In my last blog, I shared some code examples for eXtensible Data Security (XDS). In this post, I will explain how it works and also introduce a V2 version which will be more advanced in determine which legal entities will be visible for the user.
Secure by legal entity
About four and a half year years ago, I already created the first version of the security policy to constrain records on the form Legal entities. At that time I did create a blog describing all steps in detail how to create this policy. You can read the blog How to restrict legal entities based on assigned organizations – AX 2012 how this policy was created.
To be able to have this version of the policy working, you should restrict all security roles; also the system user role. All other details are documented in the initial blog. There might be an additional requirement to constrain also accounting entries. This is based on global tables, but are already filtered on reports and forms within the client. However, if you want to use the Excel add-in in AX2012 with these accounting entries, there was no company (DataAreaId) context field, so it showed also data for companies which are not part of your domain. So, in addition to the explanation provided in the blog mentioned above, this has been covered in this security policy.
As described above, the system user role needs to get restrictions on assigned organizations; otherwise the legal entity form shows too many records. Also, it might be the case that a person would be e.g. a sales assistant in all legal entities, but an accountant in just a few legal entities. For this purpose, I was thinking of another way to get a certain result.
I got the idea to look at all roles which does grant permissions for the Legal entities form. Then only look at the organization assignments for these roles and ignore the settings for the system user and other roles which does not have permissions on this entry point. To be able to achieve the desired result, I had to create a new so-called MyContruct table which builds a list with companies. (A MyContruct table is a special temporary table which creates a temporary table on the SQL server per user with his/her own values using a table method ‘xds()’.)
This new table has been used in a new view instead of the MyLegalEntities table in the first table.
All objects (V1 and V2) can be found on my My OneDrive DynamicsShare. Note that the provided examples of V1 and V2 cannot be used together without modifications. As they both have a policy on the same table(s) for all roles, only one policy should be active at a time.
If you want to explore these examples, feel free to download and use it. The software is provided as-is and you cannot obtain any rights if something is not working correctly. You have to ensure you will install the examples in a separate environment first and test it carefully. If you have questions or feedback, feel free to add comments or send a message.
That’s all for now. Till next time!