Security Management Best Practices: When Revoking Access

Within AX 2012, we have the ability to grant, upgrade, downgrade or revoke Role access when using security permissions:

1. It is best to revoke or downgrade access when the number of menu items you would like to revoke or downgrade are limited. If it is not limited, this is a critical sign that you need a role with less access.

In an alternative scenario, if you need to provide only limited permissions to the Role, then:

2. It is best to start from scratch and upgrade access – Create a new Role and grant Privileges or drag and drop the Duties into the Role rather than using the existing out-of-the-box Roles and revoking permissions. If these best practices are not followed, the risk of creating unnecessary duplicates of security permissions such as Duties with revoke access Privileges can ultimately amount to junk data in the system.

3. If you are working on providing limited access to a menu item, then revoke the menu item’s access completely (no access) and then upgrade access levels by granting only the access level needed rather than downgrading or revoking access of a privilege and going one by one for the menu item, buttons, and fields.

4. While revoking access it is also important to decide, if you would like to revoke access to the menu item in question from all the other Roles performing the same Duty or just from a particular Role.

If you do not want any other Role to be impacted then it is best to always duplicate the Duty you are modifying, work on the Privileges appropriately, and roll it back to the Role. Most importantly, you need to maintain a consistent naming convention while creating these new objects.

5. You may wonder how much effort it takes to tailor to the needs of traceability and audit logs for all these tasks you perform in order to simply downgrade or revoke a Role’s access to menu items.

An alternative to avoid manual inputting of data would be to utilize the Arbela Security Manager (ASM) which will provide a one-click solution to these complexities and time consuming tasks. This solution makes it quick and easy to modify security permissions and maintain audit tracking and traceability.

Click here to learn more!

Posted in General, Technical | Leave a comment

How to Create a 4-4-5 Calendar in AX 2012

The 4-4-5 calendar is a method of managing accounting periods. It is a common calendar structure for industries such as retailmanufacturing and the parking industry. The 4-4-5 calendar divides a year into 4 quarters. Each quarter has 13 weeks, which are grouped into two 4-week “months” and one 5-week “month”. The grouping of 13 weeks may also be set up as 5-4-4 weeks or 4-5-4 weeks, but the 4-4-5 seems to be the most common arrangement. Its major advantages over a regular calendar are that the end date of the period is always the same day of the week, which is useful for shift or manufacturing planning, and that every period is the same length.

To setup the 4-4-5 Calendar in AX:

Menu Path: General Ledger > Setup > Fiscal Calendars

On the menu bar of the Fiscal Calendars windows, click “New Fiscal Calendar”.

Enter the “Name”/”Description” of the calendar, then indicate the “Start” and “End” date.

Now that we have created a new Fiscal Calendar and a new Fiscal Year, we need to manually delete all the operating type periods except period 1.

When all the operating type periods are deleted except period 1, we can start dividing the period 1.

Once you select the “Divide period”, enter the start date of the next period and name the period.

Now I have a “period 2” in my calendar list with a new start date of 12/30/2013.

By default, the month will be driven by the period we have recently divided. As we are dividing periods you need to make sure you update the month as well as the quarter.

Repeat these steps for the rest of the periods until you have completed the entire calendar.

Note: the months and quarters are in chronological order, in case you forgot to change the month or quarter; you will have to chronologically change from the last period to the first period.

When you reach Period 7, you need to change the quarter 2 “period 13” to quarter 3 in order to be able to assign quarter 3 for period 7.

The same applies to Period 10, when we change from quarter 3 to quarter 4.

Now you have the calendar with your start/end dates, and the 4-4-5 Calendar.

Posted in General, Technical | Leave a comment

Setting up Profiles for Time Registration: Flexibility vs. Structure

In Microsoft Dynamics AX, there are quite a few considerations before setting up Shop Floor Control, now consolidated into the Human Resources module in AX 2012. It is fairly typical for the need for tracking labor-related items such as tardies, absences, break time, overnight shifts, indirect labor costs, and overtime.

Depending on the size of the firm and the needs of the business, the setup of time registration may call for flexibility, or it may call for strengthened internal controls. So which profile setups are appropriate for the business, simple profiles or rigid profiles?

Profiles with defined clock in times inserted: Example

As you can see, the clock in and clock out times entered in the profile are clearly defined. There are a number of pros and cons that are associated with this type of setup.

