Role-based Security in the AOT for Developers
Applies To: Microsoft Dynamics AX 2012 R3, Microsoft Dynamics AX 2012 R2, Microsoft Dynamics AX 2012 Feature Pack, Microsoft Dynamics AX 2012
Microsoft Dynamics AX AOT allows the developer to manage role-based security. Under AOT > Security the developer manages permissions, privileges, duties, roles, and policies.
The system administrator assigns privileges, duties, and policies to roles. Users who are assigned to these roles are affected by these privileges and policies.
Views are a Loose Model of Security
An SQL view has a list of columns in its select clause, and has row filters in its where clause:
The column list gives the view the ability to return data from those columns. If it were possible to list no columns, the view would return no data.
The row filters define the criteria that each returned row must meet. If no row filters are defined, all rows are eligible to be returned.
The column and row mechanisms of an SQL view are a loose model of how the Microsoft Dynamics AX security model works. Under AOT > Security there is a Privileges node and a Policies node:
Privileges – are analogous to the column mechanism in an SQL view. On a form, you cannot see data from any field from any table unless a privilege containing the field is assigned to a role that you belong to. If your roles are assigned no privileges, you cannot see any fields on any form.
Policies – are analogous to the row mechanism in an SQL view. On a form, you can see data from any row from any table unless a policy about rows from those tables is assigned to your roles. If your roles are assigned no policies, you can see any rows or records on any form.
Privileges are Sets of Permissions
A privilege is a set of permissions. Permissions to read and write data originate under the Permissions node of several AOT elements including the following:
Forms > MyForm
Parts > Info Parts > MyInfoPart
Reports > MyReport
Web > Web Files > Web Controls > MyWebControl
Services > MyService > Operations > MyOperation
Policies Originate from Queries
The most common type of security policy originates from a query in the AOT.
On its Ranges node, a query specifies the criteria each row or record must satisfy to be returned. Further criteria are specified on its Relations node. These specifications help define the security policy that refers to this query.
On its Fields node, a query specifies which fields should be returned from which tables. However, the field specifications have no effect on the security policy that refers to this query.
See also
Automatic Inference of Permissions in AOT Security
Security Policies in the AOT for Data Records
Security for Microsoft Dynamics AX
Announcements: New book: "Inside Microsoft Dynamics AX 2012 R3" now available. Get your copy at the MS Press Store.