在Dynamics AX 2009中,有一个OOTB安全报告,其中列出了每个group及其关联的权限。
对于Dynamics AX 2012,我们拥有代替组的angular色。 在应用程序中可以看到每个angular色拥有哪些权限,但似乎没有OOTB报告来列出这些信息,以便为审计人员提供他们需要的数据。
我们可以编写自定义代码来给我们提供这些信息,但是看起来SOX可能需要现有的解决scheme。
我意识到AX2012还有第二个数据库。 即模型。 戳了一下之后,我发现了一些安全表,并试图find它们之间的关系。 我无法通过谷歌search在这些表格上find任何文档,所以如果有其他人使用这个,请注意可能有很多疏漏和问题。
--use your model database use [AxDbName_Model] go --ensure you don't cause locking when running this script set transaction isolation level read uncommitted go --I got these IDs by comparing the TypeId fields for results with what I saw in the AOT and guessing on relationships. declare @SubRoleType table (Id int, SubRoleDesc nvarchar(32)) insert @SubRoleType (Id, SubRoleDesc) values (133, 'Role / SubRole') , (134, 'Privilege') , (135, 'Duty') , (136, 'Process Cycle') declare @KernelType table (Id int, KernelTypeDesc nvarchar(32)) insert @KernelType (Id, KernelTypeDesc) values (11, 'Class') , (44, 'Table') , (45, 'ServerMethod') --here's the actual code to fetch the security model/ --it could probably be improved to make it hierarchical, but --for our company's purposes we don't seem to require that so --I didn't put any time into investigating that route. ;with permissionsModelCte (ParentId, ItemId, ItemName, ItemTypeId, ItemType, IsEnabled) as ( --duties & privileges (sub role type describes what type of permission this is; this seems to hold all security related groupings of aot objects) select mssr.ROLEHANDLE , mssr.RECID , mssr.SUBROLENAME , mssr.SUBROLETYPE , srt.SubRoleDesc , mssr.ISENABLED from ModelSecuritySubRole mssr left outer join @SubRoleType srt on srt.id = mssr.SUBROLETYPE union --permissions (kernel type defines the related object type; this seems to hold everything in the AOT) select msp.OWNERHANDLE , msp.RECID , msp.OBJECTNAME , msp.KERNELTYPE , 'Permission\' + kt.KernelTypeDesc , msp.ISENABLED from ModelSecurityPermission msp left outer join @KernelType kt on kt.Id = msp.KERNELTYPE ) select msr.Name , pmc.ItemType ChildItemType , pmc.ItemName ChildItemName , pmc.IsEnabled --, pmc.ItemId ChildItemId --interesting for investigating the script, but causes duplicate results , msr.ROLEHANDLE ItemId , pmc.ItemTypeId ChildItemTypeId --, * from ModelSecurityRole msr left outer join permissionsModelCte pmc on pmc.ParentId = msr.ROLEHANDLE --where msr.Name in ('CustInvoiceAccountsReceivableClerk', 'CCIARCollections') where msr.UTILTYPE = 133 --Roles only group by msr.Name , msr.ROLEHANDLE , pmc.ItemName --, pmc.ItemId --see select statement's ChildItemId , pmc.IsEnabled , pmc.ItemType , pmc.ItemTypeId order by msr.Name, pmc.ItemType, pmc.ItemName go