Thursday 10 January 2019

Extensible Data Security (XDS) in Dynamics AX Finance and Operations

Today, I will be discussing the XDS feature in D365 F&O. Microsoft introduced a framework named Extensible Data Security as an evolution of the record-level security of AX 2012.

The Extensible Data Security framework is used to secure shared data, so that users can see only the part of a table's data that the enforced policy allows.

Let's take the CustGroup form as an example. We have a particular customer group with value 10, and we want to show the user only the sales orders of customer group 10. For this purpose we will implement the Extensible Data Security framework.

Note: Security policies do not apply to the system administrator role.

Below is the data showing all sales orders with different customer groups on Sales table form.


The following setup steps are required to develop an XDS policy.

Step 1) Create a query to filter records on the primary table; in my case it is the CustGroup table. Add the CustGroup table as the data source and apply a range with value 10 on it.

Step 2) Create a policy and set the following properties on it.
  • Constrained table : Set to Yes if you want the primary table itself to be secured by this policy.
  • Primary table : Set to CustGroup.
  • Query : Set to the CustGroupXDS query.
  • Enabled : Set to Yes if you want this policy to be enforced at run time.

Step 3) Create a new role or use an existing one. For demo purposes I have created a new role and added existing privileges to it, so that it can be bound to the context type.

Step 4) Add the constrained tables or views. In my case these are the Sales table and Sales line.

Note: When you add a constrained table, you must also choose the relationship used to join the primary table with this constrained table.

Step 5) Set the context.
There are three different context types.
  • Context string : Use it if a context is used to determine whether the policy should be applied. Whenever it is required, this context string needs to be set by the application using the XDS::SetContext API.
  • RoleName : Use it if the policy should be enforced only for a user in a specific role who accesses the constrained tables.
  • RoleProperty : Use it if the policy is to be applied only if the user is a member of any one of a set of roles that have the context string property set to the same value.
So we will set the context type and role name here.

Step 6) Add the newly created role to the user: go to System administration -> Users, select the user, edit it, and assign the role.

Step 7) Final output. Only sales orders with customer group 10 will be shown to the user. :)
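To make the effect of steps 1 to 5 concrete, the following added example (not code from the original post, and a model rather than the platform's implementation) uses Python with SQLite to show how the policy query behaves as an exists join on the constrained Sales table, enforced only for the role named in the RoleName context and skipped for administrators. The role name XDSDemoRole, the sample orders, and the dictionary layout are assumptions made for illustration.

```python
import sqlite3

def build_db():
    """Constructed sample data; table and field names follow the post."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE CustGroup (CustGroup TEXT PRIMARY KEY);
        CREATE TABLE SalesTable (SalesId TEXT PRIMARY KEY, CustGroup TEXT);
        INSERT INTO CustGroup VALUES ('10'), ('20'), ('30');
        INSERT INTO SalesTable VALUES
            ('SO-001', '10'), ('SO-002', '20'), ('SO-003', '10'), ('SO-004', '30');
    """)
    return db

# Model of the policy from steps 1-5 (hypothetical structure, not an AOT export).
POLICY = {
    "enabled": True,
    "primary_table": "CustGroup",
    "query_range": ("CustGroup", "10"),   # range in the CustGroupXDS query
    # constrained table -> (primary field, constrained field) of the join relation
    "constrained": {"SalesTable": ("CustGroup", "CustGroup")},
    "context_type": "RoleName",
    "role_name": "XDSDemoRole",           # placeholder; the post does not name the role
}
ADMIN_ROLE = "System administrator"       # label used by this model for the admin role

def policy_applies(table, user_roles, policy=POLICY):
    """RoleName context: enforce only for members of the role, never for admins."""
    return (policy["enabled"]
            and table in policy["constrained"]
            and policy["role_name"] in user_roles
            and ADMIN_ROLE not in user_roles)

def visible_rows(db, table, key, user_roles, policy=POLICY):
    """Key values of `table` that the user can read once the policy is applied."""
    sql, params = f"SELECT t.{key} FROM {table} t", []
    if policy_applies(table, user_roles, policy):
        field, value = policy["query_range"]
        p_field, c_field = policy["constrained"][table]
        # The policy query is attached to the constrained table as an exists join.
        sql += (f" WHERE EXISTS (SELECT 1 FROM {policy['primary_table']} p"
                f" WHERE p.{p_field} = t.{c_field} AND p.{field} = ?)")
        params.append(value)
    return [row[0] for row in db.execute(sql + f" ORDER BY t.{key}", params)]

if __name__ == "__main__":
    db = build_db()
    print(visible_rows(db, "SalesTable", "SalesId", {"XDSDemoRole"}))
    print(visible_rows(db, "SalesTable", "SalesId", {ADMIN_ROLE}))
```

When testing a real policy, the same comparison applies: check the constrained tables as a user who holds only the policy role and again as an administrator, and confirm the difference matches the policy query.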


7 comments:

  1. Also worth noting that these XDS-applied roles need to be assigned directly to users. If the role is assigned as a sub-role, then the security policy is not applied.

  2. If I want to add to the same range more than one value - for example for custGroup 30 and/or custGroup 40

    1. Well, I have not tried this, but I guess you can try to add another range on custGroup with value 40.

  3. I'm trying to do the same filtration for the EcoResProduct table by a certain product dimension from the EcoResProductDimensionGroup table. How could this be done?
