The security model in SCM is role-based. This is similar to the way in which we produce the solution design, where we design processes alongside the role that would perform them. The security model is designed using roles and duties, which in turn have the required privileges. The phrasing of a functional requirement would be written as The service order clerk will create new service orders. The role is Service order clerk, while the duty is Create new service orders. The duty implies that the user needs to have a create privilege on the service order table.

Whenever a solution is designed, even independent software vendor (ISV) solutions, we will have roles and duties in mind so that we can create security elements when the solution is written. So far, we haven't created any security elements so that we could focus on the recipes' tasks.

This does not mean...

You can find the code files for this chapter on GitHub at https://github.com/PacktPublishing/Extending-Microsoft-Dynamics-365-Finance-and-Supply-Chain-Management-Cookbook-Second-Edition/blob/master/Chapter%2010.axpp.

Privileges are normally created for each menu item (display, output, or action) for an access level. Every menu item should be in a privilege, but you can add more than one menu item to a privilege if they must never be assigned different permissions, such as menu items that point to the same form. This is the most granular level and will be grouped into duties and roles later.

Since the privilege assigns the access level, we will usually have two: one that provides a view only and one that maintains (full) access rights.

We will need an SCM project open in Visual Studio to complete this recipe.

A duty is a collection of one or more privileges. The paradigm is that we are creating a list of duties that the role will perform and, therefore, add the required privilege in order for the role to be able to perform that duty.

It is common to have only one privilege in duty, but more can be added; for example, the setup forms may be added to one duty.

Duty names are suffixed with a verb to denote the action the duty will allow the role to perform; common suffixes include Maintain, Inquire, and Approve. In order to determine the correct suffix, look at the standard duties and suffix your duties using the same naming convention.

To create a duty, follow these steps:

1. Choose to add a new item...

A role is a collection of duties and privileges. The role is what we associate with a user, which can be done automatically based on the employee's information, such as their position in the company. Security roles should be thought of in terms of the personas that first appeared with Dynamics AX 2012. This change intends to move the thinking away from creating groups of functionality to designing the roles based on how the organization is structured. For example, a sales manager would be in a sales manager role, which will have duties assigned to it. The duties have privileges, which in turn give access to the sales manager in order to perform that role.

In our case, we could consider that they have three roles: vehicle management supervisor, vehicle service supervisor, and vehicle service entry clerk. When defining these roles, we do so by defining...

The term security policies is a slight misnomer. It is also known under a more accurate term of Extensible Data Security (XDS). It is an evolution of record-level security that was deprecated from AX 2012: you could still do this, but it wasn't a recommended approach.

In this scenario, we will create a policy that only allows access to vehicles of the truck type. We will have a team that only has access to trucks when creating service orders.

To create a role, follow these steps:

1. Choose to add a new item to the project.
2. In the Add New Item dialog, select Data Model from the left-hand list and Query from the right.
3. Enter ConVMSVehicleTruckPolicy in the Name field and click on Add.
4. In...