Record Level Security in AX

Record Level Security,  with the help of user group permissions, you restrict which menus, forms, and reports that members of a group can access. Record level security enables you to restrict the information that is shown in reports and on forms.

The following examples demonstrate how you can use record level security.

• Allow members of a related user group to see only their related accounts they manage.
• Prohibit financial data from appearing on forms or reports for a specific user group.
• Prohibit account details or account IDs from appearing on forms and reports for a specific user group.
• Restrict form and report data according to location or country/region.

Setting record level security

Setting record level security is a two-part process. The first part involves selecting a user group and the appropriate database table using the Record Level Security Wizard. The second part involves creating a query that specifies the fields and criteria to be applied when record level security is enforced.

Use the Record Level Security Wizard

1. From a Microsoft Dynamics AX client, click Administration > Setup > Security > Record level security.
2. Press CTRL + N to open the Record Level Security Wizard.
3. Select a user group and then click Next.
4. Select a table. By default, the most frequently accessed database tables are shown. Click Show all tables to expand the selection. Click Next.
5. Click Finish.

Create a query

1. In the Record level security dialog box, select the user group and then click Query. The Inquiry dialog box appears. The Range tab shows some of the common fields for the specified table. Specify the fields to be shown to the selected user group on the report or form.
2. Select the first item listed on the Range tab. If no item is listed, press CTRL + N.
3. Use the Field menu to select the field that you want to show on the form or report.
4. Use the Criteria menu to select the criteria for the designated field. If no menu appears, enter the designated criteria.
5. As necessary, press CTRL + N to add fields and criteria.
6. Click OK.
7. Inform members of the selected user group that they must close their current client sessions and start a new session. If it is necessary, end active sessions from the   form. For information about how to end active sessions
8. Verify that record level security is enforced on the report or form by logging on to Microsoft Dynamics AX as a member of the specified user group. You should see only the information specified in the query for the designated criteria. If you see additional information, troubleshoot your query.

Create and manage User Groups

In Microsoft Dynamics AX, permissions and user rights are granted to user groups. By adding a user to a user group, you grant the user all the permissions and user rights assigned to that user group

1.  create a group and add users to that group :

The following procedure describes how to add users to a group at the time that the group is created. You do not have to add users to a group when it is created. You can add users to a group later on the User form 

1. From a Microsoft Dynamics AX client, click Administration > Setup > User groups.
2. On the Groups tab, create a new group.
3. Enter an identification in the Group column (required). For example, Fin for Finance or HR for Human Resources.
4. Enter a name in the User group name column (required). For example, Finance Department or Human Resources Department.
5. Click the Users tab.
6. Select users in the Remaining users list and then click the left-arrow button (<) to move the selected users into the Selected users list. All users moved into the Selected users list are added to the current group.
7. Press CTRL+S to save changes.

Manage Security Permission for User Groups : 

Security keys are the permissions that control access to functionality within the application, and are set to individual user groups and users.

Permissions determine who can access menus, forms, reports, and tables. In Microsoft Dynamics AX, you assign permissions to user groups instead of individual users. Assigning permissions to groups saves time because you do not have to adjust permissions for each user.

When you create a new user group in Microsoft Dynamics AX, by default the group is set to No access for all menus, forms, reports, and tables. This means that after you create a new group, you must use the procedure in this topic to enable permissions. Otherwise, all members of the group are denied access to all menus, forms, reports, and tables

2. Set up security keys

Security keys are set up from Administration > Setup > Security > User group permissions on the Permissions tab.

Within a security profile, you can assign permissions that define access to menu items, form controls, tables, and fields.

Permissions are granted in five available access levels:

• No access – Completely restricts access to that item and any sub-items it controls. The Open command is disabled. Also, the node is not displayed in the Application Object Tree (AOT).
• View access – Members of the user group are allowed only to view the item. The Save, Compile, Lock and Unlock commands are disabled.
• Edit access – Members of the user group can view and edit the item. The New, Duplicate and Rename commands are disabled.
• Create access – Members of the user group can view, edit, and create new items. The Delete command is disabled.
• Full control – Members of the user group have full access. No commands are disabled.

