AX 2012开发文档一 05

AX 2012开发文档一 5Chapter 4: SecurityEntry PointsAn entry point is the element that is triggered by a user action to start a particularfunction. There are three different categories of entry points in MicrosoftDynamics AXMenu items point to forms, reports and classes that an end-user canaccess from the rich clientWeb content items point to URLS and actions that an end-user canaccess from the Enterprise portalService operations are used in document service classes in theApplication Integration Framework(AIF). AIF exchanges data withexternal systems by sending and receiving XML documentsPermissionsPermissions refer to the access levels that can be applied to the securableobjects. This could include any tables, fields, forms, reports or server sidemethods that are accessible through an entry pointPermissions are maintained by a developer in the Application object Tree(AOT)Access levels available areAOTLabel DescriptionnameNo AccessNoDoes not provide any access to dataaccessReadⅤiewAn end-user can view dataUpdateEditAn end-user can view and edit dataCreateCreate An end-user can view, edit and create new dataCorrectCorrecti An end-user can view, edit, create new and correctondate-effective records without creating new recordsDeleteFullAn end-user can view. edit create new and deletecontrol datePermissions that give access to reports or classes need only to have access or nothave acBy convention, reports are typically given read access and classesare typgiven delete accesPermissions that give access to tables or fields can make use of all access levelsPossible permission levels are defined on the entry point target. For example,aform might allow permission levels to read, update, create or delete. The level tobe granted to an end-user is defined on the permissionMicrosoft Official Training Materials for Microsoft Dynamics e4-3Your use of this content is subject to your current services agreementDevelopment I in microsoft Dynamics AX 2012PrivilegesA Privilege is a group of related permissions that are required to perform a dutyPrivileges can be assigned directly to roles. However, for easier administrativemaintenance and to use the Segregation of Duties feature, it is recommended togroup privileges into duties and assign duties to rolesPrivileges are typically maintained by a developer in the aot however they canalso be maintained by a system administrator in the rich clienta best practice is for privileges to be maintained in the Aot and to assignprivileges to dutiesDutiesDuties are a group of related privileges required to perform a taskDuties are grouped into the following six Process Cycles· Conversion cycleCost accounting cycle· Expenditure cycleHuman capital management cycleInformation technology cycleRevenue cycleProcess cycles are used in the rich client to make it easier for a systemadministrator to view and find related duties when setting up securityRolesRoles are a group of duties that are required by an end-user to do his or her jobbased on the end-user's role in the organizationRoles can be organized into a role hierarchy. roles can contain sub-roles andinherit the permissions from the sub-role. For example, the accounting managerrole could be defined as a combination of the manager role and the accountantrole. A role hierarchy reduces the need for duplicating security access that makesaccess change management simpler.Microsoft Official Training Materials for Microsoft Dynamics eYour use of this content is subject to your current services agreementChapter 4: SecuritySet Up a New userUsers are setup in the rich client. They are typically imported from ActiveDirectoryA user is assigned multiple roles. An internal user is assigned the following tworoles in addition to functional rolesThe system user role provides access to basic functionality andtools so that a user can access and use base functions in microsoftDynamics AXThe Employee role provides access to base functionality that allnternal roles can use. This includes employee self-service on theEnterprise portalProcedure: Import User from Active DirectoryScenario: Tony Krijnen has just started with Contoso in the Accounts receivableDepartment. Chris, the Information Technology (IT)engineer, is responsible forsetting up new users and assigning security. Chris has already set up Tony asuser in Active Directory and now he needs to give him access to Microsoftynamics AX1. Open the Microsoft Dynamics ax client2. Open the Users form. System Administration >CommonUsers Users3. Click New Import in the action Pane4. Click next5. Select the domain name contoso. com6. Enter Tony for the first7. Click Next8. Click select all9. Click Next10. Click Next1. Select only System User and Employee roles. Chris is not yet surewhat level of access Tony needs12. Click Next13. Select Accounts receivable administrator profile in Same profilein all companies This defines Tony's role center14. Click Next15. Click FinishMicrosoft Official Training Materials for Microsoft Dynamics eYour use of this content is subject to your current services agreementDevelopment I in microsoft Dynamics AX 2012Procedure: Give user access to share PointTony will also need access to SharePoint in order to view his roll center pageThe following procedure will give Tony access to the SharePoint EnterprisePortal1. Open Internet explorer2. Click Site Actions Site Permissions3. Click Grant Permissions4. In the Users\groups box, enter Tony5. Click check Names6. Check full Control7. Click OKAssign a User to a roleroles are typically maintained by the system administrator in the rich clienthowever they can also be maintained by a developer in the AOTThe Security roles form available in the rich client displays all roles defined inthe application and the duties associated with each roleThis form can be accessed from System Administration Setup SecuritySecurity rolesNew roles can be created from the security roles pageRoles and associated duties can also be viewed in the security node in the aotSecurity Roles formThe security roles form displays the following informationAll existing Roles are listed in the left pane of the formThe AoT name for the selected role is displayed at the top center ofthe form together with the name and description. The aot name isthe object name displayed in the Aot.The role content pane in the bottom center of the form displays theduties that are associated with the selected roleThe factBox pane contains three Fact Boxes that contain relatedinformationo Roles with selected duty display other roles that contain theduty currently