Sunday, February 2, 2014

Microsoft Dynamics AX 2012 Excel Add-in – Security Roles (Add Tables, Add Data)

Microsoft Dynamics AX 2012 Excel Add-in – Security Roles (Add Tables, Add Data)
 
Purpose: The purpose of this document is to explain security settings required by Microsoft Dynamics AX 2012 Excel Add-in for data import/export using "Add Tables" and "Add Data" methods.
 
Challenge: When using Microsoft Dynamics AX 2012 Excel Add-in you have 2 methods to access data using "Add Tables" and "Add Data" functions. "Add Tables" function allows you to access raw tables (as they are listed in AOT). "Add Data" function allows you to access Services, standard Queries (Query references) and Custom Queries exposed through Document Data Sources in Organization Administration > Setup > Document Management. The challenge is how to set up security settings for Microsoft Dynamics AX 2012 Excel Add-in following required minimum privilege principle to allow users import/export data. 
 
Solution: When using "Add Tables" function the system will access raw tables (as they are listed in AOT) and thus the user should be assigned to System Administrator role in order to import/export data. When using "Add Data" function the system will access the list of Document Data Sources to provide the user with the access to business data in accordance with his/her permissions. In order to use "Add Data" function the user does NOT need to be assigned to System Administrator role, instead you can leverage a very granular security setup to allow the user to import/export business data exposed through Document Data Sources, for example, only using certain operations preventing business data damage which may occur when using raw tables approach.  
 
Walkthrough
 
When using "Add Tables" function the system will access raw tables (as they are listed in AOT).
 
Select Tables
 
 
In Microsoft Dynamics AX 2012 by default and by design only System Administrators have access to AOT.
 
Recommendation
Description
Always assign the least permissions when you set up and configure the user security features in Microsoft Dynamics AX.
Before you set up and configure the least permissions in Microsoft Dynamics AX, consider the following recommendations:
  • By default, and by design, only Microsoft Dynamics AX system administrators have access to the Application Object Tree (AOT). Do not grant users access to the AOT, unless the users are members of a development role who must access the AOT as part of their job requirements. If you grant regular users access to the AOT, the users may intentionally or unintentionally compile the application, synchronize the application, change license files, or change module configurations. All of these actions can cause problems in your business or organization.
  • Do not make users members of the System administrators role, or grant these users access to System administration in Microsoft Dynamics AX, unless the users are responsible for setting up and configuring Microsoft Dynamics AX in your business or organization. If you grant regular users access to this group and module, the users may intentionally or unintentionally cause problems in the Microsoft Dynamics AX application.
  • Do not assign users to the Windows Administrators group or Power Users group on their local computers, unless the users are explicitly required to perform the job functions of an administrator or power user. Members of these groups can add applications to their local computers and remove applications from their local computers, and these actions can introduce security risks. Instead, assign users to the Windows User group. Click Start > Administrative Tools > Server Manager > Local Users and Groups.
 
Please find more info about Security Best Practices in AX 2012 here:  http://technet.microsoft.com/en-us/library/hh202063.aspx
 
When the user invokes "Add Tables" or "Add Data" functions in Microsoft Dynamics AX 2012 Excel Add-in the system will use AifUserSessionService AIF Web Service to retrieve info about current user session
 
[SysEntryPointAttribute]
public AifUserSessionInfo getUserSessionInfo()
{
    AifUserSessionInfo info = new AifUserSessionInfo();
 
    info.parmAXLanguage(this.getLanguage());
    info.parmCurrencyInfo(this.getAifCurrencyInfo());
    info.parmCompany(this.getCompany());
    info.parmCompanyTimeZone(this.getCompanyTimeZone());
    info.parmUserPreferredTimeZone(this.getUserPreferredTimeZone());
    info.parmUserPreferredCalendar(this.getUserPreferredCalendar());
    info.parmUserId(this.getUserId());
    info.parmIsSysAdmin(Global::isSystemAdministrator());
    info.parmAOSLocaleName(AifUserSessionService::getAosLocaleName());
 
    return info;
}
 
Please note that an instance of AifUserSessionInfo class will have UserId and IsSysAdmin properties assigned to be consumed in External code (Excel Add-in). IsSysAdmin property signifies that the current user is assigned to System Administrator role, and in case IsSysAdmin property is set to "true" the user will have access "Add Tables" – "Select Tables" screen regardless of what actual UserId value is passed ("Admin" or not). And vice versa even if UserId = "Admin" value is passed, but IsSysAdmin property is not set the user will not have access to "Add Tables" – "Select Tables" screen and "The role you are assigned does not have permissions to access the selected data" error will appear.
 
