共用方式為


How to identify the Security Tasks and Security Roles associated with a specific window or report

David Meego

From the Microsoft Dynamics GP Application Level Security Series.

Microsoft Dynamics GP version 10.0 introduces a new pessimistic task and role based security model. This model is defined in the following way:

  • Access to all windows, tables, reports and miscellaneous permissions are classed as Security Operations.
  • A set of Security Operations required to perform a specific task are assigned to a Security Task.
  • Multiple Security Tasks required to perform a specific role are assigned to a Security Role.
  • Each User and Company combination can then have multiple Security Roles assigned to it.

Note: Operations may be assigned to multiple Security Tasks and Security Tasks may be assigned to multiple Security Roles.

In the situation when a system administrator knows which window (or report) they wish to grant access to a user, but does not know what Security Tasks or Security Roles are associated with the window, there is no simple method to obtain this information from within the application.  It would be possible to scroll through each Security Task on the Security Task Setup window (Microsoft Dynamics GP >> Tools >> Setup >> System >> Security Tasks) and check if the window is selected, but this is time consuming.  The Print Operation Access report which can be printed after selecting the window will show which users have access to the window, but not how that access was obtained based on the Security Roles and Security Tasks.

To obtain the data we will use a new Security Resource Descriptions table (Technical Name: syCurrentResources (SY09400) table) which was added to v10.0 to create a SQL Query to obtain the information.  This table is initially empty, but can be populated by running the Clear Data File Maintenance process on it. The system will then rebuild the contents based on the current installed dictionaries.

Below are the steps to populate the Security Resource Descriptions table:

  1. Click Microsoft Dynamics GP, point to Maintenance, and then click Clear Data to open the Clear Data window.
     
  2. On the Display menu, click Physical
     
  3. In the Series list, click System
     
  4. In the Tables pane, click the Security Resource Descriptions table, and then click Insert
     
  5. Click OK
     
  6. Click Yes
     
  7. In the Report Destination window, select the Screen check box, and then click OK to send the report to the screen. 
     
  8. Close the report.

Now that the Security Resource Descriptions table has been populated we can use it in a SQL Query from SQL Query Analyzer (SQL Server 2000) or SQL Server Management (SQL Server 2005). The Query below will display the Security Roles and Security Tasks associated with a specific window or report as selected by changing the Display Name on the last line of the query.

SQL Query

SELECT  ISNULL(A.SECURITYROLEID,'') AS SECURITYROLEID, ISNULL(M.SECURITYROLENAME,'') AS SECURITYROLENAME, --ISNULL(M.SECURITYROLEDESC,'') AS SECURITYROLEDESC,
 ISNULL(O.SECURITYTASKID,'') AS SECURITYTASKID, ISNULL(T.SECURITYTASKNAME,'') AS SECURITYTASKNAME, --ISNULL(T.SECURITYTASKDESC,'') AS SECURITYTASKDESC,
 R.PRODNAME, R.TYPESTR, R.DSPLNAME, R.RESTECHNAME, R.DICTID, R.SECRESTYPE, R.SECURITYID
FROM DYNAMICS.dbo.SY09400 R
FULL JOIN DYNAMICS.dbo.SY10700 O ON R.DICTID = O.DICTID AND O.SECRESTYPE = R.SECRESTYPE AND O.SECURITYID = R.SECURITYID
FULL JOIN DYNAMICS.dbo.SY09000 T ON T.SECURITYTASKID = O.SECURITYTASKID
FULL JOIN DYNAMICS.dbo.SY10600 A ON A.SECURITYTASKID = T.SECURITYTASKID
FULL JOIN DYNAMICS.dbo.SY09100 M ON M.SECURITYROLEID = A.SECURITYROLEID
WHERE R.DSPLNAME = '<Display_Name>'

Note: The <Display_Name> placeholder represents the actual display name. For example, the display name may be "Sales Transaction Entry".

Below are the example results based on a default installation for 'Sales Transaction Entry':

Result Set

SECURITYROLEID          SECURITYROLENAME                SECURITYTASKID          SECURITYTASKNAME        PRODNAME                TYPESTR         DSPLNAME                        RESTECHNAME     DICTID  SECRESTYPE      SECURITYID
----------------------- ------------------------------- ----------------------- ----------------------- ----------------------- --------------- ------------------------------- --------------- ------- --------------- ----------
BOOKKEEPER*             Bookkeeper                      TRX_SALES_001*          Enter SOP transactions  Microsoft Dynamics GP   Windows         Sales Transaction Entry         SOP_Entry       0       2               619
CUSTOMER SERVICE REP*   Customer Service Representative TRX_SALES_001*          Enter SOP transactions  Microsoft Dynamics GP   Windows         Sales Transaction Entry         SOP_Entry       0       2               619
OPERATIONS MANAGER*     Operations Manager              TRX_SALES_001*          Enter SOP transactions  Microsoft Dynamics GP   Windows         Sales Transaction Entry         SOP_Entry       0       2               619
SHIPPING AND RECEIVING* Shipping and Receiving          TRX_SALES_001*          Enter SOP transactions  Microsoft Dynamics GP   Windows         Sales Transaction Entry         SOP_Entry       0       2               619

If there are no Security Roles assigned to the Security Tasks, they will show as blank. If there are no Security Tasks assigned to the Operation, they will also show as blank.

