Automatic Inference of Permissions in AOT Security

Article
05/18/2015

Applies To: Microsoft Dynamics AX 2012 R3, Microsoft Dynamics AX 2012 R2, Microsoft Dynamics AX 2012 Feature Pack, Microsoft Dynamics AX 2012

This security topic describes the automatic inference engine for permissions in the AOT of Microsoft Dynamics AX. It also describes how a developer uses the outputs of automatic inference to create privileges that the administrator can assign to a role.

Automatic Inference for a Form

When you save a form in the AOT, the system automatically discovers all the tables and other items that must be accessed by the form. Those items are listed under nodes that the system automatically adds under the MyForm > Permissions node. The system automatically adds, or updates, the following nodes under the AOT > Forms > MyForm > Permissions node:

Read
Update
Create
Correct – added only if valid time state tables are involved.
Delete

Permission Sets

Each node in the preceding list contains a set of permissions. For example, suppose the CustTable table is used by the form. Under the Permissions > Update node, there is a CustTable node. The CustTable node has its EffectiveAccess property set to Update. All items under the Permissions > Update node have their EffectiveAccess property set to Update. The system has automatically inferred that the set of permissions under the Permissions > Update node might be helpful to any developer who must use permissions to create privileges for this form.

This part of the AOT is captured in the following screen shot. The following screen shot shows that nodes under the Permissions > Delete node have a DefaultAccess property value of Delete.

Automatically inferred permissions under a form no

Automatically inferred permission sets under a form node in the AOT

Hierarchy of Permissions

The permission values for the EffectiveAccess property represent a hierarchy. Read is the weakest permission, and Delete is the strongest. Delete permission includes every other permission. Create permission includes Update and Read. In the following ordered list of permissions, each permission includes all those that occur earlier in the list:

Read
Update
Create
Correct
Delete

NoAccess

Suppose you do not want the Delete permission set to support delete operations on a particular table that is under the node AOT > Forms > MyForm > Permissions > Delete > Tables. You should set the EffectiveAccess property to NoAccess on the Delete > Tables > MyTable node.

Warning

If instead you delete the MyTable node, the MyTable node will be added back automatically the next time someone expands the Delete > Tables node in the AOT.

Modify a Permission Set

You can modify the values of the permission properties on nodes such as AOT > Forms > MyForm > Permissions > Update > Tables > MyTable. For example, the Update node might be almost perfect for your needs, except one table might not need to be updatable. Read permission might be sufficient.

On the AOT > Forms > MyForm > Permissions> Update > Tables > MyTable node, you change the EffectiveAccess property from Update to Read. Now the EffectiveAccess and DefaultAccess properties have different values. This difference automatically changes the SystemManaged property from Yes to No.

Note

The ManagedBy field should be updated only by automation tools.

Suppress a Permissions Set

You can choose which permission sets that the automatic inference engine creates. You do this by setting property values on the node AOT > Forms > MyForm > Permissions. These properties are shown on the Properties tab in the following image.

Properties that control which permission sets are

Properties that control which permission sets are built by automatic inference

A menu item provides a mechanism to start a form. Security properties on the menu item control which sets of form permissions will be available to select when privileges are assigned to the menu item.

Each menu item has the following security properties:

ReadPermissions
UpdatePermissions
CreatePermissions
CorrectPermissions
DeletePermissions

These properties refer to the nodes under AOT > Forms > MyForm > Permissions.

For example, the UpdatePermissions property refers to the node AOT > Forms > MyForm > Permissions > Update.

The available values for each of these permission properties are described in the following table:

Property value	Description
Auto	Is the default. Auto means the corresponding set of form permissions will be available to select as privileges on this menu item. The privileges will be selected on the privilege node for this menu item that will be under the Entry Points node. The path of this menu item privilege node is AOT > Security > Privileges > MyPrivilege > Entry Points > MyMenuItem. For example, if the UpdatePermissions property is set to Auto, the permission set under the node MyForm > Permissions > Update will be available to select for privileges under AOT > Security.
No	Means the opposite of Auto. The corresponding permission set will not be available to select as a privilege on the menu item privilege node under the Entry Points node.

Auto

Is the default. Auto means the corresponding set of form permissions will be available to select as privileges on this menu item.

The privileges will be selected on the privilege node for this menu item that will be under the Entry Points node. The path of this menu item privilege node is AOT > Security > Privileges > MyPrivilege > Entry Points > MyMenuItem.

For example, if the UpdatePermissions property is set to Auto, the permission set under the node MyForm > Permissions > Update will be available to select for privileges under AOT > Security.

Means the opposite of Auto. The corresponding permission set will not be available to select as a privilege on the menu item privilege node under the Entry Points node.

The UpdatePermissions property of a menu item

The UpdatePermissions property of a menu item

Assigning Permissions to Privileges under AOT > Security

The node AOT > Security > Privileges > MyPrivilege > Entry Points > MyEntryPoint must be added for the menu item that references the form. The node has an AccessLevel property with a drop-down list that contains some or all of the following values:

NoAccess
Read
Update
Create
Correct
Delete

For example, the drop-down list contains the Create value if, but only if, the CreatePermissions property of the menu item node under AOT > Menu Items is set to Auto, and there is a Create node under AOT > Forms > MyForm > Permissions.

The AccessLevel value determines which node under AOT > Forms > MyForm > Permissions defines the security permissions for this privilege.

The assignment of privileges from eligible permiss

Selecting the permission set for the privilege

EffectiveAccess and AccessLevel Properties Values

The properties EffectiveAccess and AccessLevel have the same drop-down list of values. However, these two properties are not similar.

Property name	Where exists	Description
EffectiveAccess	A property on the nodes such as AOT > Forms > MyForm > Permissions > Tables > MyTable.	Operations that users in a security role can perform, if the role is granted a privilege or duty that contains this permission.
AccessLevel	A property on nodes such as AOT > Security > Privileges > MyPrivilege > Entry Points > MyEntryPoint, which is often a menu item.	Identifies a permission set under AOT > Forms > MyForm > Permissions, or under similar nodes on other AOT elements other than forms. Forms are one type of securable object.

EffectiveAccess

A property on the nodes such as AOT > Forms > MyForm > Permissions > Tables > MyTable.

Operations that users in a security role can perform, if the role is granted a privilege or duty that contains this permission.

AccessLevel

A property on nodes such as AOT > Security > Privileges > MyPrivilege > Entry Points > MyEntryPoint, which is often a menu item.

Identifies a permission set under AOT > Forms > MyForm > Permissions, or under similar nodes on other AOT elements other than forms.

Forms are one type of securable object.

Sequence of Using Automatically Inferred Permissions

There is a sequence associated with the automatic inference of permissions. The following diagram illustrates the sequence.

Sequence from automatic inference of permisions

The sequence of using automatically inferred permissions.

Some permissions sets are described in AOT nodes under Forms > YourForm > Permissions. The initial descriptions are automatically inferred by the Microsoft Dynamics AX system, to save you the effort. You can edit the initial inferred values if necessary. These sets of described permissions are not yet real permissions, they are merely descriptions of possible permissions. These sets are named Read, Update, Create, Correct, and Delete.

On YourMenuItem for the form, you specify which of the described permissions sets this menu item will allow to possibly become real permissions. For example, a menu item that is named ReadTheAccount might be confusing and misleading if it allowed the UpdatePermissions. Read and update are different concepts.

The menu item entry point under YourPrivilege has an AccessLevel property. The drop-down list of values for that property contains the permissions description sets that YourMenuItem allows. Of course, other menu items could allow more permissions description sets for the form.