Sunday, May 31, 2015

Record level security policy in AX 2012

XDS security in AX 2012 for HRM

Let us explore the standard AX HCM policies that are shipped out of the box (OOB) but for which no documentation is available. This post will also help you understand the functional and technical side of record-level security and legal-entity-level access for users.

Description:
A security policy is required to restrict access to worker and position records based on the legal entity granted to the Human Resources local admin role.
The Microsoft Dynamics AX 2012 Human Resources module framework has been enhanced to provide greater flexibility and sustainability across the organization. The data model has also been completely revised to permit many of the core Human Resources (HR) tables to be shared and to enable new functionality. In prior versions, users had to log in and out of companies to manage applicants, employees, positions, and employee information. These processes have been streamlined, as the data is now shared across all legal entities.
Since HR data is shared across legal entities, there is a concern that the HR local administrator must only see the workers and positions for the legal entities it is responsible for (and not for all legal entities). To address this security concern, security policies must be customized and applied to the Human Resources local admin role.
Target role: Let's consider that the securable role for this policy is 'Human resource assistant' (AOT: HcmHumanResourceAssistant). It is an out-of-the-box role that allows access to global workers and positions.

Solution:
1. Create a policy to restrict workers to the legal entities that the 'Human resource assistant' has access to.
This policy is already exposed in the AOT by Microsoft. Let us see how this policy works.
AOT -> Security -> Policies -> HcmWorkerLegalEntity


This policy restricts the user to view workers for the legal entity that is associated with the user’s permission.

Properties: Change the context type to Role Name and select HcmHumanResourceAssistant as the role name.



Setup: Note that the help text says the user should be granted access to legal entities. To do this, navigate to the user master (System administration - Users - User role fast tab) and assign the Human resource assistant role to the user. The 'Assign organization' button is then enabled, and it associates legal entities or a legal entity hierarchy with the user and role combination. Select 'Grant access to specific organizational hierarchy' and pick the desired legal entity. In our case we are using the standard AX R3 demo data and I am restricting it to USMF.

Caution: If you add more than one role to the user, by default each role has access to all legal entities. Even if you are using 'System user', you need to perform the organization assignment for that role as well in order to make the policy work. When we added System user to this user with all legal entities granted, the security policy did not work. This is because the XDS table formed during invocation holds the union of the legal entities allowed across all of the user's roles. We also have a workaround, described later in this post.

Now, let's log in to test the security policy for the role. Aaren is employed by USRT, which should not be visible to the HR assistant.

Visibility for HR assistant:

The HR assistant is also restricted to creating workers for the USMF legal entity only.

Technical details:
The query contains the data source with the filters that determine which data is allowed for the user; the security policy applies these constraints by means of the query. In most cases we need dynamic filtering of the primary table. Here, at runtime, we need the legal entities tied to the current user. For this, the query contains a TempDB table that is populated when its XDS method is invoked. Depending on the method's return value (RefreshFrequency) you can cache this table per user session. Also check the best practices stated by Microsoft for creating the query, as it affects performance. Have a look at the XDS method of the 'MyLegalEntity' table: it dynamically fills the temp table, once per session, with the legal entity information for the logged-in user.
Also note the part of the code that selects the legal entities for all the roles associated with the user. This is why, as a caution, it was advised to restrict the legal entities for every role assigned to the user.
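As an added example (this is not Microsoft's shipped code and not taken from this post), here is an XDS method of the shape the HcmWorkerLegalEntity policy depends on. It assumes a hypothetical TempDB table MyLegalEntityDemo with a single RefRecId field LegalEntity, uses the standard OMUserRoleOrganization and SecurityUserRole tables (the field names User, SecurityRole, OMInternalOrganization and AssignmentStatus are assumed), and for simplicity treats each granted organization as a legal entity rather than expanding a granted hierarchy. Its point is the union across roles described above: a role that carries no organization grant contributes every legal entity, which is exactly how an extra 'System user' role with unrestricted organizations neutralises the policy.

```x++
// Added example, not Microsoft's code. MyLegalEntityDemo is a hypothetical
// TempDB table with one field, LegalEntity (RefRecId to CompanyInfo).
// The OMUserRoleOrganization / SecurityUserRole field names are assumed.
public RefreshFrequency xds()
{
    MyLegalEntityDemo           myLegalEntity;
    OMUserRoleOrganization      userRoleOrg;
    SecurityUserRole            userRole;
    CompanyInfo                 companyInfo;

    // Roles that have an explicit organization grant contribute exactly the
    // organizations listed for them (simplification: each grant is treated as
    // one legal entity; hierarchy expansion is omitted). Duplicates across
    // roles are harmless for an exists-join constraint.
    insert_recordset myLegalEntity (LegalEntity)
        select OMInternalOrganization from userRoleOrg
            where userRoleOrg.User == curUserId()
        exists join userRole
            where userRole.User             == userRoleOrg.User
               && userRole.SecurityRole     == userRoleOrg.SecurityRole
               && userRole.AssignmentStatus == RoleAssignmentStatus::Enabled;

    // A role without any organization grant means 'all legal entities'. If the
    // user holds even one such enabled role, every legal entity is added and
    // the restriction configured on the HR assistant role no longer bites.
    // This is the caution from the setup section above.
    select firstonly RecId from userRole
        where userRole.User             == curUserId()
           && userRole.AssignmentStatus == RoleAssignmentStatus::Enabled
        notexists join userRoleOrg
            where userRoleOrg.User         == userRole.User
               && userRoleOrg.SecurityRole == userRole.SecurityRole;

    if (userRole.RecId)
    {
        insert_recordset myLegalEntity (LegalEntity)
            select RecId from companyInfo;
    }

    // PerSession: the temp table is filled once when the session first touches
    // the policy, not on every query invocation, which is the performance
    // trade-off discussed above.
    return RefreshFrequency::PerSession;
}
```

The policy query then uses an exists join from the worker's employment legal entity to MyLegalEntityDemo.LegalEntity. When checking why a policy appears not to work, this method is the place to look: the union it builds is per user, not per role, so the set of rows visible to a user is governed by the most permissive role assignment they hold.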

2. Create a policy to restrict the view of departments to the legal entities the user is associated with.
The relation between departments and the organization structure is tied to the legal entity.

The standard AX policy can be used for this purpose. It only allows departments that are associated, through the organizational hierarchy, with the legal entities the user is allowed to access. When designing the organizational structure, the purpose of each hierarchy and its links to legal entities should be well thought out.

In the demo data, USMF is not associated with the IT department or the Client services department. For more details on organizational hierarchies, check the best practices for designing the hierarchy. The following screens show the budgeting hierarchy for the departments from the system user's and the HR assistant's perspective after enabling the security policy 'HcmDepartmentLegalEntity'. Note that this policy also shows departments that are not linked to any legal entity in the hierarchy.

[Figure: organization hierarchy form with Legal entity, Department and Positions nodes]

Fig A: For system admin

Fig B: For HR assistant

Note that for the HR assistant the restricted departments appear as blank nodes in the hierarchy form.
Technical details: The query used for this security policy consists of a notExists join with the temp table HCMMyDepartmentsNoAccess, which at runtime stores the departments that do not belong to the legal entities the user can access, with a refresh frequency of per session. Thus, whenever the user logs in or a session is created, the temp table is filled once, which gives a performance gain: the number of joins evaluated at query time is reduced.

3. Create a security policy restricting access to only the positions associated with the legal entities the user has been granted access to.
Since we have already restricted the departments, the positions falling under these departments should also be restricted. The standard AX security policy HCMPositionLegalEntity serves this purpose.

Let us assign it to the HR assistant role, continuing from the previous steps.
In the standard demo data, the IT manager position is part of the IT department, which does not belong to the USMF legal entity. An HR admin with access to the USMF legal entity should therefore not be allowed to view the IT department's positions.

Using the HR assistant role: the relevant positions cannot be found.

Technical details:
The positions linked to workers this HR assistant does not have access to will show unknown workers. To restrict the position records based on the employee as well, we can add the position tables as constraint tables of the first policy we enabled for workers. To add a constraint table, right-click and choose New -> Add table by relation, then set the property 'Constraint table' to Yes.

The query used for this security policy consists of an exists join with the temp table HCMMyDepartments, which stores the department data at runtime with a refresh frequency of per session. Thus, whenever the user logs in or a session is created, the temp table is filled once, which gives a performance gain.

4. Restrict the employment records of the worker to the legal entities the user is associated with.
The local HR assistant is responsible for employment in USMF only. A worker may have more than one employment in multiple legal entities. The local HR should be restricted to viewing the employment of the associated legal entity only, i.e. USMF in our example.
The standard AX policy for this is HcmEmploymentLegalEntity. Let's enable this for the HR assistant role. Currently we have a worker employed in multiple companies, as shown below.
User -> Version tab -> Employment history

Currently the worker is a contractor in USMF and an employee in the INMF and GLSI legal entities. Now, let's look from the HR assistant role: the employment details for the other legal entities are not shown, as seen in the form below.