventory in that location while no Security Policy is affecting that user. You can log in to AX as another user by holding left Shift, right-clicking the launch icon and choosing ‘Run as different user’.
Implementing the policy:
This setup does not require an experienced developer; however, some functional knowledge of the on-hand Inventory viewing form and basic experience with AOT objects will be required.
Some technical background on this:
- All live inventory is maintained in the InventSum table. It joins to the InventDim table, which contains dimension information such as warehouse, location, serial number, etc.
- Our main table to restrict the data will be the InventDim table, since this is where the warehouse/location combination resides.
Follow these steps:
- From Projects, create a new Shared Project. Name it ‘RestrictOnHand’ or whatever you like.
- Right-click on the Project and go to New Query.
- Rename the Query ‘Restrict_WH_Location’ or whatever you like. This query name will be specified in the Security Policy AOT object’s properties defined later on.
- Add the InventDim table to the Query and set the Fields node’s Dynamic property to Yes.
- Add 2 ranges, one for InventLocationId and the other for wMSLocationId. In this example, we’re restricting warehouse 11 and location 11 so set the Value property on both Ranges to 11.
- Save and compile the query.
- Right-click on the Project node and go to New -> Security -> Security Policy.
- Name it ‘Restrict_WH_Location’ or whatever you like.
- Set up the Properties as shown below. In this example, users assigned to the TradeSalesClerk Role will be restricted from viewing on-hand inventory in Warehouse 11 – Location 11.
- Right-click on the Constrained Tables node and add the InventSum table as shown above.
- Users who are assigned to TradeSalesClerk or whichever Role is specified in the RoleName property will be impacted by the policy restriction. Note: any users assigned to this role and also the System Administrator Role will not be affected by the Policy restriction.
- Save and compile the new Security Policy.
- Close AX, and log back in as Admin.
- Go to System Administration -> Users.
- Look up user AarenE and assign the Role TradeSalesClerk to the user. Note: this user will need other Roles to allow viewing of the on-hand inventory form.
- Close out of AX and log back in as AarenE.
- After restarting their AX client, we can see the Security Policy is in effect for user AarenE.
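To give the before/after check a baseline, the query below is an added example (not part of the original article) that lists the open on-hand rows per warehouse/location in USMF directly from the AX business database, so you know what the on-hand form should and should not show for AarenE. It assumes the standard AX 2012 SQL table and column names and a single data partition; it reads the database directly, and because security policies are enforced by the AOS rather than in SQL Server, its results are not filtered by the policy.

```sql
-- Added example: ground truth for testing the Restrict_WH_Location policy.
-- Run in SQL Server Management Studio against the AX business database
-- (the database name is environment-specific, so none is given here).
-- Assumption: single partition. On AX 2012 R2 or later with several
-- partitions, also join and filter on the PARTITION column.
SELECT
    d.INVENTLOCATIONID    AS Warehouse,
    d.WMSLOCATIONID       AS Location,
    COUNT(*)              AS OnHandRows,
    SUM(s.PHYSICALINVENT) AS PhysicalQty,
    -- Flag the warehouse/location pair used in the policy query's two ranges
    CASE WHEN d.INVENTLOCATIONID = '11' AND d.WMSLOCATIONID = '11'
         THEN 'matches Restrict_WH_Location ranges'
         ELSE ''
    END                   AS PolicyRange
FROM INVENTSUM AS s
JOIN INVENTDIM AS d
  ON d.INVENTDIMID = s.INVENTDIMID      -- same join the on-hand form relies on
 AND d.DATAAREAID  = s.DATAAREAID
WHERE s.DATAAREAID = 'usmf'             -- company used in this walkthrough
  AND s.CLOSED = 0                      -- ignore closed on-hand records
GROUP BY d.INVENTLOCATIONID, d.WMSLOCATIONID
ORDER BY PolicyRange DESC, Warehouse, Location;
```

Compare the flagged row with what AarenE sees in the on-hand form before and after the policy is compiled. The same comparison also shows why direct database or reporting access for sales users has to be controlled separately from the policy.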
By: Jaffer Hussein