Microsoft Dynamics 365 Blog


Microsoft Dynamics AX 2012 introduces role-based security, which makes security easier to manage. Relations between security roles, duties and privileges are complex. However, you can apply a tool to represent these relations in a grid.



This document describes another way to represent security objects and the relations between these objects.

DGML is an XML based file format for directed graphs. For example, this is the graph:


…and this is the DGML file behind it:

<?xml version="1.0" encoding="utf-8"?>

<DirectedGraph GraphDirection="LeftToRight" Layout="Sugiyama" xmlns="">


    <Node Id="Duty D" Area="X" Type="SecDuty" />

    <Node Id="Duty E" Area="Y" Type="SecDuty" />

    <Node Id="Privilege F" Area="X" Type="SecPrivilege" />

    <Node Id="Privilege G" Area="Y" Type="SecPrivilege" />

    <Node Id="Privilege H" Area="Z" Type="SecPrivilege" />

    <Node Id="Role A" Area="X" Type="SecRole" />

    <Node Id="Role B" Area="X" Type="SecRole" />

    <Node Id="Role C" Area="Y" Type="SecRole" />



    <Link Source="Duty D" Target="Privilege F" />

    <Link Source="Duty D" Target="Privilege G" />

    <Link Source="Duty D" Target="Privilege H" />

    <Link Source="Duty E" Target="Privilege F" />

    <Link Source="Duty E" Target="Privilege G" />

    <Link Source="Role A" Target="Role B" />

    <Link Source="Role B" Target="Duty D" />

    <Link Source="Role B" Target="Duty E" />

    <Link Source="Role C" Target="Duty D" />

    <Link Source="Role C" Target="Duty E" />



    <Property Id="Area" DataType="System.String" />

    <Property Id="GraphDirection" DataType="Microsoft.VisualStudio.Progression.Layout.GraphDirection" />

    <Property Id="Layout" DataType="System.String" />

    <Property Id="Type" DataType="System.String" />



    <Style TargetType="Node" GroupLabel="Type" ValueLabel="SecPrivilege">

        <Condition Expression="Type = 'SecPrivilege'" />

        <Setter Property="Icon" Value="pack://application:,,,/Microsoft.VisualStudio.Progression.GraphControl;component/Icons/Key.png" />


    <Style TargetType="Node" GroupLabel="Type" ValueLabel="SecRole">

        <Condition Expression="Type = 'SecRole'" />

        <Setter Property="Icon" Value="pack://application:,,,/Microsoft.VisualStudio.Progression.GraphControl;component/Icons/Users.png" />


    <Style TargetType="Node" GroupLabel="Type" ValueLabel="SecDuty">

        <Condition Expression="Type = 'SecDuty'" />

        <Setter Property="Icon" Value="pack://application:,,,/Microsoft.VisualStudio.Progression.GraphControl;component/Icons/kpi_green_sym2_large.png" />


    <Style TargetType="Node" GroupLabel="Type" ValueLabel="SecProcessCycle">

        <Condition Expression="Type = 'SecProcessCycle'" />

        <Setter Property="Icon" Value="pack://application:,,,/Microsoft.VisualStudio.Progression.GraphControl;component/Icons/Gears.png" />




The DGML format is supported in Visual Studio 2010 Ultimate and Premium and in some other third party tools as well. In this document, Visual Studio is used:


In Visual Studio 2010, there is Directed Graph toolbar and a Legend window that allow you to change the appearance of the graph. For example, this is one graph, rendered in different ways:


There is a context menu, which provides even more options, such as Advanced selection. For example, you can also:

  • select all nodes with a specific property value
  • group nodes
  • hide the nodes in order to simplify the graph
  • select all incoming and/or outgoing connections for the currently selected nodes

Before reading any further, we recommend that you watch this video which is dedicated to large graphs.

Generating graphs

First of all, import the attached XPO file to Microsoft Dynamics AX 2012.

There are 4 classes in the SecurityToDGML private project. SysDgmlFromSecurity is the main class, which should be run in order to generate the DGML file. The SysDgmlGraph, SysDgmlNode and SysDgmlLink classes encapsulate graph construction logic.

Note: Eventually, you may want to customize the solution by adding more attributes to the nodes and links. For example, objects with a particular prefix may require an additional attribute to make it easier to select them when manipulating the graph.

