The AX 2012 Security Development Tool is created by Microsoft and provides additional functionality helping you to create and maintain security artifact like Roles, Duties and Privileges. I have used the tool since the release and noticed some very good features and also some features which could cause unwanted scenarios. To help you get the most out of this tool and use it in a proper way, I decided to write a series of blogs on this feature. This first post will tell you about the configuration of the menu-items which will start the Security Development Tool and also how to fix the view on User License Type to show the correct CAL type.
What is the AX 2012 Security Development Tool?
As mentioned in the introduction AX 2012 Security Development Tool provides additional features to support you on:
- Simplify the creation and maintenance of security artifacts such as Roles, Duties and Privileges
- Creation of new security artifacts on the basis of access through various entry points
- Ability to test newly created or modified security Role without using a different test account
- Ability to record business process flows and identify the entry points used, to speed up development of security artifacts
- Ability to view effective named user license values at different security artifact levels
The full description and also useful links to downloads and user manual can be found on a blog from the Dynamics AX Server Team.
Tip: Complete setup by creating menu items
Initially when you have downloaded and installed the tool, you don’t see any changes and it looks like nothing is installed. If you look in the Development workspace (AOT), you can find new objects. There is a project called “SecurityDevelopmentTool” containing all related objects.
If you browse all objects, you also will find two menu items. These are not linked in any menu. As mentioned in the user guide, you can run the class SysSecEntryPointManagerSetup to link the menu items to standard AX menus. Right click on the class and select the menu option Open to perform this task. As a result these can be found in the System administration menu and also the context menu in the AOT.
Tip: How to view the correct CAL license type for menu items and roles
When you have opened the Security Development Tool form, there is a button called Load additional metadata. If you click this button, new properties are added on the grid. One of the columns is called Effective user license type. Within this field it is possible to analyze which menu items are causing a certain CAL license type for the particular role. You can sort or filter on this field to find the data you are looking for. If you change an existing role, it might be possible that a Functional role will become an Enterprise role due to menu items exists in a certain privilege. This might affect your current license and probably unwanted license upgrade costs are involved. For this purpose also a field called Current user license type is added above the tree.
Note that in AX 2012 R2 and R3 the Current user license type is showing incorrect values. The license type Server Users is a type added since the R2 release. It is introduced to have an indication which menu items are part of the Server license and does not have impact on the license types. This field should show only the values Enterprise, Functional, Task and Self-serve. These are taking care of the number of CAL counts. Due to a new value in an enumeration this Server Users value has priority over the needed values. To fix this, you have to change the x++ logic in two methods on the form SysSecEntryPoinManager:
The line with the next code should be changed from:
if(SysSecEntryPointTmp.EffectiveUserLicense > maxLicenseType)
if(SysSecEntryPointTmp.EffectiveUserLicense > maxLicenseType && SysSecEntryPointTmp.EffectiveUserLicense != UserLicenseType::Server)
You have to do this is both methods UpdateLicenseTypes and LoadAdditionalMetadata. Then the system will show the correct CAL license type after this change:
Tip: Test combination of multiple roles
If you want to grant more than one role to a single person, you can test it using the Security Development Tool. A while ago I wrote already a blog to explain this. Read the tip in this post: AX2012 – Testing combination of multiple roles.
I do hope you liked this post and will add value for you in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.
That’s all for now. Till next time!
The link was broken for “AX2012 – Testing combination of multiple roles”.
So update the latest one.
Thanks for reporting the broken link. It has been corrected.
I changed the code on both methods and I still get None as the Licence
I’m using AX 2012 R3 Kernel 6.3.4000.127
Can you check if the CIL compilation completed without issues? The code suggestion was to solve an issue related to showing ‘Server users’. You are mentioning ‘None’ as license type. What role or menu item are you referring to?
Thanks Andre, I ran the CIL again and it worked this time
Can I create a role that causes a user to not be able to view a record according to the value of a field?
For example, for my specific case, I want a user not to see the vendors but depending on their vendor group, that they can see the vendors of the vendor group “X1” but can not access the vendor group “X2”. Can this be done?
This is possible using eXtensible Data Security. The Security Development Tool is not helping you for this requirement. You can visit the Dynamics Community site (link provided in my blog) and search for similar questions and answers how to achieve it.
I installed the tool but not able to get Project “SecurityDevelopmentTool” under project area. I checked Objects also not presented in AOT.
I am using AX 2012 R3 CU11.
When you cannot see any object related to the tool, the installation of the objects failed or you imported another model with objects. Please review if the correct model was imported and if the import was successful or stopped with an error.
Hi André, Thanks for your documentation and tips — superb!
Any way to know which user is considered as Enterprise and which one as Functional.
Hello good day, I’m doing some tests in security roles, and I need to hide some menus for some users.
Has anyone done something similar to this before, who can advise me?
You can hide menu items, but not a menu. A menu will only be hidden automatically once all menu items are not part of the security role. In some cases this is hard to achieve as e.g. the All sales orders menu item is part of two menus. If you then need to have this menu item available in the Sales menu, but the Accounts Receivable menu hidden, this is not possible. When those menu entries are two different menu items, you can achieve it.
Hola amigos, intento descargar la herramienta ‘Security Development Tool para AX 2012 R3’ desde Lifecycle Services, pero no la encuentro, me podrian indicar si esta dentro de un paquete o lugar, gracias.
English translation: “Hello friends, I try to download the tool ‘Security Development Tool for AX 2012 R3’ from Lifecycle Services, but I can not find it, could you tell me if it is inside a package or place, thanks.”
Initially, your comment was considered as spam as it was not in English. The tool is available on the Downloadable tools section in LCS.