Pros:

  1. The punch clock users can see an accurate visual representation of their scheduled shift vs. their time worked that day in the Balances form, which can be accessed from the job registration form (punch clock) if configured to do so.
  2. The profiles can be arranged into Profile groups, and when a clock in line is registered in the Calculate form, the profile is automatically changed.
  3. For employees who use the punch clock, having clock in lines will allow you to enter an absence code as a reason for being late to work, which will transfer onto the Calculate form.
  4. You can assign special days to the profile calendar in the event of a mass holiday. The profile calendar is able to push an absence code directly to the Calculate form when there are holidays.
  5. If a worker is absent, the system will automatically enter an absence line with start and stop times that are encapsulated by the clock times on the profile.
  6. Absences recorded at the beginning, middle, and end of day are possible with this setup.
  7. Other profile types, such as overtime or premium time, can be set up on both ends of the clock times.
  8. You can use profile tolerance on either end of the clock times to allow workers to clock in late or clock out early without penalty.
  9. When using “Normtime” in pay adjustments, the daily value is equal to the Profile time day value, and the weekly value is equal to the Profile time total value:

Cons:

  1. You may have to create many profiles to satisfy the flexibility requirements of certain field employees.
  2. If you want to take an unpaid lunch break, and it is not built into your profile, the clock out time will not be extended to give more time to your shift.
  3. You may have to add work time to the profile outside the normal shift in order to compensate for the possibility of a break.
  4. You cannot select more time than is in between your profile clock in and clock out times to register an absence.
  5. If you decide to stagger profiles, you may have to create as many pay agreements as you will create profiles, if your new 24-hour period does not begin at midnight for each profile.

Profiles without clock times inserted

These profiles are designed to allow much more flexibility in entering clock times. Below is an example of how these profiles would be set up:

Pros:

  1. Profile groups can still be used.
  2. Great flexibility.
  3. A single profile can work for a wide number of shift scenarios.
  4. Overtime can be set up based either on the Profile type column selections, or the Overtime/flex limit field.
  5. The number of absence hours given for an employee’s full-day absence equal to the number of hours entered in the Overtime/flex limit field.
  6. The overtime/flex limit controls the number of hours expected to be worked in a day; if the completed workday is less than the number of hours entered in the Overtime/flex limit field on the profile, then a blank absence line will automatically be generated.
  7. There is a time and attendance parameter called Auto insert flex-/absence that allows a specific absence code to be automatically generated when the calculated function is run, and an absence line is generated. This feature is subordinated by manual entry of an absence code and absence reason selection from the punch clock. It appears as below:
  8. If you leave the clock in line, but remove the clock out line, you still have the ability to have the user enter an absence code as a reason for tardiness.

Cons:

  1. You still may have to create many profiles, if the client does not have standard times for standard time and overtime cost.
  2. All absence is calculated at the end of the work day, always.
  3. Punch clock users will not have the ability to enter an absence code as a reason for tardiness. The concept of tardiness does not apply to this type of profile.
  4. You cannot use the Profile Calendar to assign Special Days!
  5. Tolerance cannot be used!
  6. “Normtime” is based on the total work hours for the week, and not what was calculated in the Profile time total and Profile time hours fields on the profile. Therefore, it is unwise to use Normtime in your pay adjustment calculations.
  7. The Profile time area on the profile is blank.
  8. For punch clock users, the Balances form only compares the day’s hours worked to a blanked out 24-hour period.
  9. Most standard AX reports for Time and attendance are no longer useful.


Posted in General, Technical | Leave a comment

Security Management Best Practices: Granting/Upgrading Access

Within AX 2012, we have the ability to grant, upgrade, downgrade or revoke Role access when using security permissions. While granting or upgrading access, it is a best practice to grant permissions using existing Privileges which provide the desired level of access (viz., view or full control). Although it may seem like the quickest choice to simply create a new Privilege with desired access levels and grant permissions for that specific Role; an example of the drawbacks of granting this permission would be if you choose to provide access to the global address book:

  1. Using a new Privilege – You might tend to provide access to only the menu item ‘GlobalAddressBooklistPage’. But will this be enough for all situations? We would also need access to the related functions such as: Edit, Maintain documents, Email Distribution, Address book, Etc.
  2. Using existing Privileges – These existing Privileges will provide access to all the related menu items in order to use the Global Address Book in its full capacity with the desired access level.

The complexity involved is the task of finding these exact Privileges among a few thousand out of the box Privileges. Moreover, it becomes a tedious and time-consuming process to cater to the needs of traceability and audit logs for all these tasks we perform in order to simply grant or upgrade a Role’s access to menu items. An alternative to avoid manual changes would be to utilize the Arbela Security Manager (ASM) which will provide a one-click solution to these complexities and time consuming tasks. This solution makes it quick and easy to modify security permissions and maintain audit tracking and traceability.

