Wednesday, July 7, 2010

Ax Security (Part 1)

Security has always been and continues to be a bit of a hassle in current Ax versions. In anticipation of the new role/task based security in Ax6, I will talk a bit on how the current security works.

Up to version 2009, Ax's security is based on security keys. Security keys are a hierarchy of nodes in the security tree, as you can see on the user group permissions screen. Objects in the AOT get assigned security keys in their properties, which makes them show up in the hierarchy on the permissions screen. This is where the confusion begins.

Security "inheritance".

Security keys can have a parent security key, which in its turn may have a parent security key, etc. This is what makes the hierarchy. If a parent security key has a certain permission granted, it will trickle down to every security key underneath it, and down to every object at the lowest level. Of course, at any level the permission level may be overridden, which then changes the permissions for the security keys and objects underneath, etc.

So technically, setting permissions on the highest level key will grant that permission implicitly to everything underneath.

Forms (screens)

Forms are usually a bit of a challenge. First of all, although it appears that way, a form does not have security directly attached to it. The security is set on a menu item (an entry in the menu used to open the form) which in its turn links to a form. Technically, you can have multiple menu items linked to the same form, with different security.

Additionally, the access to the form is not only controlled by the access given to the menu item, but also by the security given to the tables used on the form. If security is set on both, the user will experience the most restrictive of the two settings (if full control is set on the menu item and read-only on the table, the user will get read-only… and the same read-only result when read-only is set on the menu item and full control on the table).

Another issue with forms is the buttons (which technically are menu items) that appear on the screen. They have separate security, which can be set on the form security in the security tree, or on the menu item itself (if you know where it appears in the tree).

Here's the caveat. If you give access to a menu item button on a screen, the user will get access to that menu item from anywhere else it is available (other screens, on the menu, etc).

It is VERY tempting to click the "cascade" button. I've always strongly recommended people never ever to click that button. First of all, you are giving access to all these menu items available on the forms. You will also cascade your security down to the tables. Which means, if you need full control to a table somewhere else, setting view permissions and cascading it down will result in changing your table's security to view everywhere else in the system!

And of course it will also require you to explicitly remove security, to make some of the menu items "inherit" from their parents. If you set no security and cascade that down, you are removing access rather than removing the security. It is very confusing.

Deny permission

Ax does not have a "deny" permission. When users are in multiple groups, they will get the union (maximum) permissions of all the groups they are in. There's no way to have a group that denies permission which overrides any other permissions coming from other groups.
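To make the rules above concrete (inheritance down the key tree with overrides, menu item versus table access on a form, the cascade side effect on tables, and the union across groups with no deny), here is an added illustration written in Python. It is a model of the behaviour described in this post, not Ax or X++ code; the access levels, security keys, object names and groups are constructed for the example and do not refer to real AOT objects.

```python
"""Model of the Ax 2009 security-key rules described in the post.

Added illustration in Python, not Ax/X++ code: the access levels, security
keys, objects and groups below are constructed for the example.
"""
from enum import IntEnum
from typing import Dict, List, Optional


class Access(IntEnum):
    """Permission levels in increasing order (the top one is 'full control')."""
    NO_ACCESS = 0
    VIEW = 1
    EDIT = 2
    CREATE = 3
    FULL = 4


class SecurityTree:
    """Security keys form a hierarchy; each AOT object hangs off one key."""

    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}  # key -> parent key (None = root)
        self.object_key: Dict[str, str] = {}        # object -> its security key

    def add_key(self, key: str, parent: Optional[str] = None) -> None:
        self.parent[key] = parent

    def add_object(self, name: str, key: str) -> None:
        self.object_key[name] = key

    def children(self, key: str) -> List[str]:
        return [k for k, p in self.parent.items() if p == key]


class UserGroup:
    """Permissions explicitly set for one user group; unset nodes inherit."""

    def __init__(self, name: str, tree: SecurityTree) -> None:
        self.name = name
        self.tree = tree
        self.explicit: Dict[str, Access] = {}  # key or object -> level set here

    def grant(self, node: str, level: Access) -> None:
        self.explicit[node] = level

    def key_access(self, key: Optional[str]) -> Access:
        """Walk up to the nearest key with an explicit setting ("trickle down")."""
        while key is not None:
            if key in self.explicit:
                return self.explicit[key]
            key = self.tree.parent[key]
        return Access.NO_ACCESS

    def object_access(self, obj: str) -> Access:
        """An object's own setting overrides what it inherits from its key."""
        if obj in self.explicit:
            return self.explicit[obj]
        return self.key_access(self.tree.object_key[obj])

    def cascade(self, key: str, level: Access) -> None:
        """The 'cascade' button: stamp the level explicitly on every key and
        object below, so nothing underneath inherits any more."""
        self.explicit[key] = level
        for child in self.tree.children(key):
            self.cascade(child, level)
        for obj, k in self.tree.object_key.items():
            if k == key:
                self.explicit[obj] = level


def effective_access(groups: List[UserGroup], obj: str) -> Access:
    """Several groups give the union, i.e. the highest level; there is no deny."""
    return max((g.object_access(obj) for g in groups), default=Access.NO_ACCESS)


def effective_form_access(groups: List[UserGroup], menu_item: str,
                          tables: List[str]) -> Access:
    """A form is gated by its menu item AND its tables: the most restrictive wins."""
    levels = [effective_access(groups, menu_item)]
    levels += [effective_access(groups, t) for t in tables]
    return min(levels)


def scenario() -> Dict[str, Access]:
    """Constructed walk-through of the rules in the post."""
    tree = SecurityTree()
    tree.add_key("Sales")                           # top-level key
    tree.add_key("SalesDaily", "Sales")             # menu items / forms
    tree.add_key("SalesTables", "Sales")            # tables
    tree.add_object("mi:CustForm", "SalesDaily")    # menu item that opens the form
    tree.add_object("mi:CustButton", "SalesDaily")  # button on the form, also on the menu
    tree.add_object("tbl:Cust", "SalesTables")      # table used by the form

    clerks = UserGroup("Clerks", tree)
    clerks.grant("Sales", Access.VIEW)              # trickles down to everything below
    clerks.grant("SalesTables", Access.FULL)        # override for the tables branch
    clerks.grant("mi:CustButton", Access.FULL)      # "just this button on the form"
    managers = UserGroup("Managers", tree)
    managers.grant("mi:CustForm", Access.FULL)
    managers.grant("tbl:Cust", Access.FULL)

    results: Dict[str, Access] = {}
    # Inherited VIEW on the menu item, FULL on the table -> the form is read-only.
    results["clerk_form"] = effective_form_access([clerks], "mi:CustForm", ["tbl:Cust"])
    # The button is a menu item: access to it is the same wherever it appears.
    results["clerk_button"] = effective_access([clerks], "mi:CustButton")
    # A user in both groups gets the maximum of the two; no group can deny it.
    results["both_form"] = effective_form_access([clerks, managers], "mi:CustForm", ["tbl:Cust"])
    # The cascade pitfall: cascading VIEW from "Sales" overwrites the table
    # override, so the table is VIEW everywhere else in the system too.
    clerks.cascade("Sales", Access.VIEW)
    results["clerk_table_after_cascade"] = effective_access([clerks], "tbl:Cust")
    return results


if __name__ == "__main__":
    for name, level in scenario().items():
        print(f"{name}: {level.name}")
```

Running `scenario()` gives VIEW for the clerk's form (the table's full control does not help when the menu item only inherits view), FULL for the button, FULL for a user in both groups, and VIEW on the table once the cascade has stamped it, which is the "changing your table's security everywhere else" problem described above.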

Security is a big topic and there's lots more to talk about. There are some tools one can build, and I will talk about those in an upcoming post. Missing tools/reports are, for example: where is object X in the security setup tree, who has what access to object Y, etc.

To put the above in technical perspective, we need to know how the security is stored. We can build on that to create some tools. Stay tuned.

Thursday, July 1, 2010

Secrets of SysLastValue

Over the years I have had quite a few customers ask me how to use the user setup and form queries. It's not so much the initial setup that is the issue, but how to distribute changes and setup to other users? And how can we move our changes from our development or test environment to production?

The answers lie in the secrets of the SysLastValue table.

SysLastValue is a kernel-level table that does not show up in the AOT data dictionary. There is however a form called "Usage Data" that can be accessed (check Tools / Development tools / Application objects / Usage data). The form itself is called "SysLastValue" (yeah, really) in the AOT. We can use the datasource on the form to right-click and table browse this mysterious table.

SysLastValue stores many different things. The majority of records you will find in there pertain to caching, or "last use" type of data, which will remember the last values you've entered on a dialog, the last printer selection you made for a report, etc. But, which is why we're interested, it will also store any user setup you make on a form, and any and all queries being stored. The field "recordtype" will indicate exactly the type of values stored.
We are interested in type "UserSetup" with the "isKernel" flag set to No: these are the user setups on forms, and the "elementName" field tells you the form name.
Type "UserSetupQuery" contains the queries saved for a form. You will notice the "designName" contains the form's name, and the "elementName" field contains "f:formname".

So there we are. All the building blocks to build a little tool to distribute user setup and form queries among users, and even migrate between environments, or take backups before clicking "usage data" on the user options.
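As an added example of those building blocks, here is the selection and copy logic modelled in Python (not X++ against the live table, and not the tool mentioned below). The record layout is constructed from the fields named in this post; the "userId" field and the sample values are assumptions for the illustration. The example copies one user's form setup and saved queries for a form to another user, replacing whatever that user already had for the same form, and leaves kernel records and "last value" records alone.

```python
"""Model of the SysLastValue selection rules from the post, used to copy one
user's form setup and saved queries to another user.

Added illustration in Python, not X++: the record layout and sample rows are
constructed from the fields the post names; "userId" is an assumption.
"""
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class SysLastValueRecord:
    userId: str         # assumed name for the owning user's field
    recordType: str     # "UserSetup", "UserSetupQuery", or other cache types
    elementName: str    # form name for UserSetup, "f:<form>" for UserSetupQuery
    designName: str     # form name for UserSetupQuery
    isKernel: bool      # kernel-level setups are not what we want to distribute
    value: bytes        # opaque container payload; copied verbatim


def is_form_setup(rec: SysLastValueRecord, form: str) -> bool:
    """User setup on a form: type UserSetup, not kernel, elementName = form."""
    return rec.recordType == "UserSetup" and not rec.isKernel and rec.elementName == form


def is_form_query(rec: SysLastValueRecord, form: str) -> bool:
    """Saved query for a form: type UserSetupQuery, designName = form, elementName = f:form."""
    return (rec.recordType == "UserSetupQuery"
            and rec.designName == form
            and rec.elementName == "f:" + form)


def personalization_for(records: List[SysLastValueRecord], user: str,
                        form: str) -> List[SysLastValueRecord]:
    """All setup and query rows one user has for one form (a backup, for example)."""
    return [r for r in records
            if r.userId == user and (is_form_setup(r, form) or is_form_query(r, form))]


def copy_personalization(records: List[SysLastValueRecord], form: str,
                         from_user: str, to_user: str) -> List[SysLastValueRecord]:
    """Return the record set with to_user's setup/queries for form replaced by
    copies of from_user's rows. Other users and other record types are untouched."""
    keep = [r for r in records
            if not (r.userId == to_user and (is_form_setup(r, form) or is_form_query(r, form)))]
    copies = [replace(r, userId=to_user) for r in personalization_for(records, from_user, form)]
    return keep + copies


# Constructed sample rows standing in for a table browse of SysLastValue.
SAMPLE = [
    SysLastValueRecord("alice", "UserSetup", "CustTable", "", False, b"setup-alice"),
    SysLastValueRecord("alice", "UserSetup", "CustTable", "", True, b"kernel-alice"),   # excluded
    SysLastValueRecord("alice", "UserSetupQuery", "f:CustTable", "CustTable", False, b"query-alice"),
    SysLastValueRecord("alice", "Last", "CustTable", "", False, b"last-dialog-values"),  # excluded
    SysLastValueRecord("bob", "UserSetup", "CustTable", "", False, b"setup-bob-old"),    # replaced
    SysLastValueRecord("carol", "UserSetup", "CustTable", "", False, b"setup-carol"),    # untouched
]


def demo() -> List[SysLastValueRecord]:
    """Copy alice's CustTable personalization to bob and return bob's rows."""
    after = copy_personalization(SAMPLE, "CustTable", "alice", "bob")
    return personalization_for(after, "bob", "CustTable")


if __name__ == "__main__":
    for rec in demo():
        print(rec.recordType, rec.elementName, rec.value)
```

The two type checks are deliberately separate because the form name lives in a different field for each type ("elementName" for the setup, "designName" plus the "f:" prefix for queries); a filter on "elementName" alone would miss the queries.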

We have built our own little tool for this and actually taken it a step further. For more information on our IntelliMorph tool called "Personalization Center", check our company website at