selected in the role content paneo Privileges in selected role displays a list of privileges associatedith the selected roleo Users with selected role displays a list of all users assigned theselected role4-6Microsoft Official Training Materials for Microsoft Dynamics eYour use of this content is subject to your current services agreementChapter 4: SecurityThe Action Pane includes various actions including creating ordeleting roles, assigning users to a role and overriding permissionscurrently granted to a roleSecurity roles(()-Roc nm:: Accounts receivable manager, 5cX D let: COpan iReview custoner nvocc cross peform nce and erotles thecRemeets statuEHwL山EINJe: ureal LcrubLrUtts:and bereftUsers with selected role abo sales arder poiciesTHis pid is crpas-ContankLhseEN8口FIGURE 42 SECURITY ROLES FORMProcedure: Add roles to an Existing UserScenario: Chris is advised that tony krijnen is the new accounts receivablemanager. He needs to assign that role to Tony's user account1. Open the Microsoft Dynamics AX client2. Go to System Administration Common > Users Users3. Double-click Tony Krijnen in the grid to edit his record4. Click assign roles in the user's role section of the form5. Select Accounts receivable manager and click OK6. Click Start> Power button options> Switch User.Administrative Tools PHelp and SupportSwitch userA‖ ProgramsRestartSearch programs and filesShut downFIGURE 4.3 SWITCH USER7. Press Ctrl-Alt-Delete to log on8. Click Other userMicrosoft Official Training Materials for Microsoft Dynamics e4-7Your use of this content is subject to your current services agreementDevelopment I in Microsoft Dynamics AX 20129. Log on as Tony, password PasSwOre10. Run the Dynamics ax client11. View the changes in Tony's access12. Switch user back to AdministratorSecurity roles in the AOTYou can also view and edit roles in the security roles node in the aot. youcan right-click the Roles node to add a new role, and drag-and-drop duties fromthe Security Duties node to add duties to a roleNOTE: You might need to refresh elements in the AOT'so that the changes madein the rich client are visible. In the developer workspace, navigate toTools menu> Caches Refresh elementsChange Duties on a roleclient; however this can also be maintained by a developer in the aOT. e richThe system administrator maintains the assignment of duties to roles in theDuties can be added or removed from a role in the Security roles form availablein the rich clientThis form can be accessed from System Administration Setup> SecuritySecurity rolesDuties assigned to a role can also be edited in the security node of the AotProcedure: Add Duties to an Existing Rolecenario: Tony krijnen will be working closely with service related customers sohe needs access to view service orders which is not included in the standardAccounts receivable manager role. Chris is asked to add service order access tothe accounts receivable manager role1. Open the rich client2. Go to System Administration> Setup Security Security roles3. Click Accounts receivable manager in the list of roles on the leftside of the form4. Click the add button in the role content section in the center of theform to add a new duty5. Expand the conversion cycle process cycle6. Select the Inquire into service orders privilege7. Click Close8. Click Start> Power button options Switch User9. Press Ctrl-Alt-Delete to log on10. Click Other user4-8Microsoft Official Training Materials for Microsoft Dynamics eYour use of this content is subject to your current services agreementChapter 4: Securityl1. Log on as Tony, password PaSSwOrd12. Run the Dynamics aX client13. View the changes in Tony's access4. Switch user back to administratorAdding duties to a role in the aotDuties can also be assigned to a role in the security roles node in the aotYou can also drag-and-drop duties from the security Duties node to a roleNOTE: You might need to refresh elements in the AOT so the changes made inthe rich client are visible. In the developer workspace, navigate to Tools menuCaches Refresh elementsChange Privileges on a DutyThe assignment of privileges to duties is maintained by a developer in thesecurity node of the aotThe Security privileges form available in the rich client displays all dutiesdefined in the application and the privileges associated with each duty. Duties aregrouped by process cycle. Privileges cannot be added to a duty from hereThis form can be accessed from System Administration Setup> SecuritySecurity privileges.Procedure: Add a Privilege to a Dutycenario: Chris, the It manager, is asked to add access to the service ordermargin report for everyone with access to view service orders. Chris realizes thebest way to do this is to add a privilege with permission to access the report tothe Inquire on service order dutI. Open the Aot.2. Expand the security duties > smaServiceOrderProgressInquireno3. Open a second aot.4. Expand the security privilegessmaServiceOrderMargin Generate node5. Drag-and-drop the privilege to the duty.6. Click Start> Power button options Switch User7. Press Ctrl-Alt-Delete to log on8. Click other User9. Log on as Tony, password PasswOrdMicrosoft Official Training Materials for Microsoft Dynamics e9Your use of this content is subject to your current services agreementDevelopment I in microsoft Dynamics AX 201210. Run the Dynamics aX clientl1. View the changes in Tony's access12. Switch user back to AdministratorSecurity Privileges Form: DutiesThe security privileges form displays information about the privileges andpermissions associated with a duty in the rich clientBoth duties and privileges can be viewed in this form. When a duty is selected,the form includes the following informationAll existing Duties are listed in the left pane of the form. Duties aregrouped by process cvcleThe AoT name for the selected duty is displayed at the top center ofthe form together with the name and description. The AoT name isthe object name displayed in the aotThe Privileges pane in the bottom center of the form displays theprivileges that are associated with the selected dutyThe FactBox pane contains three Fact Boxes that display relatedinformationo Roles with selected duty display other roles containing the dutythat is currently selectedo Privileges with selected permission(s) is only used when thisform is used to view a privilegeo Users' assistance hint provides help for a system administratorediting security from this form4-10Microsoft Official Training Materials for Microsoft Dynamics eYour use of this content is subject to your current services agreement