Security access for each user must be determined before first logon. Access depends on which user groups the user is a member of, and which company or domain the user is a member of. Access to functionality of each security key can depend on its parent, so the calculation must be done hierarchically

Set access permissions for user groups

1. From a Microsoft Dynamics AX client, click Administration > Setup > Security > User group permissions.
2. On the Overview tab, select a user group and then select a domain.
3. Click the Permissions tab.
4. In the list, select the item or items for which you want to set permissions, for example Absence approver.
5. Under Access, select a permissions level. After you have selected a permissions level, the selected item shows a check mark to indicate that permissions have been set.
6. In the Viewing list, select a new area of Microsoft Dynamics AX for which you have to set permissions.
7. Press CTRL+S to save changes.
8. If you changed the permissions of an existing group, especially if you set more restrictive permissions on that group,restart the Microsoft Dynamics AX server. Instruct all group members to restart their Microsoft Dynamics AX clients. 

Manage Users(Create, Monitor, Remove) in Dynamics AX

Create/ Manage Users : 

Microsoft Dynamics AX requires that all users be listed in Microsoft Active Directory directory services on your domain controller before they can be enabled on the User form. If a user is not enabled on this form, that user cannot access Microsoft Dynamics AX.

Import users from Active Directory

1. From a Microsoft Dynamics AX client, click Administration > Users.
2. On the Overview tab, click Import to access the Active Directory Import Wizard.
3. Complete the wizard.

Alias ID duplicates

When you import users from Active Directory into Microsoft Dynamics AX, the wizard tries to create Microsoft Dynamics AX users by creating Microsoft Dynamics AX user IDs from the Active Directory aliases. But, Microsoft Dynamics AX user IDs are limited to five characters, whereas the Active Directory alias can be up to 255 characters. If the first five characters of the Active Directory alias are the same for more than one user, then the wizard then generates alternative Microsoft Dynamics AX user IDs for these users and displays them.

When generating alternative user IDs, if the user alias has more than five characters, then the first four characters from the first name and a single character from the last name are used. If there are still duplicates, then the first three characters of the first name and two characters from the last name are used.

You can change any of the user IDs.

When you approve the new user IDs, the users are created in Microsoft Dynamics AX.

Create new users :

Microsoft Dynamics AX users are employees of your organization or company (or a partner) who require access to Microsoft Dynamics AX to perform their job. Your organization or company could have hundreds of employees, but there might only be a few individuals who need to work with Microsoft Dynamics AX. Any individual who needs to access Microsoft Dynamics AX must be added to the list of Microsoft Dynamics AX users on the Users form as described in this topic. A user must also exist in at least one user group before they can access Microsoft Dynamics AX

Before you can add an individual to the list of Microsoft Dynamics AX users, the individual must be listed in Active Directory directory services on your domain controller. 

To create a new user

1. From a Microsoft Dynamics AX client, click Administration > Users.
2. Press CTRL + N to create a new user.                                                                                                                                                                                                                                                          Note: If you are creating new users in Microsoft Dynamics AX while you are working through the Initialization Checklist, make sure that you have entered license information before you add users. If you add a user before entering license information, the user might have elevated permissions (Administrator permissions) in the application.
3. In the Alias field, enter the user's alias exactly as it is stored in Active Directory.
4. In the Network domain field, enter the user's Active Directory domain.
5. In the User ID field, enter any unique identification for this individual (required). The user ID is restricted to a maximum of five characters.
6. In the User name field, enter the user's name (optional).
7. From the Company list, select the company that this user can access in Microsoft Dynamics AX. If you do not select a company, Microsoft Dynamics AX uses the current company that the administrator is logged into.
8. To allow this user to access Microsoft Dynamics AX, select Enabled. The application checks to make sure the user is listed in Active Directory. If the user is not listed, the application returns an error.
   Note: The External option is read only. An external user is any individual who accesses Microsoft Dynamics AX using Enterprise Portal or a Web browser. This option is automatically set if the user is stored in Active Directory as described in Giving users access to Enterprise Portal sites in the Enterprise Portal Administration Guide.

    10.    Press CTRL + S to save changes.                                                                                                                                                                                                                                

         Note :  The user cannot access Microsoft Dynamics AX until added to at least one user group. To add the user to a group, click the Groups tab. To create new uaer group please refer my blog

Monitor users :

Microsoft Dynamics AX includes several features to help you monitor which users are currently logged on to Microsoft Dynamics AX, how frequently a particular user has logged on, and the length of time that aa user has been logged on. The procedures in this topic explain how to:

• View which users are currently logged on.
• Disconnect one or more connected users.
• View logon statistics for a specified user.

