I used to have customers who would like to limit the data available in whatever department or group they belong to.
So for this entry, I will discuss security using the organization hierarchy. There are white papers available that discuss the following:
For this post though, I will be deviating a little bit from what has been discussed in the white paper.
So you must already know that you can set up which Legal Entities and Operating Units are available for a specific user and role. If not, you can do that from System administrator → Common → User → User’s role → Assign organization button.
Note that the organization hierarchy used here should have the hierarchy purpose Security.
It’s great that we have a setup available for this. Unfortunately, it is limited to Legal Entities, Global Address Book, Budgets, HCM Records, Retail, etc. For the complete list, check the Security Policies node in the AOT.
For this entry, what I would like to achieve is to limit records based on Default Dimension. I will be using the Released Products list as a sample. Released Products has a parent table called InventTable, which contains the field DefaultDimension. We will filter the Default Dimension based on the Operating Units set in the Organization users setup.
Before creating a Security Policy, you will need to have:
- The list of operating units available for the user
- Query to limit the Default Dimension in InventTable
List of Operating Units available for the user
If you navigate to the OMUserRoleOrganization table, you will see the complete list of assigned InternalOrganization records for every user. However, the records there are stored as reference record IDs and are not yet filtered to the current user’s session.
If you look for tables with the My* prefix, you will only see MyDepartments, MyDirectReports, MyLegalEntities, MyPartyUsers and MyRoles. These are temp tables with an XDS method, and they get populated according to their RefreshFrequency. We don’t have a My* table that contains the complete list of Operating Units from our Internal Organization, so here’s a sample table that I have created:
It contains the Operating Unit Number, Reference Record Id, and Operating Unit. We will populate this every time a session is created for the current user. This can be done through the XDS method:
Query to limit the Default Dimension in InventTable
So now that we have a list that contains the assigned operating units, let’s attach it to DefaultDimension. You may use the view DimensionAttributeValueSetItemView. If you are working with LedgerDimension, you should use the view DimensionAttributeLevelValueView instead. Here, I created a very simple query named DefaultDimensionByDept that contains the view and MyInternalOrgForXDS. I used an exist join to make sure that only default dimensions existing in the setup are accessible. I won’t be including the InventTable here, but technically you can do that.
Why By Department? Basically, you will need to create 1 query for every Operating Unit Type or Custom Dimension, because if we do not put a range on DimensionAttribute here, the query will behave as if we are using an OR filter across dimensions. For example:
Granted Access
Business Unit: 06
Department: 031, 025, 028
| Item | Business Unit | Department | Expectation | If query doesn’t have Dimension Attribute filter |
|---|---|---|---|---|
| Item A | 06 | 031 | Accessible | Accessible |
| Item B | | 025 | Not accessible | Accessible |
| Item C | 06 | | Not accessible | Accessible |
Well, unless you prefer this behavior, you’re free to do it as you please.
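The OR-like behaviour in the example above can be reproduced outside AX. This is an added example, not code from the original post: it uses SQLite with simplified stand-in tables, the column names DisplayValue and OperatingUnitNumber are assumptions, and it assumes the per-attribute policy queries are all enforced together (combined with AND).

```python
import sqlite3

# Constructed sample data mirroring the example above. Table names follow the
# post; DisplayValue and OperatingUnitNumber are assumed, simplified columns.
SCHEMA = """
CREATE TABLE InventTable (ItemId TEXT, DefaultDimension INTEGER);
CREATE TABLE DimensionAttributeValueSetItemView
    (DimensionAttributeValueSet INTEGER, DimensionAttribute TEXT, DisplayValue TEXT);
CREATE TABLE MyInternalOrgForXDS (OperatingUnitNumber TEXT);
INSERT INTO InventTable VALUES ('Item A', 1), ('Item B', 2), ('Item C', 3);
INSERT INTO DimensionAttributeValueSetItemView VALUES
    (1, 'BusinessUnit', '06'), (1, 'Department', '031'),
    (2, 'Department', '025'),
    (3, 'BusinessUnit', '06');
INSERT INTO MyInternalOrgForXDS VALUES ('06'), ('031'), ('025'), ('028');
"""

# One policy query: the view exist-joined to the user's operating units,
# optionally restricted to a single DimensionAttribute (the range in the post).
POLICY = """
SELECT i.ItemId FROM InventTable i WHERE EXISTS (
    SELECT 1 FROM DimensionAttributeValueSetItemView v
    WHERE v.DimensionAttributeValueSet = i.DefaultDimension
      AND (:attr IS NULL OR v.DimensionAttribute = :attr)
      AND EXISTS (SELECT 1 FROM MyInternalOrgForXDS m
                  WHERE m.OperatingUnitNumber = v.DisplayValue))
"""

def visible_items(attributes):
    """Items passing every policy; [None] means one query with no attribute range."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    result = None
    for attr in attributes:
        rows = {r[0] for r in db.execute(POLICY, {"attr": attr})}
        # Assumption: every policy must be satisfied, so intersect the results.
        result = rows if result is None else result & rows
    db.close()
    return sorted(result or [])

if __name__ == "__main__":
    print("no attribute range:     ", visible_items([None]))
    print("one query per attribute:", visible_items(["BusinessUnit", "Department"]))
```

Without the range, a single matching dimension value of any type is enough to expose the record, which is why Item B and Item C become visible.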
Just in case you’re wondering what the value of the range for DimensionAttribute is, here it is, created from SysQueryRangeUtil:
Creation of Security Policy
The query that we created above will be used in our security policy. You may create the security policy from the AOT → Security → Policy. Here we have used DimensionAttributeValueSetItemView as the primary table. Note that whenever you create a policy, the primary table that you set here should also be present in your query.
As you noticed, I also set the context type RoleName here, for the role SystemUser. Technically all users of AX have the role SystemUser; that’s why I used it here. I don’t think it will work with SystemAdmin, though. Now, let’s attach the InventTable under Constrained tables. I used Add table or view by free form expression and set the relation to: DimensionAttributeValueSetItemView.DimensionAttributeValueSet = InventTable.DefaultDimension.
You must be wondering why I attach it this way when in fact I can just attach it directly to the query. Let’s just say that this is one way of doing it, plus I can just create 1 policy and list all the other tables with DefaultDimension, like PurchTable, SalesTable, CustTable, etc. I just find it tedious to create so many queries for every table with a Default Dimension field.
I guess it’s for you to decide how you want to do your own policy. I would just like to emphasize that this code is just in draft mode, and I did not thoroughly test it so it can still be improved a lot.
Hope this helps!
KR, Lyka