When you have imported the XPO to AX, run the SysDgmlFromSecurity class. In the dialog, verify the output file name, and then click OK. After several minutes, the file is generated and it opens in Visual Studio (or in the tool that you have assigned to open DGML-files).

Important: The graph is comprehensive so every little change, such as adding a property to the Legend or switching the rendering mode from Left to right to Quick clusters, will take 10 to 20 seconds or more to complete. So avoid any unnecessary clicks on the workspace. The idea is to hide as many nodes as possible and still be able to explore the nodes and relations that you want to focus on. The fewer nodes on the visible graph, the faster it is rendered.

Working with graphs

Scenario 1: Find out what external* roles have access to duties and privileges in your area (in this example, Inventory)

*External roles: In this example, roles from areas other than Inventory, such as Manufacturing. There is some logic in the SysDgmlGraph class that tries to determine the owner team of the object and add an Area attribute to the corresponding graph node. The owner team is determined based on a prefix and/or a suffix of the object name. This is where you may need customization. You can find a sample Excel sheet attached to the this post.

1. Open the DGML-file.

At first, the graph looks like a vertical stripe in the middle of the workspace:
image This is because there are too many nodes (while this is being written, about 6000 nodes and 10000 relations).

2. Right-click to select a little area on the stripe.
image When you release the button, this part of the graph is zoomed in.

3. Repeat zooming until you see something like the following:
image You can see 3 columns of nodes, left to right: roles, duties, and then privileges. There are too many visible relations, so some have to be hidden.

4. Right-click anywhere on the workspace and select Show Advanced Selection in the menu.

A new window will appear on the right side of the workspace:
clip_image021 Area, Type and AOT name are properties of the nodes.

5. Select the nodes that belong to Inventory.
clip_image022 You will notice that some relations and nodes are selected now:

6. Click the I button three times to select incoming connections.
With three clicks you can select a chain of Inventory privileges: For example, a non-Inventory role can have a non-Inventory sub-role which can have a non-Inventory duty which can provide access to the Inventory privileges. By clicking once on the I button you select the duty, with two clicks you also select the sub-role, and with three clicks the whole chain is selected.

At this point, you see all Inventory nodes and all the external nodes that relate to these nodes.

7. Right-click on any of the selected nodes, and click Selection > Hide unselected in order to hide nodes.
image The graph becomes much smaller and all remaining nodes remain selected:

8. Click anywhere on the workspace to clear the selection of the nodes. The Selection window looks as follows:
clip_image029 Note the 600 nodes compared to the 6000 nodes on the original graph.

9. Select all areas in the Selection window except for Inventory to view only the Inventory nodes that are used by external roles and duties.

10. Click the O button three times like you did with the I button in order to select all outgoing connections for the selected (=non-Inventory) nodes.

11. Right-click any of the selected nodes and select Selection > Hide unselected.

12. Click anywhere in the workspace to clear the selection of the nodes. This way you reduce the number of nodes in the graph to about 300.

13. Select Zoom to fit in the toolbar to see the following:

The final graph is not very large. The only thing missing is the set of highlighted external duties and roles.

14. In the Legend window, click the Add button and then select Node Property > Area.

15. Click on the new Area stripe and then select Background.

16. In the Color Set Picker window, click the button at the top and then select one of the predefined color sets.

17. Change the color for Inventory to White to leave only nodes from other areas highlighted.

18. Click OK.
This is the final graph:

19. Select one of the external nodes, such as Maintain BOM master, in order to zoom in and check the external nodes for eligibility to use Inventory privileges.

20. Turn on the Butterfly mode.
image The graph now looks as follows:

The product designer has access to 4 Inventory privileges. If something is wrong here, we have an issue.

21. Turn off the Butterfly mode and proceed to the next non-Inventory node. Repeat until you are finished.

Scenario 2: Do the opposite of the first scenario to figure out what external privileges and duties are used by roles in your area

This scenario is similar to the first scenario except for the fact that you should use the I and the O buttons in the reverse order.

Note: If objects are marked with wrong areas, you must update the prefixes in the ownership Excel sheet and generate the DGML file again.

Further information about Security can be found on MSDN

By Sasha Nazarov, SCM, Microsoft Dynamics AX



We're always looking for feedback and would like to hear from you. Please head to the Dynamics 365 Community to start a discussion, ask questions, and tell us what you think!