View which users are currently logged on :

From a Microsoft Dynamics AX client, click Administration > Online users.

Disconnect one or more connected users :

You can end one or more user sessions from the Online users form. Before you disconnect a user, warn that user of the impending disconnection so that you do not disrupt an important operation such as a posting.

From a Microsoft Dynamics AX client, click Administration > Online users.

Select the user who you want to disconnect. Press and hold the CTRL key to select multiple users.

Click End sessions.

Note : You can end one or more user sessions from the Online users form. Before you disconnect a user, warn that user of the impending disconnection so that you do not disrupt an important operation such as a posting.

Remove Users :

1. From a Microsoft Dynamics AX client, click Administration > Users.
2. On the Overview tab, select a user you want to remove from Microsoft Dynamics AX.
3. Delete the user by pressing ALT+F9.
4. Press CTRL + S to save changes.
5. Restart the Microsoft Dynamics AX server to make sure the user has been removed from the system.

Note : If you remove a user from the application, terminate that user's active sessions in the Online users form. It is also important to disable the user's Active Directory account. If the Active Directory account is not disabled, the user may still be able to gain access to Microsoft Dynamics AX. 

Create, Manage Domain In Dynamics AX

A domain in the Microsoft Dynamics AX system is a group of company accounts. Domains enable setting up specific user permission for a group of company accounts.

Just as user groups define sets of users, domains define sets of company accounts that are logically connected. You can set security permissions based on the combination of user groups and domain

By using domains, you could allow a conglomerate company that has several subsidiary businesses to share a single Microsoft Dynamics AX system. Each subsidiary can be represented by a domain, which in turn can limit access based on user group.

One domain, Admin, exists in the Microsoft Dynamics AX system by default. The Admin domain always includes all companies. You cannot remove the domain or delete any companies from this domain. Use the Admin domain for any user groups that need access to all companies.

Note: The domains feature requires a separate license. To obtain a license, contact your Microsoft Dynamics AX Partner.

If your organization or business has more than one company account, you can restrict account access by using domains. Domains restrict account access much like user groups restrict user access.

With the combination of domains and user groups, you can create a strict security policy where each user group in each domain is a distinct entity without any access between groups or domains.

You can also create a customized security policy where, for example, one group has account access to similar group data, forms, and modules across multiple domains. In this graphic the Engineering Africa group has access to all engineering data, forms, and modules across all domains.

Create a domain

1. From a Microsoft Dynamics AX Client, click Administration > Setup > Domains.
2. On the Domains tab, press Ctrl+N to add a new domain.
3. Enter an ID in the Domain ID field, such as Eur for Europe. This is required.
4. Enter a name in the Name field (required), such as Europe.
5. Click the Company accounts tab.
6. Select company accounts in the Remaining company accounts list and then click the left arrow (<) to move the selected company accounts into theSelected company accounts list. All accounts moved into the Selected company accounts list will be added to the current domain.
7. Press Ctrl+S to save changes.

Grant user groups access to a domain

By default, user groups do not have access to a new domain. You must grant access by using the following procedure.

Note : Before completing the following steps, determine which user groups require access to the new domain. Also, determine the necessary permissions for each user group. If you are uncertain about whether to grant access to a user group, deny access until you receive a request from a manager.

1. From a Microsoft Dynamics AX client, click Administration > Setup > Security > User group permissions.
2. On the Overview tab, select a user group. If you have to create a new user group for this domain, you should Manage user groups.
3. Select a domain.
4. Click the Permissions tab.
5. Set the desired permissions.
6. Press Ctrl+S to save changes.

Create domain administrators

Domain administrators have full administration rights to their domain. However, they have no rights to other domains.

Some customers who have many companies in Microsoft Dynamics AX have a requirement to keep the data in each company completely separate. In such large system environments the system administrator is not the person who grants permissions to the user or creates companies. The system administrator creates a role called the domain administrator to do this. Domain administrators have complete access to all resources within their domain, but do not have access to companies in other domains.

