D365 Finance & Operations and Dynamics AX Forum


Sensitive Bank Account Duties not working as expected

  • 1.  Sensitive Bank Account Duties not working as expected

    TOP CONTRIBUTOR
    Posted 22 days ago
    We need to restrict the visibility of customer and vendor bank account numbers from some users.  I am attempting to use the following duties:

    View sensitive customer bank information
    View sensitive vendor bank information

    I've created new roles for users that need to see other customer and vendor data but have specifically excluded these duties, however the users in question are still able to see the bank accounts on the customer and vendor main screen under the payment fasttab and in the bank account menu item.  Browsing the roles with these duties in the security configuration, I am fairly certain that the users are not getting this access through another role.

    Can anyone help me with how to do this?  Also, what should the desired outcome look like?  Blank field, masked field, hidden field?

    I've had success setting up a deny permission on the Federal Tax ID field, but would prefer to use the out of the box duties.

    ------------------------------
    Mark Schurmann
    Accounting Systems Manager
    Automobile Protection Corp
    Norcross GA
    ------------------------------


  • 2.  RE: Sensitive Bank Account Duties not working as expected

    Posted 22 days ago
    Assigning view privilege does not mean you/users are not going to see those vendors or customers at all. With view privilege you can still see the screen but won't be able to edit anything on that screen. If you don't want the user to see anything on this form then don't give them access.

    What roles are assigned to those users who see these forms even after excluding these privileges? Are those custom roles or standard roles?

    ------------------------------
    Sukrut Parab
    Hitachi Solutions America, Ltd.
    Irvine
    ------------------------------



  • 3.  RE: Sensitive Bank Account Duties not working as expected

    TOP CONTRIBUTOR
    Posted 22 days ago
    Microsoft went out of their way to set up duties around "sensitive" data.  The customer bank account number is displayed on the main customer screen on the payment tab.  I expect that the customer bank account number is "sensitive" data and only users that have been granted this duty would be able to see it.  We have many users that need to access and edit the customer screen.  Only a select few should be able to see or edit the customer bank account.  What does this duty do if it is not to restrict access to other users?

    ------------------------------
    Mark Schurmann
    Accounting Systems Manager
    Automobile Protection Corp
    Norcross GA
    ------------------------------



  • 4.  RE: Sensitive Bank Account Duties not working as expected

    Posted 22 days ago
    I just checked the duty View sensitive customer bank information and it uses the privilege CustBankAccountsTPFView, which has read access given to 3 fields, which is going to show these fields to users.

    I am not sure if you are using standard roles or customized ones, but you have to troubleshoot whether the assigned roles have something in them which is showing them these fields, if you did not assign these duties to those roles.


    ------------------------------
    Sukrut Parab
    Hitachi Solutions America, Ltd.
    Irvine
    ------------------------------



  • 5.  RE: Sensitive Bank Account Duties not working as expected

    TOP CONTRIBUTOR
    Posted 22 days ago
    They are custom roles and do not have the sensitive data duties assigned.

    ------------------------------
    Mark Schurmann
    Accounting Systems Manager
    Automobile Protection Corp
    Norcross GA
    ------------------------------



  • 6.  RE: Sensitive Bank Account Duties not working as expected

    MICROSOFT MVP
    Posted 20 days ago
    Hi Mark,

    The standard duties and privileges do have access to all fields on the customer and customer bank account tables. You have to create privileges or override table permissions on the role itself to restrict access to the sensitive fields to persons who are not allowed to see them.
    If you created a new privilege yourself, then also the fields are initially visible, unless you override table permissions.

    ------------------------------
    kind regards,

    André Arnaud de Calavon
    Solution Architect, Microsoft MVP - Microsoft Dynamics Business Solutions
    ------------------------------



  • 7.  RE: Sensitive Bank Account Duties not working as expected

    TOP CONTRIBUTOR
    Posted 20 days ago
    Sorry, I'm still confused.  The "Sensitive" data duties are standard.  If all of the roles, standard or custom, have access to the fields underlying the "Sensitive" data, what is the purpose of the "Sensitive" data duties?

    ------------------------------
    Mark Schurmann
    Accounting Systems Manager
    Automobile Protection Corp
    Norcross GA
    ------------------------------



  • 8.  RE: Sensitive Bank Account Duties not working as expected

    MICROSOFT MVP
    Posted 20 days ago
    Hi Mark,

    I can understand your confusion. In my opinion it would make sense to have standard duties which initially don't have access to sensitive fields. Other duties can then complement them. When you create new privileges yourself, then initially, you don't have access to fields marked as sensitive using the Table Permissions Framework. You do have access to e.g. the default bank account field on the customer and vendor master. (This is to clarify the confusion if you read my previous reply and combine it with this new reply.)
    In case you have your own privilege without access to the sensitive fields, you can add the privilege or duty granting this access.

    If you now look at the current implementation of 'Not set' and 'Deny', then there is a gap preventing Microsoft and ISVs from delivering your requirement out of the box. If you grant e.g. view access on a bank account number, you also have to deny update access to prevent making updates. The combination of 'View' set to grant and 'Update' to deny is not possible within Visual Studio. If you have a deny somewhere it has priority above granting a certain permission.
    I do think for this reason, it is currently up to an implementation how to configure the security.

    ------------------------------
    kind regards,

    André Arnaud de Calavon
    Solution Architect, Microsoft MVP - Microsoft Dynamics Business Solutions
    ------------------------------
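
Added example (not part of the original thread and not Microsoft's code): a simplified model of the troubleshooting suggested in replies 4 and 8, tracing which role and privilege give a user a field and applying the rule that a deny takes priority over a grant. All user, role, privilege and field names are constructed placeholders, and the resolution logic models only what the thread states, not the full D365 security engine.

```python
from collections import namedtuple

# One field-level permission carried by a privilege inside a role.
# grant is "grant", "deny" or "not set" (the three states named in the thread).
Entry = namedtuple("Entry", "role privilege field access grant")

# Constructed sample data: every name below is a placeholder, not a real
# D365 role, privilege or field taken from a security export.
ENTRIES = [
    # A custom role without the "sensitive" duty still exposes the field
    # because another privilege in the role grants it.
    Entry("ClerkCustom", "CustMaintain_placeholder", "bank_account_number", "view", "grant"),
    Entry("ClerkCustom", "CustMaintain_placeholder", "federal_tax_id", "view", "grant"),
    Entry("TaxRestricted", "DenyTaxId_placeholder", "federal_tax_id", "view", "deny"),
    Entry("Treasury", "SensitiveBankView_placeholder", "bank_account_number", "view", "grant"),
    Entry("Treasury", "Other_placeholder", "federal_tax_id", "view", "not set"),
]

ASSIGNMENTS = {  # constructed user -> roles mapping
    "alice": {"ClerkCustom"},
    "bob": {"ClerkCustom", "TaxRestricted"},
    "carol": {"Treasury"},
}

def effective(entries, user_roles, field, access):
    """Return (decision, sources) for one field/access pair across a user's roles."""
    relevant = [e for e in entries
                if e.role in user_roles and e.field == field and e.access == access]
    denies = [(e.role, e.privilege) for e in relevant if e.grant == "deny"]
    grants = [(e.role, e.privilege) for e in relevant if e.grant == "grant"]
    if denies:               # a deny anywhere wins over any grant
        return "deny", denies
    if grants:
        return "grant", grants
    return "not set", []     # no entry grants or denies the field

def audit(entries, assignments, field, access, allowed_users):
    """Map each user outside allowed_users who still gets a grant to its source."""
    findings = {}
    for user, roles in sorted(assignments.items()):
        decision, sources = effective(entries, roles, field, access)
        if decision == "grant" and user not in allowed_users:
            findings[user] = sources
    return findings

if __name__ == "__main__":
    for user, why in audit(ENTRIES, ASSIGNMENTS, "bank_account_number", "view", {"carol"}).items():
        print(user, "can view bank_account_number via", why)
```
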


