Role-based security in Dynamics 365 for Operations. What changed and what stayed the same.

The new version of AX has a couple of changes in the security architecture. Process cycles have been removed (no one really used them in AX 2012) and record-level security is finally obsolete.

However, because of the new code architecture and the restrictions that came with it, the way we create new security artifacts has changed. Previously, in AX 2012, all security objects were stored in the AOT as metadata; even if you did the security setup from the UI, objects were created or changed in the AOT. Now, because of the .NET platform, we cannot generate assemblies on the fly, so there are two ways to create security objects:

  1. Create security objects in Visual Studio.

Nothing has changed here: a developer can create or edit roles, duties and privileges in the AOT. They can then be deployed via deployable packages. For today’s blog I created a simple role, a duty and a couple of privileges.

  2. Create security objects from the UI.

In the current version the experience is similar to AX 2012: a user can create and edit security objects from the UI, but under the hood AX does not create any objects! All changes are stored as data. In the screenshot below you can see a new role I created for this article.

[Screenshot: myrole]

The new role has one duty and this duty has only one privilege. Now I’m going to add one more privilege, “My PrivilegeTwo”, to my duty. To do this, select the duty you want to modify, click “Add references” and select the privilege you want to add.

[Screenshot: MyRoleChange.jpg]

After that, you may notice “unpublished objects”; you can either publish them or undo them.

[Screenshot: myrolepublishchanges]

Let’s add one more privilege in the AOT.

[Screenshot: MyDutyAOTChanged.jpg]

As you can see, in the AOT my duty consists of only two privileges; however, in the UI AX shows three:

[Screenshot: MyRoleAOTUIChanged.jpg]

Two of them were created by a developer in the AOT, and one was added in the UI and is stored as data.
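The layering described above can be audited so that privileges existing only as data are not missed in code review. The following is an added example, not code from the original post or from the product: the XML and CSV shapes are constructed stand-ins rather than real AX export formats, every name except “My PrivilegeTwo” is hypothetical, and it assumes unpublished changes are not yet effective.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed, simplified stand-in for the duty a developer maintains in the AOT.
AOT_DUTY_XML = """
<Duty name="MyDuty">
  <Privilege name="MyPrivilegeOne"/>
  <Privilege name="MyPrivilegeThree"/>
</Duty>
"""

# Constructed stand-in for changes made in the UI and stored as data.
UI_DATA_CSV = """duty,privilege,published
MyDuty,MyPrivilegeTwo,yes
MyDuty,MyPrivilegeFour,no
"""


def aot_privileges(xml_text):
    """Return (duty name, set of privileges defined in metadata)."""
    root = ET.fromstring(xml_text)
    return root.get("name"), {p.get("name") for p in root.iter("Privilege")}


def ui_privileges(csv_text, duty):
    """Return (published, unpublished) privileges added to the duty as data."""
    published, pending = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["duty"] != duty:
            continue
        target = published if row["published"] == "yes" else pending
        target.add(row["privilege"])
    return published, pending


def audit_duty(xml_text, csv_text):
    """Merge both layers and list what source control cannot see."""
    duty, in_code = aot_privileges(xml_text)
    published, pending = ui_privileges(csv_text, duty)
    return {
        "duty": duty,
        "effective": sorted(in_code | published),  # what the UI shows
        "data_only": sorted(published - in_code),  # granted, but not in the AOT
        "unpublished": sorted(pending - in_code),  # waiting for publish or undo
    }


if __name__ == "__main__":
    print(audit_duty(AOT_DUTY_XML, UI_DATA_CSV))
```

The `data_only` list is the part that never passes through a deployable package, so it is the part to review separately.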

In the next blog post I will show how to deploy security data changes across environments and how to use the Security diagnostics tool.


12 thoughts on “Role-based security in Dynamics 365 for Operations. What changed and what stayed the same.”

  1. Alejandro January 26, 2017 / 6:53 pm

    Do you know if there is any tool to create all the artifacts into code by reading an exported file from AX?

    • ievgensaxblog January 26, 2017 / 7:05 pm

      Hi Alejandro,
      As far as I’m aware, there is no tool. However, I heard that this feature is in the road map.

  2. Tim January 24, 2018 / 6:13 am

    How do we ‘undo’ the unpublished objects? I have a couple that I would like to delete but I’m not sure how.

    • Ievgen Miroshnikov January 24, 2018 / 7:18 am

      You may simply close the form and it will delete all unpublished changes.

      • Andreas April 10, 2018 / 3:47 pm

        Hello – in our version the unpublished objects will not be deleted after closing the form – a warning will appear, but if I come back – still unpublished.

  3. Henry March 2, 2018 / 9:49 pm

    Are there any disadvantages to creating security objects through the UI? While the security is saved in tables in the database, would there be conflicts having security both in the AOT and now in the database? All documentation directs users to make changes through the UI.

    • Ievgen Miroshnikov March 3, 2018 / 3:43 am

      I don’t see any disadvantages. UI takes priority over code and end users would not have any access to the code, so will use UI all the time. You don’t want to go through development and deployment every time you need a security change 🙂

      • naresh August 15, 2018 / 9:23 pm

        That is a great feature. I see that this feature will let you create\modify on the fly through UI. Let us say we made a few changes to security via UI in PROD to save time. I understand that data changes take precedence over the code. Is there a process to permanently embed these into code or AOT? So far, the only way I see is to keep track of changes that are made through UI and make them via code again in DEV if we want to distribute the changes to a different environment. The question is surrounding how do we move these changes to a different environment?

      • Ievgen Miroshnikov August 16, 2018 / 2:57 am

        There is no way to convert data to code. To move it to a different environment you just do an export and import using data management.

  4. Joakim Tokvam March 16, 2018 / 12:49 pm

    Thanks for this. It is interesting that the security artifacts now are stored as data and not code.