When using "Add Data" function the system will access the list of Document Data Sources to provide the user with the access to business data in accordance with his/her permissions. Please consider using "Add Data" function for business data import/export which does NOT require your user to be assigned to System Administrator role.
 
To illustrate a necessary security setup for Microsoft Dynamics AX 2012 Excel Add-in when using "Add Data" approach I'll use User KEN for import of Ledger transactions via LedgerGeneralJournalService AIF Web Service
 
Please note that LedgerGeneralJournalService AIF Web Service is exposed and activated in Document Data Sources as shown below
 
Document Data Sources
 
 
This is security settings in Microsoft Dynamics AX 2012 for User KEN. Please note that User KEN is NOT assigned to System Administrator role
 
User KEN (Financial controller)
 
 
Now if I try to invoke "Add Tables" function the following error pops up
 
Dynamics AX Error
 
 
Please note that User KEN is NOT assigned to System Administrator role
 
Now instead of "Add Tables" I'm going to invoke "Add Data" function and select LedgerGeneralJournalService AIF Web Service
 
In the case your User doesn't have access to the business data based on tables in the query used by AIF Web Service you could see "User is not authorized to select a record in table" error
 
Microsoft Dynamics AX Office Addin  
 
 
In this particular case I used User TONY who doesn't have access to the required business data. You can easily fix it by assigning TONY to the role which has access to the required business data
In fact User KEN already has access to the required business data, so I'm going to invoke "Add Data" function now
 
Add Data
 
 
LedgerGeneralJournalService AIF Web Service shows up in the list of available Document Data Sources now. Please make sure you deploy appropriate Service group in order for Services to show up in the list
 
For example, on Microsoft Dynamics AX 2012 Demo VM I had to deploy LedgerServices Services group
 
Service group
 
 
Now I can compose a data set for data import/export using Field Chooser. The next step will be to retrieve the info about Ledger journals from Microsoft Dynamics AX 2012 using Refresh function
 
Refresh
 
 
Now it's time to use Publish function and create a brand-new Ledger journal in Microsoft Dynamics AX 2012 using Excel Add-in
 
Publish
 
 
When I try to publish the following error may occur if the user doesn't have permissions to execute operation
 
Publishing Details
 
 
This is because User KEN doesn't have access to the Server method which is one of possible securable objects in Microsoft Dynamics AX 2012 
 
In order to resolve this issue and grant appropriate access for User KEN I will create my own Role and assign User KEN to it
 
Security Role "Alex"
 
 
Duty
 
 
Privilege
 
 
Please note that I explicitly provided access to Server method (LedgerGeneralJournalService.create), so User KEN will be able to create Ledger journals
 
Add permissions to privilege
 
 
Add permissions to privilege
 
 
Now I'll assign User KEN to my new Security Role "Alex"
 
User KEN
 
 
Now I'll be able to successfully create Ledger journal in Microsoft Dynamics AX 2012
 
Publish
 
 
Publishing details
 
 
Here's the resulting Ledger journal in Microsoft Dynamics AX 2012
 
General journal
 
 
Please note that in terms of access to the business data you can also assign permissions to particular tables through Override permissions as shown below
 
 
This approach allows to granularly set up permissions for users to use Microsoft Dynamics AX 2012 Excel Add-in without assigning them to System Administrator role.
 
Summary: This document describes how to set up security settings required by Microsoft Dynamics AX 2012 Excel Add-in for data import/export following required minimum privilege principle.
Author: Alex Anikiev, PhD, MCP
 
Tags: Dynamics ERP, Dynamics AX 2012, Excel, Dynamics AX 2012 Excel Add-in, Data Import, Data Conversion, Data Migration, Application Integration Framework, Add Tables, Add Data, Security Role, System Administrator.
 