Click here to learn more!

Posted in General, Technical | Leave a comment

How to Format Numbers, Dates, Etc. Within AX 2012 in Both Forms and Reports

Formatting in AX reports (SSRS reports)
i.e. numbering formats, date formats, etc.

This function is controlled through the language settings in the AX Tools/Options. Exceptions being AR/AP output reports such as invoices, etc. These are controlled by the language setting within the customer/vendor menu.

Formatting in AX reports 
i.e. numbering formats, date formats, etc.

This is controlled through the windows settings on the AX client computer.

In other words, reports formatting is controlled through the AX user’s setup in the Options section. This can be easily setup for various locations.

Forms formatting can also be setup alternatively for different users, but it is dependent on how the AX infrastructure is setup (how and where the AX client is installed).

If the AX client is installed on each individual user’s desktop computer, then each desktop’s windows setting is controlling the formatting in the forms. If the AX client is running in a citrix/remote desktop type structure the users are most likely running the same AX client and therefore all the user’s formatting in the forms will be the same. In this case, we have at least two separate citrix/remote desktop computers with each including an AX client, so one location would be using one of these (with windows setup for geographically local number formatting) and the other location would be using the other (with windows setup for geographically local number formatting).

For more information please contact Amir Khoshniyati.

Posted in Technical | Leave a comment

How do I restore user roles back to ‘factory settings’?

Recently I received this question: Do you know a quick way of restoring user roles to ‘factory settings’?

The way to do it would be to delete the modified layers of the security objects, so basically use Filter to auto accumulate all security Roles, then delete them, you will have to do this for all layers where security changes exist.  This will leave the SYS/SYP versions of the Roles and thereby bring them back to standard or ‘factory settings’.

In the AOT create a new project then open it.

 

Click on the filter button. 

 

This allows you to filter objects into your project.  Press Select then in the inquiry make sure the following information is entered.

 

Once entered click OK and the filter will add all Security Roles to your new project.  When finished select all (Ctrl+A) the Roles, right click, select delete, and AX will ask if you’re sure so don’t do it if not!

After this login to other layers with any security changes and delete them using the same project, no need to filter again!

 

Posted in Uncategorized | Leave a comment

Why can’t I create an alert rule for a user who has access to the trigger?

When setting up an alert for a user who has access to the trigger, one may receive an infolog message saying ‘Insufficient rights for user <user>’ .

As it turns out the System User Role does not have access to all the needed tables in order for an alert to run.  A user needs access to the following tables in order for alerts to work (for a non-System Administrator).

NGPCodesTable_FR and InventFiscalLIFOGroup

By default a System User should be able to access and create alerts, however because of the absence of ‘read’ access to both tables, System users could not be alerted. This is a bug in most R1 and R2 cumulative updates.  Microsoft plans on resolving this in the R3 release!

Posted in Technical | Tagged , , , , , | Leave a comment

Task recorder not working?

When running task recorder in Dynamics AX 2012, do you receive an error noting that ‘Recording could not be initiated’?  This is most likely because the Default_Default node is not directly usable for recording, rather it is just a main node under which you may create actual recording nodes.

So if you are on the default node and click New node, it will create a recording node for you (note the different icon), to start recording.  See below:

It is also possible to import a node structure from excel, as described in the attached document, see below where I filled in a simple structure for sales and imported it.

After the import (note: when importing like this it is possible to create a structure with multilevel master nodes, each having recording nodes under them.  In order to enable the import hierarchy button one needs to set Task recorder to advanced mode.

When using the import method repeatedly on the same excel spreadsheet, it will just create a new node and you will now have two nodes with a structure under them.  If the old node is deleted all recordings in that node will also be deleted (in Task recorder) but remain in the specified folder.

Posted in Technical | Leave a comment

Getting detailed error information when an SSRS report fail printing

If you get the error below when printing a report in AX2012,

You can enable on remote errors by going to the SSRS server in SQL management studio and set the below property to TRUE,

- Carsten Glem

Posted in Technical | Tagged , , , | Leave a comment

Identifying the SSRS report name you need to modify

If you need to modify an SSRS report and you have problems identifying the actual name of the SSRS report (sometimes the code is so complex that it can be difficult to find out which SSRS report is actually printing), instead of digging into the code to find the SSRS report name that is used, you can just print the report to screen and then right click on the
report printout and chose Export/CSV, this will bring up the ‘Save As’ dialog, there you can  see the suggested file name, which reflects the name of the SSRS report name/design.

Posted in Technical | Tagged , , , | Leave a comment