Role-Based Security Concepts Overview

Applies To: Microsoft Dynamics AX 2012 R3, Microsoft Dynamics AX 2012 R2, Microsoft Dynamics AX 2012 Feature Pack, Microsoft Dynamics AX 2012

The Microsoft Dynamics AX role-based security system restricts system access to authorized users. You can create security roles to represent various job functions. A defined set of application access privileges is assigned to specific roles. Users can be assigned to one or more security roles and, through those role assignments, acquire the permissions to perform particular system functions.

You can use privileges to group together securable objects, such as entry points and permissions for tables, forms, and server methods. You can further combine privileges into duties and duties into process cycles. A duty is a set of application access privileges that are required for a user to carry out their responsibilities. A process cycle is a collection of duties that represent a higher-level business process.

The following table summarizes role-based security system concept definitions.

Concept

Description

Security role

  • Security roles represent a behavior pattern that a person in the organization can play.

  • A security role includes a defined set of application access privileges.

  • A security role can be defined as a group of duties for a job function.

  • System administrators can limit the data that users can access by applying data security policies. Administrators can also control the level of access that users in the role have to current, past, or future records.

  • Users are assigned to one or more security roles. Each user must be assigned to at least one security role to have access to Microsoft Dynamics AX.

  • Examples of security roles: Shipping Clerk, Accounts Receivable Clerk, System Administrator.

Role hierarchy

  • Security roles can be organized into a hierarchy by defining roles as combinations of other roles. For example, the accounting manager role could be defined as a combination of the manager role and the accountant role.

  • A role hierarchy is a many-to-many relation that allows a security role to be defined as derived from another security role.

  • Instead of having to define each security role independently, a role hierarchy allows security roles to inherit the permissions from other security roles and reuse them.

Duty

  • A duty is a responsibility to perform one or more tasks or services for a job. Duties correspond to parts of a business process.

  • A duty can be defined as a group of related privileges allowing a specific business function.

  • In the security model, a duty is a set of application access privileges that are required for a user to carry out their responsibilities.

  • Duties are designed with a specific business objective in mind.

  • A duty can be assigned to more than one role.

Process

  • A functional work structure that an organization is responsible for designing, controlling, and improving.

  • A process consists of a coordinated set of activities in which one or more participants consume, produce, and use economic resources to achieve one or more organizational goals.

Process cycle

  • Process cycles organize duties and access privileges according to high-level processes, for example, the revenue cycle.

  • A process cycle can be defined as a group of duties for a job function.

Privilege

  • A privilege specifies the access that is required to accomplish a job, problem, or assignment.

  • A privilege contains permissions to individual application objects, such as user interface elements and tables.

  • Privileges group together related securable objects, for example, menu items and controls.

  • Privileges can be assigned directly to roles. However, for easier maintenance, we recommend only assigning duties to roles.

Entry point

  • An entry point is the object that triggers a user action to start a particular function, such as a form or a service.

  • In Microsoft Dynamics AX, there are three different types of entry points: menu items, Web content items, and service operations.

Caution

In the licensing model for Microsoft Dynamics AX, entry points are referred to as menu items.

Permission

  • Permission refers to the securable objects and associated access levels that are required to perform the function associated with an entry point. This could include any tables, fields, forms, or server-side methods that are accessible through the entry point.

  • Security permissions are used to control access to individual application elements: menus, menu items, action and command buttons, reports, service operations, Web URL menu items, Web controls, and fields in the Windows client and Enterprise Portal.

  • Permissions group securable objects and the permissions that are required for them, for example, form and report permissions.

  • In Microsoft Dynamics AX, individual security permissions are combined into privileges, and privileges are combined into duties.

Caution

Be aware that modifying permissions may impact licensing requirements. For more information about how licensing relates to security, see the Security roles and licensing white paper for Microsoft Dynamics AX 2012.

Permission set

A permission set refers to the objects and associated permissions that are required to perform the function associated with an entry point. This could include any tables, fields, forms, or server-side methods that are accessible through the entry point.
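
The concepts in the table can be modeled as a chain from role to duty to privilege to permission. The following added example is not Microsoft Dynamics AX code or its API: it resolves a user's effective access through a role hierarchy and lists roles that have privileges assigned directly instead of through duties. All role, duty, privilege, and object names are constructed, and the ordered access levels and the "highest level wins" rule are assumptions of the example.

```python
# Added example: a model of the role -> duty -> privilege -> permission chain.
# All names and data are constructed; this is not the Dynamics AX API.
LEVELS = ["NoAccess", "Read", "Update", "Create", "Delete"]  # assumed ordering

# privilege -> {securable object: access level}
PRIVILEGES = {
    "ViewCustomers": {"CustomerTable": "Read"},
    "MaintainCustomers": {"CustomerTable": "Update", "CustomerForm": "Update"},
    "PostInvoice": {"InvoiceJournal": "Create"},
}
# duty -> privileges it groups
DUTIES = {
    "InquireCustomers": ["ViewCustomers"],
    "MaintainCustomerMaster": ["MaintainCustomers"],
}
# role -> roles it derives from, duties, and directly assigned privileges
ROLES = {
    "Manager": {"roles": [], "duties": ["InquireCustomers"], "privileges": []},
    "Accountant": {"roles": [], "duties": ["MaintainCustomerMaster"],
                   "privileges": ["PostInvoice"]},
    "AccountingManager": {"roles": ["Manager", "Accountant"],
                          "duties": [], "privileges": []},
}

def expand_roles(assigned):
    """Assigned roles plus every role they derive from (safe against cycles)."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLES[role]["roles"])
    return seen

def effective_permissions(assigned):
    """Highest access level per securable object across all inherited roles."""
    result = {}
    for role in expand_roles(assigned):
        privs = list(ROLES[role]["privileges"])
        for duty in ROLES[role]["duties"]:
            privs.extend(DUTIES[duty])
        for priv in privs:
            for obj, level in PRIVILEGES[priv].items():
                current = result.get(obj, "NoAccess")
                if LEVELS.index(level) > LEVELS.index(current):
                    result[obj] = level
    return result

def direct_privilege_roles():
    """Roles with privileges assigned directly rather than through duties."""
    return sorted(name for name, r in ROLES.items() if r["privileges"])
```

Resolving the constructed AccountingManager role shows that it inherits Update on the customer table from Accountant, which overrides the Read it inherits from Manager, and that Accountant is the one role to review for a directly assigned privilege.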

See also

Role-based Security in the AOT for Developers