Note: This document is intended for information purposes only, presented as it is with no warranties from the author. This document may be updated with more content to better outline the concepts and describe the examples.
 

Wednesday, April 24, 2013

Dynamics AX 2012 Excel Add-in - Issues and Solutions (Method UpdateRecIdVisibility not found)

Dynamics AX 2012 Excel Add-in – Issues and Solutions (Method not found: ‘Void Microsoft.Dynamics.AX.Framework.OfficeAddin.DataSourceContainer.UpdateRecIdVisibility(Boolean))
Purpose: The purpose of this document is to outline some issues you may encounter when using Dynamics AX 2012 Excel Add-in for import of data and provide solutions to resolve them.
 
Issue: ‘Method not found: ‘Void Microsoft.Dynamics.AX.Framework.OfficeAddin.DataSourceContainer.UpdateRecIdVisibility(Boolean)’
 
Reason: After you initially install Microsoft Dynamics AX 2012 R2 Office Add-ins and then install Microsoft Dynamics AX 2012 R2 CU1 the old Microsoft Dynamics AX 2012 R2 DLLs related to Office Add-ins may still be present in the file system. The system uses old Microsoft Dynamics AX 2012 R2 DLLs related to Office Add-ins DLLs which causes this issue
 
Dynamics AX Error
 
For example, on the latest (as of today, April 24, 2013) Microsoft Dynamics AX 2012 R2 CU1 Demo VM this error occurs when you launch Excel 2013, define connection Options and then try to Add Table or Add Data  
 
Please note that Microsoft Dynamics AX 212 R2 CU1 build number is 6.2.1000.156
 
In fact if you look for UpdateRecIdVisibility method in Microsoft Dynamics AX 2012 R2 CU1 Microsoft.Dynamics.AX.Framework.OfficeAddin.dll assembly you will be able to find it there
 
So the real problem is in the fact that the system uses old Microsoft Dynamics AX 2012 R2 Microsoft.Dynamics.AX.Framework.OfficeAddin.dll assembly instead of new one
 
Please note that Microsoft Dynamics AX 212 R2 build number is 6.2.158.0
 
And if you check the version of Microsoft.Dynamics.AX.Framework.OfficeAddin.dll assembly
 
in C:\Windows\Microsoft.NET\assembly\GAC_MSIL folder
 
You will see that it’s 6.2.158.0 which corresponds to Microsoft Dynamics AX 2012 R2
 
Solution: Please delete highlighted above Microsoft.Dynamics.AX.Framework.Office.Addin folders in C:\Windows\Microsoft.NET\assembly\GAC_MSIL folder to get rid of old versions of DLLs   
 
If you get a message that Microsoft.Dynamics.AX.Framework.Office.Addin.dll is being used by another process when you try to delete it, please stop Microsoft Dynamics AX AOS and try again
 
Result: As the result you will be able to Add Tables and Add Data in Excel workbook
 
Options
 
Add Tables
 
Field Chooser
 
Specials Thanks is for Chris and Jason for helping to resolve this issue
Please check out Chris’ blog for more interesting articles here: http://blogs.msdn.com/b/chrisgarty/
 
Tags: Dynamics ERP, Dynamics AX 2012, Excel, Dynamics AX 2012 Excel Add-in, Data Import, Data Conversion, Data Migration, Application Integration Framework, Issue, Problem, Solution, Resolution.
 
Note: This document is intended for information purposes only, presented as it is with no warranties from the author. This document may be updated with more content to better outline the issues and describe the solutions.
 
Author: Alex Anikiev, PhD, MCP
 
 

Monday, October 22, 2012

Microsoft Dynamics AX 2012 Excel Add-in – Questions and Answers (Business Logic)

Microsoft Dynamics AX 2012
Excel Add-in – Questions and Answers (Business Logic)
 
Purpose: The purpose of this document is to provide answers to frequently asked questions related to Microsoft Dynamics AX 2012 Excel Add-in.
 
Question: How can I execute additional business logic using Microsoft Dynamics AX 2012 Excel Add-in?
 