Security Table Information 

Security Operations for a Security Task are stored in table sySecurityAssignTaskOperations (SY10700).
Security Tasks are defined in table sySecurityMSTRTask (SY09000).

Security Tasks for a Security Role are stored in table sySecurityAssignTaskRole (SY10600).
Security Roles are defined in table sySecurityMSTRRole (SY09100).

Security Roles for a User and Company combination are stored in table sySecurityAssignUserRole (SY10500).

Also see the following post for how to use the Support Debugging Tool for Microsoft Dynamics GP to achieve the same results:

How to identify the Security Tasks and Security Roles using the Support Debugging Tool

Edit: Build 10 of the Support Debugging Tool now includes a Security Information window which can be opened from the Security Profiler and Resource Information windows.  This window will display the Security Tasks and Security Roles associated with the select resource and provide easy navigation to the security windows to make changes if desired. Just right click and select Security Information to open the window. For more information see Support Debugging Tool Build 10 released.

David

Ref: Portions from KB 951229

17-Nov-2008: Add link to Support Debugging Tool version of the post.

15-Jan-2009: Add details of new Security Info window in Support Debugging Tool build 10.

30-Aug-2010: Added link to Update: How to identify the Security Tasks and Security Roles using the Support Debugging Tool.

Comments

  • Anonymous
    November 11, 2008
    PingBack from http://blogs.msdn.com/developingfordynamicsgp/archive/2008/11/10/microsoft-dynamics-gp-application-level-security-series.aspx

  • Anonymous
    November 12, 2008
    Over on Developing for Dynamics GP, David Musgrave continues his killer series on Security in Dynamics

  • Anonymous
    November 13, 2008
    This has been up 2 days and I'm already using it at a client. Thanks David!

  • Anonymous
    November 13, 2008
    From the Microsoft Dynamics GP Application Level Security Series . In the previous post, How to identify

  • Anonymous
    November 19, 2008
    From the Microsoft Dynamics GP Application Level Security Series . When access is denied by the application

  • Anonymous
    November 23, 2008
    One of the great things about blogging is the ability to inform and educate partners and customers on

  • Anonymous
    November 24, 2008
    Posting from the Dynamics GP Blogster http://dynamicsgpblogster.blogspot.com/2008/11/microsoft-dynamics-gp-10-security.html

  • Anonymous
    December 17, 2008
    Thank you for these queries. They were immediately useful for a number of clients. Have you looked at how to identify Smartlist Objects? They do not show up in the query results. I think it has something to do with the Security Resource Type in SY10700 but am not sure. Thank you again.

  • Anonymous
    July 24, 2009
    Wow!  I have needed this for a long time!  Thank you so much.  This is the sort of little thing that Microsoft always leaves out that sometimes renders supporting GP so difficult!

  • Anonymous
    November 13, 2009
    David, The windows for the third-party application I developed have blank fields for security role id, role name, task id and task name.  How do I correct that? Thanks.

  • Anonymous
    November 13, 2009
    Greg, I have a question for you back - what is the difference between YOUR app and a GP 3rd party such as Field Service?  And from there, I assume this all works OK for Field Service?

  • Anonymous
    January 26, 2010
    How does one run the referenced Print Operation Access report?

  • Anonymous
    January 26, 2010
    Hi Dawn From the Security Tasks window (Microsoft Dynamics GP >> Tools >> Setup >> System >> Security Tasks), there is a "Print Operation Access" button on the bottom left of the window. Just select an Operation on the Access List and then click the button to see which users have access to that window. As mentioned, this does not show "how" the user got access.  You can use the Support Debugging Tool to show which Security Tasks and Security Roles enabled the user(s) to get access to a particular operation. David

  • Anonymous
    March 30, 2010
    When setting up GP10 is it okay to modify existing roles or for upgrade reasons should we copy the existing role say AP Clerk and then add things as need to that existing role as needed for our client AP Clerk needs?  Am worried about future upgrades and reseting what is in the core role.  What is the best practice?

  • Anonymous
    March 30, 2010
    Robyn, Yes it is ok to modify the roles.  Best Practice for upgrades?  That is hard to say - my first thought would be that you would probably be ok during any kind of upgrade.  I doubt that we would actually go in and remove all the roles and then recreate them again.  Just because that would be potentially destroying user data at that point. Notice I said "doubt" and not "we wouldn't ever" do that.  I just doubt it unless there wasn't any other option for whatever dev was trying to accomplish.

