[Update] Troubleshooting XDS Security Policy in Dynamics AX 2012
Dear Friends,
I'm stuck on this issue while implementing a custom security policy with DAX 2012. I hope to gather some feedback through this blog post from anyone who has come across this issue before. If not, any suggestions are welcome. If I come across a solution, I will come back and update this post.
I have posted this query in Microsoft forums over here
Hi,
Greetings!!
A brief background: we are using custom security roles and policies (using the XDS Framework) in this implementation. We have created a security policy query on the DimensionAttributeValueCombination table as shown below; it's a simple filter on LedgerDimensionType and DisplayValue (please see the ranges in Screenshot 2).
Screenshot# 1 (Security Policy Query) :
Screenshot# 2 (Query Ranges/Filter):
Now, going one level up to the security policy, please see the screenshots below for the definition of our security policy and the constrained tables within it.
Screenshot# 3: (Security Policy)
Screenshot# 4: (Security Policy(Constrained Tables))
As you might have already seen in Screenshot# 3, the security policy is attached to ContextType RoleName and we have added a test user to that security role. So far, all good.
Now, when the user with the above security role logs in to AX and navigates to GL > Trial Balance, the accounts are filtered based on the query ranges, i.e. it brings all accounts which end with -1-003 and -1-007, as expected. All good here.
But the trouble starts when we go to forms like Free Text Invoices under AR. The user with the above role can create a new free text invoice header from AR > Free Text Invoices, but when they go to create an invoice line and select the main account from the drop-down, the system just hangs. We have also experienced a similar issue when we try to select an account from GL > General Journal.
Screenshot# 5: Free Text Invoice
I tried to debug and see the SQL query behind the scenes via SQL Profiler, and it tells me that the security policy is in force and it's trying to do an insert into the DimensionAttributeValueCombination table, but failing to do so because of the security query. For testing purposes, if I remove the security role from the user's login or try posting the free text invoice as a system admin, it works (because obviously the security policy is not in force).
Is there anything being done wrong above? I also tried disabling the security policy via code, i.e. going to CustInvoiceform and using xds.SetXDSContext(0, " ") to bypass the security, but this is not working. I also tried disabling the security policy in table methods before insert or validateWrite, but with no results.
I checked the forums before posting here and found some interesting posts on the XDS Framework, but they haven't been answered fully, like this one about having a dynamic query, which would be nice to have.
http://community.dynamics.com/ax/f/33/t/97472.aspx
Any recommendations or suggestions are welcome. TIA
Update (20/03):
****************************************************************************
I have found a workaround by taking a different approach to the scenario: instead of attaching the Security Policy to the Role directly, I changed the ContextType to “ContextString” from the previously defined “RoleName” and put a ContextString called “DNTestSec”.
(Step 1)
I then attached this ContextString to the role and query. (Please see below Step 2 and Step 3)
After making these changes, the below code makes sense, as it can enable/disable security at run-time because it can find the ContextSecurity string. (Below is standard AX code which you can find in one of the DirParty* forms in the AOT.)
In conclusion, the limitation is that we can't have both RoleName and ContextString enabled on a SecurityPolicy, because as soon as you set the "ContextType" property to "RoleName", ContextString gets disabled.
And with the above limitation, the only way to control security on demand is through code using ContextString, as shown in the above steps.
****************************************************************************
Thanks for this useful post.
Can you tell me where to set the ContextString when I want to enforce a security policy only for "insert,update,delete"?
I tried write() in form and table but with no success.