Over the last few months, I spent a lot of time on speaker sessions for the Summit EMEA, an MVP Monday webcast and an upcoming Dutch Dynamics Community event. In the meantime, it was also extremely busy completing work. One of the topics I talked about recently is eXtensible Data Security (XDS) in Microsoft Dynamics 365 for Finance and Operations and Microsoft Dynamics AX 2012.
Not much has been written about XDS. You may find two white papers and some blog posts on this topic. One white paper also describes an example of how to restrict financial dimension values.
Developing Extensible Data Security Policies (White paper) [AX 2012]
Securing Data by Dimension Value by using Extensible Data Security (White paper) [AX 2012]
As there is in general not that much knowledge and experience, I decided to share my knowledge in this area at some events and now also through my blogs.
I created and demoed some examples of what can be achieved using XDS. During the sessions related to this topic, I promised to share these examples. The examples have the following features:
- Secure legal entities
When you assign security roles with organizations assigned, by default a user can still see all legal entities in the Legal entities form. This policy can limit the list to only those assigned to the user.
- Warehouse security
This example shows how you can achieve record-based security on warehouses and sites. It uses a custom setup form to specify the warehouses linked to a user.
- Retail channel security
This example is combining the organization hierarchies, security organization assignment and XDS. Quite a powerful example which could be an inspiration for you.
- Project responsible (added June, 2021)
This example shows how to restrict projects to those where a person has a responsibility. An example which can be created in 5 minutes.
Detailed information on how to use these examples and an explanation of how they are created will be posted in separate blogs. Watch for them or come back to this page, where the links will be updated. Also, the list of examples might grow in the future.
At this moment, I can share the examples based on AX2012 and they reside on my OneDrive. The same features for Dynamics 365 for Finance and Operations will be added in the future. The location of the code examples might change in the future, so bookmark this page to be able to find the examples anytime. Currently, you can find them at this location: My OneDrive DynamicsShare
If you want to explore these examples, feel free to download and use them. The software is provided as-is and you cannot obtain any rights if something is not working correctly. Install the examples in a separate environment first and test them carefully. If you have questions or feedback, feel free to add comments or send a message.
That’s all for now. Till next time!
Thanks a lot for your article.
If a customer has X companies in D365FO, and would like to grant access to some sensitive data (item groups) only to a group of users. Let’s say the customer would like to use the same rule across all companies. Does he need to set up policies X times in XDS, or can one policy rule cover all companies?
Moreover, in D365, main tables cannot be shared by default across all companies. Mainly sub tables like customer or vendor groups can be, and I am not sure about security roles.
Thanks for reading the blog and your question. I just released a new blog about warehouse security. There is a similar situation here as warehouses can be the same or different per legal entity. The example shows an option how to restrict this with one policy (in this example two to have different behavior per group of tables). https://kaya-consulting.com/extensible-data-security-examples-secure-by-warehouse/
Is there a way to set up XDS on financial reports? We have a lot of reports and we would like to restrict the output by showing limited GL values to users based on the GL allowed to their roles using XDS.
Thanks in advance
XDS is an option to restrict data which is retrieved or written through the AOS. If you mean reports from Management Reporter, then the data is not controlled by the AOS. Then you need unit security setup in MR. Other reports which are running with e.g. a data provider class in Dynamics, will actually work with XDS.
I need to restrict specific 3-4 main accounts to users. Using these 3-4 main accounts, users should not be able to see balances and should not be able to create payment journal, General Journal.
The above main accounts should be accessible to users having the role which contains the XDS policy.
Please help us
There are some similar questions asked on the Dynamics community. I think you also found them as you commented on some of them. The community would be a better place to ask your specific questions. Some tips:
– You have to find all related tables which you want to constrain. Also define the primary table. In your case, I do think it would be the MainAccounts table.
– Define a method for how to restrict (role or user based, or both). Is a setup possible to link users with the primary table? Or define a certain field (e.g. posting type) which would be the key for hiding main accounts for certain security roles.
– Then create the security objects and test it.
If you have more specific questions, you can use the Dynamics community (or contact our sales department for resources to help you).
Is there a way to restrict users to see only vendors of a particular business unit of financial dimension?
I am unable to find a direct relation between vendtable and financial dimension
For sure this will be possible to achieve. Microsoft created some views which make it a bit easier to work with the dimension values. You can link the VendTable with the view DimensionAttributeValueSetItemView on the fields VendTable.DefaultDimension = DimensionAttributeValueSetItemView.DimensionAttributeValueSet. In case you have enabled more dimensions, you will get multiple records in this view. One record for each dimension.
To find the correct record in the view DimensionAttributeValueSetItemView you can also link the DimensionAttribute table for the Business Unit record with this view. Then link the fields DimensionAttributeValueSetItemView.DimensionAttribute = DimensionAttribute.RecId.
Let me know if this is sufficient for you to continue.
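The join described in the reply above can be previewed with an AX 2012 X++ job before it is modelled as data sources in the policy query. This is an added example, not part of the original reply or the author's downloads; the attribute name 'BusinessUnit' and the value '001' are constructed sample values.

```xpp
// Added example: lists the vendors in the current company that the
// VendTable -> DimensionAttributeValueSetItemView -> DimensionAttribute
// join would leave visible for one business unit value.
static void XdsPreviewVendorsByBusinessUnit(Args _args)
{
    // Assumptions: replace both values with the ones from your environment.
    str                                attributeName = 'BusinessUnit';
    str                                allowedValue  = '001';
    VendTable                          vendTable;
    DimensionAttributeValueSetItemView valueSetItem;
    DimensionAttribute                 dimensionAttribute;
    int64                              total;
    int                                inScope;

    // Baseline: all vendors in the current legal entity.
    select count(RecId) from vendTable;
    total = vendTable.RecId;

    // The view returns one record per dimension stored on the vendor, so
    // the DimensionAttribute join selects only the Business Unit record.
    while select AccountNum from vendTable
        join DisplayValue from valueSetItem
            where valueSetItem.DimensionAttributeValueSet == vendTable.DefaultDimension
               && valueSetItem.DisplayValue == allowedValue
        join RecId from dimensionAttribute
            where dimensionAttribute.RecId == valueSetItem.DimensionAttribute
               && dimensionAttribute.Name == attributeName
    {
        inScope++;
        info(strFmt("%1 (%2 = %3)", vendTable.AccountNum,
            attributeName, valueSetItem.DisplayValue));
    }

    // Vendors with no value for the attribute have no matching view record,
    // so the inner joins exclude them as well.
    info(strFmt("%1 of %2 vendors match %3 = %4",
        inScope, total, attributeName, allowedValue));
}
```

Comparing the matched count with the total shows how many vendors a policy built on this join would hide, including vendors that have no business unit value at all.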