DynamicsAxSCM: Visualizing Security in Microsoft Dynamics AX 2012
Microsoft Dynamics AX 2012 introduces role-based security, which makes security easier to manage. Relations between security roles, duties and privileges are complex. However, you can apply a tool to represent these relations in a grid.
This document describes another way to represent security objects and the relations between these objects.
DGML is an XML-based file format for directed graphs. For example, this is the graph:
…and this is the DGML file behind it:
The DGML format is supported in Visual Studio 2010 Ultimate and Premium and in some other third-party tools as well. In this document, Visual Studio is used:
<?xml version="1.0" encoding="utf-8"?>
In Visual Studio 2010, there is a Directed Graph toolbar and a Legend window that allow you to change the appearance of the graph. For example, this is one graph, rendered in different ways:
There is a context menu, which provides even more options, such as Advanced selection. For example, you can also:
First of all, import the attached XPO file to Microsoft Dynamics AX 2012.
There are 4 classes in the SecurityToDGML private project. SysDgmlFromSecurity is the main class, which should be run in order to generate the DGML file. The SysDgmlGraph, SysDgmlNode and SysDgmlLink classes encapsulate graph construction logic.
Note: Eventually, you may want to customize the solution by adding more attributes to the nodes and links. For example, objects with a particular prefix may require an additional attribute to make it easier to select them when manipulating the graph.
When you have imported the XPO to AX, run the SysDgmlFromSecurity class. In the dialog, verify the output file name, and then click OK. After several minutes, the file is generated and it opens in Visual Studio (or in the tool that you have assigned to open DGML-files).
Important: The graph is comprehensive so every little change, such as adding a property to the Legend or switching the rendering mode from Left to right to Quick clusters, will take 10 to 20 seconds or more to complete. So avoid any unnecessary clicks on the workspace. The idea is to hide as many nodes as possible and still be able to explore the nodes and relations that you want to focus on. The fewer nodes on the visible graph, the faster it is rendered.
Working with graphs
Scenario 1: Find out what external* roles have access to duties and privileges in your area (in this example, Inventory)
*External roles: In this example, roles from areas other than Inventory, such as Manufacturing. There is some logic in the SysDgmlGraph class that tries to determine the owner team of the object and add an Area attribute to the corresponding graph node. The owner team is determined based on a prefix and/or a suffix of the object name. This is where you may need customization. You can find a sample Excel sheet attached to this post.
1. Open the DGML-file.
At first, the graph looks like a vertical stripe in the middle of the workspace:
This is because there are too many nodes (while this is being written, about 6000 nodes and 10000 relations).
2. Right-click to select a little area on the stripe.
When you release the button, this part of the graph is zoomed in.
3. Repeat zooming until you see something like the following:
You can see 3 columns of nodes, left to right: roles, duties, and then privileges. There are too many visible relations, so some have to be hidden.
4. Right-click anywhere on the workspace and select Show Advanced Selection in the menu.
A new window will appear on the right side of the workspace:
Area, Type and AOT name are properties of the nodes.
5. Select the nodes that belong to Inventory.
You will notice that some relations and nodes are selected now:
6. Click the I button three times to select incoming connections.
With three clicks you can select a chain of Inventory privileges: For example, a non-Inventory role can have a non-Inventory sub-role which can have a non-Inventory duty which can provide access to the Inventory privileges. By clicking once on the I button you select the duty, with two clicks you also select the sub-role, and with three clicks the whole chain is selected.
At this point, you see all Inventory nodes and all the external nodes that relate to these nodes.
7. Right-click on any of the selected nodes, and click Selection > Hide unselected in order to hide nodes.
The graph becomes much smaller and all remaining nodes remain selected:
8. Click anywhere on the workspace to clear the selection of the nodes. The Selection window looks as follows:
Note the 600 nodes compared to the 6000 nodes on the original graph.
9. Select all areas in the Selection window except for Inventory to view only the Inventory nodes that are used by external roles and duties.
10. Click the O button three times like you did with the I button in order to select all outgoing connections for the selected (=non-Inventory) nodes.
11. Right-click any of the selected nodes and select Selection > Hide unselected.
12. Click anywhere in the workspace to clear the selection of the nodes. This way you reduce the number of nodes in the graph to about 300.
13. Select Zoom to fit in the toolbar to see the following:
The final graph is not very large. The only thing missing is the set of highlighted external duties and roles.
14. In the Legend window, click the Add button and then select Node Property > Area.
15. Click on the new Area stripe and then select Background.
16. In the Color Set Picker window, click the button at the top and then select one of the predefined color sets.
17. Change the color for Inventory to White to leave only nodes from other areas highlighted.
18. Click OK.
This is the final graph:
19. Select one of the external nodes, such as Maintain BOM master, in order to zoom in and check the external nodes for eligibility to use Inventory privileges.
20. Turn on the Butterfly mode.
The graph now looks as follows:
The product designer has access to 4 Inventory privileges. If something is wrong here, we have an issue.
21. Turn off the Butterfly mode and proceed to the next non-Inventory node. Repeat until you are finished.
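The Scenario 1 review can be cross-checked outside Visual Studio. The Python sketch below is an added example, not part of the original post or the SecurityToDGML project: it follows incoming links up to three hops from each privilege in an area, like three clicks on the I button, and lists the nodes from other areas that reach it. The DGML sample is constructed, and the node ids and the Area and Type attribute names are assumptions about the generated file.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"d": "http://schemas.microsoft.com/vs/2009/dgml"}

# Constructed sample graph (not real AX output). Node ids and the
# Area/Type attribute names are assumptions about the generated file.
SAMPLE_DGML = """<DirectedGraph xmlns="http://schemas.microsoft.com/vs/2009/dgml">
  <Nodes>
    <Node Id="RoleProductDesigner" Label="Product designer" Type="Role" Area="Manufacturing" />
    <Node Id="DutyBomMasterMaintain" Label="Maintain BOM master" Type="Duty" Area="Manufacturing" />
    <Node Id="PrivInventOnHandView" Label="View on-hand inventory" Type="Privilege" Area="Inventory" />
    <Node Id="PrivBomMaintain" Label="Maintain BOM" Type="Privilege" Area="Manufacturing" />
    <Node Id="RoleWarehouseWorker" Label="Warehouse worker" Type="Role" Area="Inventory" />
    <Node Id="DutyInventCount" Label="Maintain counting" Type="Duty" Area="Inventory" />
  </Nodes>
  <Links>
    <Link Source="RoleProductDesigner" Target="DutyBomMasterMaintain" />
    <Link Source="DutyBomMasterMaintain" Target="PrivInventOnHandView" />
    <Link Source="DutyBomMasterMaintain" Target="PrivBomMaintain" />
    <Link Source="RoleWarehouseWorker" Target="DutyInventCount" />
    <Link Source="DutyInventCount" Target="PrivInventOnHandView" />
  </Links>
</DirectedGraph>"""

def external_access(dgml_text, area, max_hops=3):
    """Map each privilege in `area` to the nodes from other areas that reach it."""
    root = ET.fromstring(dgml_text)
    nodes = {n.get("Id"): n.attrib for n in root.findall("d:Nodes/d:Node", NS)}
    incoming = defaultdict(set)
    for link in root.findall("d:Links/d:Link", NS):
        incoming[link.get("Target")].add(link.get("Source"))
    report = {}
    for node_id, attrs in nodes.items():
        if attrs.get("Area") != area or attrs.get("Type") != "Privilege":
            continue
        seen, frontier = set(), {node_id}
        for _ in range(max_hops):  # same reach as three clicks on the I button
            frontier = {s for t in frontier for s in incoming[t]} - seen
            seen |= frontier
        external = sorted(s for s in seen if nodes.get(s, {}).get("Area") != area)
        if external:
            report[node_id] = external
    return report

if __name__ == "__main__":
    for priv, sources in external_access(SAMPLE_DGML, "Inventory").items():
        print(priv, "<-", ", ".join(sources))
```

Each entry in the result is a privilege whose external duties and roles should be checked for eligibility, which is the same judgment made per node in Butterfly mode.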
Scenario 2: Do the opposite of the first scenario to figure out what external privileges and duties are used by roles in your area
This scenario is similar to the first scenario except for the fact that you should use the I and the O buttons in the reverse order.
Note: If objects are marked with wrong areas, you must update the prefixes in the ownership Excel sheet and generate the DGML file again.
Further information about Security can be found on MSDN
By Sasha Nazarov, SCM, Microsoft Dynamics AX