  • Anonymous
    June 30, 2010
    Hello David, Great site and as usual, you provide top tips. This on is amazing ! Do you have one that would also include Extender and SmartList objects ? Thank you Sebastien

  • Anonymous
    July 01, 2010
    Hi Sebastian I am planning to add support for non resource (form, report, table) security objects into the Support Debugging Tool.  I will not be adding it at the SQL Level. Have a look at this post on Victoria Yudin's blog. My friend Robert Cavill added SmartLists into the View victoriayudin.com/.../sql-view-with-security-and-smartlist-details-in-gp David

  • Anonymous
    October 04, 2010
    Posting from Jivtesh Singh at About Dynamics, Development and Life www.jivtesh.com/.../security-taskrole-associated-with.html

  • Anonymous
    July 18, 2013
    Hi David, Thanks again for another useful article! I am struggling to find out how to check if a user has been granted a specific task using Dex code. I have checked the IG guide and the SDK parameters file but cannot get anything that looks like it will give me what I need. We want to use the tasks to manage specific fields on a window so using the standard Security() function will not work (as far as I know). Is there any refrenece material out there for this?

  • Anonymous
    July 21, 2013
    Hi Adriaan You can always look at the security tables directly to see if a user has access to a role which in turn has access to the task.  You would probably need to use a where clause with a nested table (which must be fully qualified). See KB below How to use a "Range Where" clause that is based on more than one table in Dexterity in Microsoft Dynamics GP support.microsoft.com/.../922056 Or you could create your own security type specific to your application. Like Extender and SmartList Builder do. David

  • Anonymous
    March 10, 2014
    David, may I trouble you for the steps to populate the Security Resource Descriptions table in Dynamics/GP 2013.   The steps above are not entirely available, and my experimentation with alternatives hasn't been successful.

  • Anonymous
    March 10, 2014
    Dave Haher, The steps listed above are correct.  If you don't see this, then you either have a major issue or you are not following them correctly. Give it another shot.

  • Anonymous
    March 10, 2014
    Dave If you have the Support Debugging Tool installed, when the table is populated with forms and reports, the SDT will add tables and all the other security objects into the table. If you have Build 18 of the Support Debugging Tool installed, You can rebuild the table using the Options menu on the Security Information Window. No need to use clear data anymore. David

  • Anonymous
    February 04, 2015
    Hi David, Is there a way to see what operations are assigned to a task in SQL?  It looks like this information is populated in a temp table when it is retrieved, but I don't see where the relationship between tasks and assigned operations is stored in the GP database.  Thanks!

  • Anonymous
    September 13, 2015
    David - We are having a security audit and it would be nice to know what the security roles/tasks were at the point of implementation BEFORE there were changes made to them. Is there any way to know what those roles/tasks were before they under went changes?? Thank you, Tanya

  • Anonymous
    October 01, 2015
    Hi Tanya Can you do a quick standalone install of GP onto another machine? That will give you the default security roles and tasks. David

  • Anonymous
    August 05, 2016
    Microsoft should have a list of all the windows in GP that matches with the Security Task ID's. Luckily there is a 3rd party website for that: http://www.gpwindow.com/securitysearch.php We should not have to resort to a 3rd party for this simple task!!! Come on MS!!!!

    • Anonymous
      August 05, 2016
      The comment has been removed
  • Anonymous
    September 07, 2016
    thanks u very much for this valuable information

  • Anonymous
    September 07, 2016
    Hi HasibGlad I could help. You should have a look at GP Power Tools (previously known as Support Debugging Tool) for easily resolving security issues.GPPT Portal: http://WinthropDC.com/GPPTDavid

  • Anonymous
    September 07, 2017
    David,Is this valid for GP 2016 R2? Thank you,Andrew.

    • Anonymous
      September 07, 2017
      Hi AndrewThis will work, but GP Power Tools replaced the Support Debugging Tool and has a powerful yet simple window to provide this information and much much more. Let me know if you want a demo.David
      • Anonymous
        September 18, 2017
        GP Power Tools is not free. I loved the Microsoft Support Debugging Tool. I recently upgraded to GP2016 and the Debugging Tool was not available. I installed GP Power Tools and to find out it's not free.
        • Anonymous
          September 18, 2017
          Hi BeckyThe Support Debugging Tool was solely created by me and was discontinued when I left Microsoft in October 2014. I negotiated with Microsoft to continue developing the product and re-released it as GP Power Tools.It has had many fixes and enhancements in the last three years but is no longer subsidized by Microsoft as I am not an employee any more. I need to charge a subscription fee now as this is now my family's primary source of income. The amount of time saved the features of the tool provide to users, administrators, consultants and developers makes it worth the cost.Thanks for your support.David