After four posts about the Security Development Tool, I still have some tips to share. This time I will explain how to build a role using the least effort principle. In addition, I will explain how to find menu items that are not directly accessible from the menu but are available on forms. I will also write about the usage of Assign organizations in the Security Development Tool.
Tip: Build using least effort principle
When it comes to authorization, it is usually best practice to give each role or user the least possible privileges. This minimizes the risk of wrong use of the system, fraud, or exposure of confidential information. However, to reach the least possible privileges you will have to create a lot of new privileges and duties for fine-tuning. This takes a lot of time, and the implementation costs will be higher. If you look at the risk involved when some reports or forms are available through which the user cannot cripple the system, we can consider it no or low risk. Granting a standard duty for, e.g., maintaining vendor master data also includes some other forms, like contact persons, and reports. If printing a report is not required but carries no risk either, it is easier to use the standard duties or privileges and thus leave the report available for this user. Besides, I personally like to have the contacts form available within this duty, so I don't have to bother too much with looping through all possible menu items.

Now back to the system, to find the easiest way to add complete duties or privileges. The Security Development Tool offers a way to quickly find related duties and privileges and add them to the role. This is one of the features of this tool I like most. I will explain how. First we need to open the Security Development Tool form. For this blog I created an empty Demo role to start with. I would like to add full access to all journal forms in Microsoft Dynamics AX 2012.
When we go to, e.g., the General Journal, we can right-click and choose the menu option Reference duty.
This opens a form listing all duties available for this menu item. Note that it also shows duties which are not linked to any security role. When you look up the related security objects from the AOT, duties or privileges that are not attached to a role are not shown, so this tool is an enhancement over the AOT option.
You can review all duties and decide which one to take. In this example I will take the selected record. Click the button Add to role and the role will be updated with the duty. Note that refreshing the menu items with the new valid access levels will take some time. When AX has performed this task, you can see in the next picture that it has granted access to all menu items (permissions) which were part of the duty.
You will also notice that menu items in other menus are activated by this single action. So by adding available duties you can build up a role very easily and relatively fast. You can do the same with privileges. A privilege mostly contains only a few menu items. Note that when assigning privileges directly, the Segregation of Duties functionality will not be triggered, as it only works with duties. So as a best practice you have to use duties as much as possible. When you need to disable some menu items, have a look at the tip Duplicate duties and privileges, which was described in part 2.
Tip: Discover submenu items
When you want to change the permissions on menu items which are not available in a menu but on a form, you can use the function Discover submenu items from the context menu opened with the right mouse button.
This function builds a list of the menu items used on the form and also shows the current access level for each menu item. As with the menu items in the main menu, you can start changing the role by discovering duties or setting entry point permissions. You can even repeat the discovery of menu items to drill down to the next level of menu items related to that form.
Tip: Assign organizations when testing a role
When you want to know whether a role will work correctly when it is limited to some legal entities, you can Assign organizations in the Security Development Tool, just as you can when you assign users to roles. This assignment is used when you open a security test workspace.
You can click the button Assign organizations and assign one or more organizations to this role. In my example there is no assignment to the standard demonstration company USMF. There is only access for this role to two Consulting companies.
Once you have assigned the organizations, you can open the security test workspace. The first thing you will notice is that in the company USMF there are no menus available, with the Home menu as the exception. So for the USMF legal entity this is correct.
When you change the legal entity to, e.g., USSI, which was assigned, the menus and menu items related to the role are available and you can start testing the role. Note that the System user role is also assigned to the security test workspace next to the selected role.
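To make the three mechanisms above concrete (a duty bringing all of its entry points into a role at once, the Segregation of Duties check reacting only to duties and not to directly added privileges, and organization assignment deciding which legal entities the role is visible in), here is an added Python model written for this post. It is not AX code and not part of the Security Development Tool; the duty, privilege and menu item names, the access-level ordering and the SoD rule are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Access levels ordered from weakest to strongest (constructed ordering for comparison).
ACCESS_LEVELS = ["NoAccess", "Read", "Update", "Create", "Correct", "Delete", "Full"]


def access_rank(level: str) -> int:
    return ACCESS_LEVELS.index(level)


@dataclass
class Privilege:
    name: str
    entry_points: dict  # menu item (entry point) -> access level


@dataclass
class Duty:
    name: str
    privileges: list


@dataclass
class Role:
    name: str
    duties: list = field(default_factory=list)
    privileges: list = field(default_factory=list)   # privileges added directly, bypassing duties
    organizations: Optional[set] = None               # None = role applies in every legal entity


def add_duty(role: Role, duty: Duty) -> None:
    """Least-effort step: one duty brings every entry point of every privilege it contains."""
    if duty not in role.duties:
        role.duties.append(duty)


def effective_access(role: Role) -> dict:
    """Entry points granted through duties and direct privileges; the highest level wins."""
    granted = {}
    all_privs = role.privileges + [p for d in role.duties for p in d.privileges]
    for priv in all_privs:
        for item, level in priv.entry_points.items():
            if item not in granted or access_rank(level) > access_rank(granted[item]):
                granted[item] = level
    return granted


def sod_conflicts(role: Role, rules: list) -> list:
    """SoD rules are pairs of duty names; both duties must be on the role to conflict.
    Privileges added directly never match a rule, which is why the post recommends duties."""
    names = {d.name for d in role.duties}
    return [(a, b) for a, b in rules if a in names and b in names]


def visible_access(roles: list, company: str) -> dict:
    """What a test user sees in one legal entity: only roles assigned to that organization count."""
    merged = {}
    for role in roles:
        if role.organizations is None or company in role.organizations:
            for item, level in effective_access(role).items():
                if item not in merged or access_rank(level) > access_rank(merged[item]):
                    merged[item] = level
    return merged


# Constructed sample data; these are illustrative names, not AX's real duty/privilege identifiers.
VEND_MAINTAIN = Privilege("VendTableMaintain",
                          {"VendTable": "Full", "smmContactPerson": "Full", "VendReport": "Read"})
VEND_PAY = Privilege("LedgerJournalPaymentMaintain", {"LedgerJournalTable": "Full"})
DUTY_VENDOR_MASTER = Duty("VendMasterMaintain", [VEND_MAINTAIN])
DUTY_VENDOR_PAYMENTS = Duty("VendPaymentsMaintain", [VEND_PAY])
SOD_RULES = [("VendMasterMaintain", "VendPaymentsMaintain")]

# The System user role is always present in the test workspace and is not limited to organizations.
SYSTEM_USER = Role("SystemUser", privileges=[Privilege("HomeMenu", {"Home": "Read"})])


def build_demo_role() -> Role:
    """Empty Demo role limited to two consulting companies, then one duty added via 'Add to role'."""
    demo = Role("Demo", organizations={"USSI", "USWest"})
    add_duty(demo, DUTY_VENDOR_MASTER)
    return demo


if __name__ == "__main__":
    demo = build_demo_role()
    print("Effective access:", effective_access(demo))
    add_duty(demo, DUTY_VENDOR_PAYMENTS)
    print("SoD conflicts:", sod_conflicts(demo, SOD_RULES))
    print("USMF:", visible_access([SYSTEM_USER, demo], "USMF"))
    print("USSI:", visible_access([SYSTEM_USER, demo], "USSI"))
```

Adding the vendor master duty grants the contact person form in another menu in the same step, exactly the "other menus are activated" effect described above. Adding the payment privilege directly instead of its duty gives the same entry points but leaves `sod_conflicts` empty, which is the reason to prefer duties. In USMF only the System user role contributes entry points (the Home menu), while in USSI the Demo role's entry points appear.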
One more tip to come…
I do have one more topic to share about the Security Development Tool. It looks like I have already covered all features, but there is one undocumented feature we found a while ago. In fact it has no direct relation to security… It is a surprise for developers and nice to know for consultants. Curious? Check out my next blog!
I do hope you liked this post and that it will add value to your daily work as a professional. If you have related questions or feedback, don't hesitate to use the Comment feature below.
That’s all for now. Till next time!