Answer: Microsoft Dynamics AX 2012 Excel Add-in uses AIF Web Services for publishing the data into Microsoft Dynamics AX 2012. In order to automate certain processes or execute additional business logic you can override updateNow method in appropriate AIF Document class and implement necessary business logic in X++. In this document to illustrate main concepts I will use General journal (LedgerGeneralJournalService) and Customer Payment journal (LedgerCustPaymJournalService) Web Services in Microsoft Dynamics AX 2012.
 
Details
 
Every AIF Web Service has corresponding Document class in AOT, usually these classes are prefixed with Axd. For example, General journal Web Service Document class is AxdLedgerGeneralJournal class and Customer Payment journal Web Service Document class is AxdCustPaymJournal class. Focusing on Business Logic aspect in this investigation we'll take a closer look at Framework classes implementing create and update operations.
 
Classes\AxdBaseCreate\Methods\deserializeDocument
 
Call Stack:
<![if !supportLists]>-          <![endif]>Classes\AxdBase\Methods\updateNow
<![if !supportLists]>-          <![endif]>Classes\AxdBaseUpdate\Methods\postProcessDocument
<![if !supportLists]>-          <![endif]>Classes\AxdBaseUpdate\Methods\deserializeDocument
<![if !supportLists]>-          <![endif]>Classes\AxdBaseCreate\Methods\createDocumentList
<![if !supportLists]>-          <![endif]>Classes\AxdBase\Methods\createList
<![if !supportLists]>-          <![endif]>Classes\AifDocumentService\Methods\createList
 
Classes\AxdBaseUpdate\Methods\postProcessDocument
 
Call Stack:
<![if !supportLists]>-          <![endif]>Classes\AxdBase\Methods\updateNow
<![if !supportLists]>-          <![endif]>Classes\AxdBaseUpdate\Methods\postProcessDocument
<![if !supportLists]>-          <![endif]>Classes\AxdBaseUpdate\Methods\deserializeDocument
<![if !supportLists]>-          <![endif]>Classes\AxdBaseUpdate\Methods\updateDocumentList
<![if !supportLists]>-          <![endif]>Classes\AxdBase\Methods\updateList
<![if !supportLists]>-          <![endif]>Classes\AifDocumentService\Methods\updateList
 
updateNow method in Document class will be executed as a last step (post-processing) after AIF message processing which allows you to execute additional business logic
 
For example, after General journal will be created or updated via General journal Web Service certain fields such as Journal balance, etc will be updated
 
Classes\AxdLedgerGeneralJournal\Methods\updateNow
 
For comparison in Rich Client when you post General journal Journal balance update is triggered from Form in "Validate" (and "Post") button clicked method
 
Forms\LedgerJournalTransDaily\Designs\DesignList\ButtonCheckJournal\Methods\clicked
 
Another example is Customer Payment journal when after its creation or update in certain scenarios it may be necessary to generate Settlements against Customer invoices
 
Classes\AxdCustPaymJournal\Methods\updateNow
 
Typical requirement for automation is when you need to automatically post General journal after its successful creation. Please see below how you can implement this requirement in Microsoft Dynamics AX 2012
 
LedgerJournalPost::postJournal(LedgerJournalTable, false);
 
Classes\AxdLedgerGeneralJournal\Methods\updateNow
 
If you face with this requirement I'd also recommend introducing dedicated parameter in UI to control whether it's required or not to automatically post General journal when General journal AIF Web Service is invoked
 
Once you change necessary Document class please generate CIL because all AIF Web Services related code in Microsoft Dynamics AX 2012 is executed in CIL on the server
 
Please also note that if you use Tables (Add Tables) in Microsoft Dynamics AX 2012 Excel Add-in the system will use Generic Document Web Service at the back-end
 
Version: Microsoft Dynamics AX 2012 R2
 
Tags: Dynamics ERP, Dynamics AX 2012, Excel, Dynamics AX 2012 Excel Add-in, Data Import, Data Conversion, Data Migration, Application Integration Framework, Question, Answer, Business Logic.
 
Note: This document is intended for information purposes only, presented as it is with no warranties from the author. This document may be updated with more content to better outline the issues and describe the solutions.
 
Author: Alex Anikiev, PhD, MCP