When you create a new user in Microsoft Dynamics 365 Finance, SCM or Retail, this user gets the system user role assigned by default. In this post, I will elaborate on use cases where this is not helpful and on how to prevent this automatic assignment so that you can assign the role in your preferred way.

Use cases to remove the System user role assignment

The system user role contains privileges to execute basic functionality in the system, such as switching companies and maintaining user options and alerts. It is a security role that the system requires to function correctly. The first version of Microsoft Dynamics AX 2012 did not have the automatic system user role assignment, which led to issues due to lack of knowledge and experience. For that reason, Microsoft changed the kernel to add the system user role to every newly created user. When you delete the role, there will be a warning, but the application does not stop you.

There are, in my opinion, valid reasons to avoid having the system user role assigned automatically. You might have a lot of legal entities, or legal entities that contain sensitive information. In that case, you don’t want a user to see all legal entities when switching legal entities. You can assign organizations to limit the number of legal entities, but if you forget that, the user will see information, even a company name, which they should not be able to know about.

In the past, I had a customer with over 2500 legal entities; this is too many to show in a list, and there were also highly sensitive companies. Together with a large number of users and monthly changes in positions, the challenge was born to find a better way of maintaining the security. Using automatic role assignment, the customer could achieve exactly what he wanted. One problem: as the system user role is created by the system with a manual assignment option, there was no way to restrict getting the system user role automatically assigned. A manually assigned role will not be changed by the automatic role assignment job. It appeared that the coding is part of the kernel, and I had to find a workaround.

Delete System user role assignment

There was no other option than having a data event after creating the user. So, I created a small class with an event handler to delete the assignment which was created just some milliseconds before. Below, I will share the coding, which I have reproduced on Dynamics 365, as my customer in the past was using Dynamics AX 2012.

The coding is provided as-is. You may freely use and modify it to your needs. The use and installation of this coding is at your own risk. I cannot be held liable for any error or damage in your environments. For this reason, please first deploy it on a test environment which is not important in your project. Test it carefully before using it eventually in a customer production environment. I have only tested it on my own sandbox.

class DynPed_SysUserInfo
{
    /// <summary>
    /// Data event handler to delete the system user role assignment when creating a user.
    /// </summary>
    /// <param name="sender">The UserInfo record that was just inserted.</param>
    /// <param name="e">The data event arguments (not used).</param>
    [DataEventHandler(tableStr(UserInfo), DataEventType::Inserted)]
    public static void SysUserInfo_onInserted(Common sender, DataEventArgs e)
    {
        SecurityRole        secRole;
        SecurityUserRole    secUserRole;

        UserInfo            userInfo = sender;

        // Look up the System user role by its AOT name.
        select firstonly RecId from secRole
            where secRole.AotName == 'SYSTEMUSER';

        // Nothing to delete when the role cannot be found.
        if (!secRole.RecId)
        {
            return;
        }

        ttsbegin;

        // Remove the assignment that was created for the new user.
        delete_from secUserRole
            where secUserRole.User == userInfo.id
            && secUserRole.SecurityRole == secRole.RecId;

        ttscommit;
    }

}

Once you create a class with the coding above and build it, the handler is effective. When you create a new user in Dynamics 365, it will look as if the system user role was never assigned.

There is more…

Potentially, you can change the script to:

  • Change the manual assignment to automatic instead of deleting the record
  • Create a parameter to be able to switch on or turn off the deletion of the system user role

Whatever way you decide to manage the system user role assignment, make sure that all users have this role assigned when they are normal business users.
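One way to verify this once the handler is deployed, as an added example that is not part of the original post: a runnable class that lists every enabled user who has no System user role assignment. The class name is hypothetical, the role lookup is the same one the handler uses, and the example assumes that UserInfo.enable marks enabled accounts.

```xpp
// Added example (not the author's code). The class name is hypothetical.
internal final class DynPedDemo_SystemUserRoleAudit
{
    /// <summary>
    /// Lists enabled users that have no System user role assignment.
    /// </summary>
    /// <param name="_args">Not used.</param>
    public static void main(Args _args)
    {
        SecurityRole        secRole;
        SecurityUserRole    secUserRole;
        UserInfo            userInfo;
        int                 missing;

        // Same lookup as in the event handler: find the role by its AOT name.
        select firstonly RecId from secRole
            where secRole.AotName == 'SYSTEMUSER';

        if (!secRole.RecId)
        {
            throw error("System user role not found.");
        }

        // Assumption: UserInfo.enable is set for accounts that can sign in.
        while select id, name from userInfo
            where userInfo.enable == true
            notexists join secUserRole
                where secUserRole.User == userInfo.id
                   && secUserRole.SecurityRole == secRole.RecId
        {
            warning(strFmt("User %1 (%2) has no System user role.",
                userInfo.id, userInfo.name));
            missing++;
        }

        info(strFmt("%1 enabled user(s) without the System user role.", missing));
    }

}
```

Run it after bulk user imports or role clean-ups; every account it reports either needs the role or a documented reason for not having it.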



I do hope you liked this post and that it will add value for you in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.


That’s all for now. Till next time!

1 reply
  1. Calvin Eddings says:

    Thanks for this blog topic. It was a big help on understanding the system user role and also on deciding how to manage it for my organization.