Create domain administrator user groups

Before the system administrator creates the domain administrators, the companies, domains, and users must be created in the Microsoft Dynamics AX environment. For instructions, see Manage company accounts, Manage domains, and Manage users.

1. From a Microsoft Dynamics AX client, click Administration > Setup > User groups.
2. On the Groups tab, create a Domain administrator user group for each domain in the Microsoft Dynamics AX system.
3. Select the new Domain administrator user group, and then click Permissions.
4. Select the Admin domain in the Domains pane, and then open the Permissions tab.
5. Select every security key and apply View access to them for the Admin domain.
6. Open the Overview tab again and select the domains in the Domains pane that this user group will administer.
7. Open the Permissions tab.
8. Click Set all to Full control.
9. In the Permissions tree, select Administration > Open domain access and apply No access.
   This restricts the Domain administrator from seeing data in other domains.
10. Close the form.
    This grants full rights to the Domain administrator user group for the selected domain.

Add domain administrators to the domain administrator user groups

After the Domain administrator user groups are created for each domain, the system administrator adds users to these user groups.

1. From a Microsoft Dynamics AX client, click Administration > Setup > User groups.
2. Select the Domain administrator user group that you just created.
3. Open the Users tab.
4. Select the users who will be the domain administrators for the domain represented by the user group, and then click the left-arrow (<) to move each user into the Selected user pane.
5. Open the Groups tab.
6. Select the Admin user group and any other unnecessary user groups.
7. Open the Users tab.
8. Select the users who are domain administrators, and then click the right-arrow (>) to move these users into the Remaining users pane.
   This makes sure that the Domain administrators do not have administrator rights over the whole system.

How To Create New Company, Virtual Company in AX

In this lesson, we will create a new company and Virtual company in Microsoft Dynamics AX.

Create new company :

1. Click Administration > Company accounts.
2. Press CTRL+N to create a new record.
3. Enter a company code in the Company accounts field.
4. Enter the name of the company in the Name of company accounts field.
5. If you have a Domain license, click the Domains tab.
6. Select the domains that the new company should be included in.

Create a virtual company account : 

After company accounts are created, you can set up virtual companies that share tables from the main Microsoft Dynamics AX database. For information about the relationship between these types of accounts

In Microsoft Dynamics AX, data is segregated by company account. If two or more companies need to share data, then you can create a virtual company.

If multiple companies share the same security profile, then you can use a domain. A domain is a group of company accounts. Companies can be organized into domains in order to grant permissions to users. For more information about domain. Pls Refer manage domains in my blog.

Virtual company accounts contain data that is shared across company accounts. This type of account enables users to post information in one company that is available to another company.

Prerequisites

Requirements to create or modify a virtual company accountare as follows:

• Must be running a single instance of the Application Object Server (AOS). All other AOS computers must be shut down.
• Must be logged in as an administrator.
• Only one active client connection is allowed.

Create Virtual Company :

1. Click Administration > Setup > Virtual company accounts.
2. Enter the company identification in the Company accounts field.
3. Enter the name of the virtual company in the Name of company accounts field.
4. Click the Company accounts tab.
5. Select the company accounts to participate in the virtual company.
   • To add a virtual company account, select the company name under Remaining company accounts and then click the left arrow (<) to move it to theSelected company accounts list.
   • To remove a virtual company account, select the company name under Selected company accounts and then click right arrow (>) to move it to theRemaining company accounts.
6. Click the Table collections tab and select the table collections that contain the specific tables that you want to share in the virtual company.
   • To add a table collection, select the table collection name under Remaining table collections and then click the left arrow (<) to move it to theSelected table collections list.
   • To remove a table collection, select the table collection name under Selected table collections and then click the left arrow (>) to move it to theRemaining table collections list.
   Table collections are groups of tables. They can be created by developers through drag-and-drop functionality in the Application Object Tree (AOT).
7. Shut down and restart the Microsoft Dynamics AX client.
   You must restart the Microsoft Dynamics AX client to update the client with the new virtual company account information.

How To Create a Duplicate Company in AX?

1- Administration --> Company accounts

2- select the company(EMP)

3- click on duplicate button

4- a dialog will appear to you, just type the code of 3letters for the new account and description of the duplicate company

5- The Duplicate company will be created