Microsoft Dynamics AX 2012 introduces role-based security, which makes security easier to manage. Relations between security roles, duties and privileges are complex. However, you can apply a tool to represent these relations in a grid.
This document describes another way to represent security objects and the relations between these objects.
DGML is an XML-based file format for directed graphs. For example, this is the graph:
…and this is the DGML file behind it:
The DGML format is supported in Visual Studio 2010 Ultimate and Premium, and in some third-party tools as well. In this document, Visual Studio is used:
In Visual Studio 2010, a Directed Graph toolbar and a Legend window allow you to change the appearance of the graph. For example, this is one graph, rendered in different ways:
There is a context menu, which provides even more options, such as Advanced selection. For example, you can also:
- select all nodes with a specific property value
- group nodes
- hide the nodes in order to simplify the graph
- select all incoming and/or outgoing connections for the currently selected nodes
Before reading any further, we recommend that you watch this video, which is dedicated to large graphs.
First of all, import the attached XPO file to Microsoft Dynamics AX 2012.
There are 4 classes in the SecurityToDGML private project. SysDgmlFromSecurity is the main class, which should be run in order to generate the DGML file. The SysDgmlGraph, SysDgmlNode and SysDgmlLink classes encapsulate graph construction logic.
Note: Eventually, you may want to customize the solution by adding more attributes to the nodes and links. For example, objects with a particular prefix may require an additional attribute to make it easier to select them when manipulating the graph.
When you have imported the XPO to AX, run the SysDgmlFromSecurity class. In the dialog, verify the output file name, and then click OK. After several minutes, the file is generated and it opens in Visual Studio (or in the tool that you have assigned to open DGML-files).
Important: The graph is comprehensive, so every little change, such as adding a property to the Legend or switching the rendering mode from Left to right to Quick clusters, will take 10 to 20 seconds or more to complete. Avoid any unnecessary clicks on the workspace. The idea is to hide as many nodes as possible and still be able to explore the nodes and relations that you want to focus on. The fewer nodes on the visible graph, the faster it is rendered.
Working with graphs
Scenario 1: Find out what external* roles have access to duties and privileges in your area (in this example, Inventory)
*External roles: In this example, roles from areas other than Inventory, such as Manufacturing. There is some logic in the SysDgmlGraph class that tries to determine the owner team of the object and add an Area attribute to the corresponding graph node. The owner team is determined based on a prefix and/or a suffix of the object name. This is where you may need customization. You can find a sample Excel sheet attached to this post.
1. Open the DGML-file.
3. Repeat zooming until you see something like the following:
You can see 3 columns of nodes, left to right: roles, duties, and then privileges. There are too many visible relations, so some have to be hidden.
6. Click the I button three times to select incoming connections.
With three clicks you can select a chain of Inventory privileges: For example, a non-Inventory role can have a non-Inventory sub-role which can have a non-Inventory duty which can provide access to the Inventory privileges. By clicking once on the I button you select the duty, with two clicks you also select the sub-role, and with three clicks the whole chain is selected.
At this point, you see all Inventory nodes and all the external nodes that relate to these nodes.
10. Click the O button three times like you did with the I button in order to select all outgoing connections for the selected (=non-Inventory) nodes.
11. Right-click any of the selected nodes and select Selection > Hide unselected.
12. Click anywhere in the workspace to clear the selection of the nodes. This way you reduce the number of nodes in the graph to about 300.
The final graph is not very large. The only thing missing is the set of highlighted external duties and roles.
The product designer has access to 4 Inventory privileges. If something is wrong here, we have an issue.
21. Turn off the Butterfly mode and proceed to the next non-Inventory node. Repeat until you are finished.
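The Scenario 1 selection can also be computed directly from the generated file. The following is an added example, not part of the SecurityToDGML project: it walks incoming links up to three hops from each Inventory privilege and reports the non-Inventory duties and roles that reach it. The sample graph is constructed, and the Category attribute, the node Ids and the link direction (Source contains Target) are assumptions about the generated file; Area is the attribute described above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"d": "http://schemas.microsoft.com/vs/2009/dgml"}

# Constructed sample. Ids, Category values and link direction are assumptions.
SAMPLE_DGML = """<DirectedGraph xmlns="http://schemas.microsoft.com/vs/2009/dgml">
  <Nodes>
    <Node Id="RoleMfgDesigner" Category="Role" Area="Manufacturing"/>
    <Node Id="RoleMfgSub" Category="Role" Area="Manufacturing"/>
    <Node Id="DutyMfgMaintain" Category="Duty" Area="Manufacturing"/>
    <Node Id="RoleInventClerk" Category="Role" Area="Inventory"/>
    <Node Id="DutyInventCount" Category="Duty" Area="Inventory"/>
    <Node Id="PrivInventJournalPost" Category="Privilege" Area="Inventory"/>
    <Node Id="PrivInventOnHandView" Category="Privilege" Area="Inventory"/>
  </Nodes>
  <Links>
    <Link Source="RoleMfgDesigner" Target="RoleMfgSub"/>
    <Link Source="RoleMfgSub" Target="DutyMfgMaintain"/>
    <Link Source="DutyMfgMaintain" Target="PrivInventOnHandView"/>
    <Link Source="RoleInventClerk" Target="DutyInventCount"/>
    <Link Source="DutyInventCount" Target="PrivInventJournalPost"/>
  </Links>
</DirectedGraph>"""


def external_access(dgml_text, area="Inventory", max_hops=3):
    """Map each node outside `area` to the `area` privileges it reaches."""
    root = ET.fromstring(dgml_text)
    nodes = {n.get("Id"): n.attrib for n in root.iterfind("d:Nodes/d:Node", NS)}
    incoming = defaultdict(set)  # target Id -> Ids of nodes linking to it
    for link in root.iterfind("d:Links/d:Link", NS):
        incoming[link.get("Target")].add(link.get("Source"))
    reach = defaultdict(set)
    for priv, attrs in nodes.items():
        if attrs.get("Category") != "Privilege" or attrs.get("Area") != area:
            continue
        frontier, seen = {priv}, {priv}
        for _ in range(max_hops):  # one pass per click on the I button
            frontier = {s for t in frontier for s in incoming[t]} - seen
            seen |= frontier
            for src in frontier:
                if nodes.get(src, {}).get("Area") != area:
                    reach[src].add(priv)
    return {node: sorted(privs) for node, privs in reach.items()}


if __name__ == "__main__":
    for node, privs in sorted(external_access(SAMPLE_DGML).items()):
        print(node, "->", ", ".join(privs))
```

With `max_hops=1` only the external duty is reported, which corresponds to a single click on the I button.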
Scenario 2: Do the opposite of the first scenario to figure out what external privileges and duties are used by roles in your area
This scenario is similar to the first scenario except for the fact that you should use the I and the O buttons in the reverse order.
Note: If objects are marked with wrong areas, you must update the prefixes in the ownership Excel sheet and generate the DGML file again.
Further information about Security can be found on MSDN.
By Sasha Nazarov, SCM, Microsoft Dynamics AX