Role-based security in Dynamics 365 for Operations. Export security changes and Security diagnostics tool.

As we know from my previous post, we can create security artifacts from Visual Studio and from the user interface. Now we want to deploy them. All objects created in VS can be deployed via a deployable package; there is no difference from any other code you create. Changes made from the UI can be deployed as data via a data package. Out of the box we have three data entities to work with security customizations:

SecurityCustomizationEntities.jpg

In the export file for duty customizations we get the duty name and an XML object that contains all privileges assigned to the duty. The other two (roles and privileges) have a similar structure.

ExportedDutyChanges.jpg

ExportedDutyChangesXML.jpg

That’s a big improvement in security setup, because in AX 2012 it was hard to track which changes were made in a test environment and should be transferred to live.

Security diagnostics tool

To ease the problem of security setup in AX 2012 we had the Security Development Tool; unfortunately, it’s not available in the current version (Microsoft is working on the replacement). However, there is another useful tool: the Security diagnostics tool.

Each form in AX has an “Options” tab on the action pane where you can find the “Security diagnostics” button. It shows a list of all roles, duties and privileges that grant access to the current form. Using the buttons at the top of the dialog you can add a role to a specific user, a duty to a specific role or a privilege to a specific duty to quickly grant access to the current form.

SecurityDiagnosticsFromForm.jpg

Using task recorder to set up security.

Task recorder has been rebuilt in the current release and can be used in different scenarios apart from actual task recording. One of them is security setup: now you can analyse a task recording with the Security diagnostics tool.

Create a task recording.

taskrecorder

taskrecordersteps

Save it.

taskrecordersavesteps

Go to System administration -> Security -> Security diagnostics for task recordings and open the saved recording.

SecurityDiagnosticsOpenRecording.jpg

As a result you will see all menu items involved. When you select a user, AX shows whether they already have permission to the entry points.

SecurityDiagnosticsSelectUser.jpg

The “Add reference” button opens the Security diagnostics dialog, exactly the same one we saw using the Security diagnostics tool, where you can do all the setup.

SecurityDiagnosticsAddtoUsersRole.jpg

Role-based security in Dynamics 365 for Operations. What changed and what stayed the same.

The new version of AX has a couple of changes in the security architecture. Process cycles are removed (no one really used them in AX 2012) and record level security is finally obsolete.

However, because of the new code architecture and the restrictions that came with it, there are some changes in how we create new security artifacts. Previously, in AX 2012, all security objects were stored in the AOT as metadata; even if you did security setup from the UI, new objects were created or changed in the AOT. Now, because of the .NET platform, we cannot generate assemblies on the go, so there are two ways to create security objects:

  1. Create security objects in Visual Studio.

Nothing has changed here: a developer can create or edit new roles, duties and privileges in the AOT. They can then be deployed via deployable packages. For today’s blog I created a simple role, a duty and a couple of privileges.

  2. Create security objects from the UI.

In the current version the experience is similar to AX 2012, where a user can create and edit security objects from the UI, but under the hood AX does not create any objects! All changes are stored as data. On the screenshot below you can see a new role created by me for this article.

myrole

The new role has one duty and this duty has only one privilege. Now I’m going to add one more privilege, “My PrivilegeTwo”, to my duty. To do this you need to select the duty you want to modify, click “Add references” and select the privilege you want to add.

MyRoleChange.jpg

After that, you may notice “unpublished objects”, and you can either publish them or undo them.

myrolepublishchanges

Let’s add one more privilege in the AOT.

MyDutyAOTChanged.jpg

As you can see, in the AOT my duty consists of only two privileges; however, in the UI AX shows three:

MyRoleAOTUIChanged.jpg

Two of them were created by the developer in the AOT and one was added in the UI and is stored as data.

In the next blog post I will show how to deploy security data changes across environments and how to use the Security diagnostics tool.