D365 Finance & Operations and Dynamics AX Forum


Security roles do not work for all users

  • 1.  Security roles do not work for all users

    Posted 10 days ago
    Hello everyone,

    I hope you can help with an issue that's occurring with Dynamics 365 F&O. We have assigned a customized security role to various users. This role includes only standard duties and privileges. When we tested the role we were sure that it worked for all the actions that the users had to do, in this case, they must be able to approve POs and purchase requisitions.

    However, some users began to report that they couldn't do approvals because when they tried to do it, the system showed this message:

    "Function TaxMap.parmSourceDocLineTypeEnumValue has been incorrectly called"

    The standard role to do these actions doesn't work for us because of the security policies that our client has. We tried to modify the role by adding the TaxUncommitted table, but it only works for one user and not for all of them.

    All the approval users only contain this role and we don't understand the reason why only a few users can do approvals and the others can't.

    Do you know something about this kind of issue and how it could be resolved? Any help would be greatly appreciated.

    ------------------------------
    Lizzeth Arredondo
    GCG - GONZALEZ, CORTINA, GLENDER Y CIA., S.A. DE C.V.
    Col. Polanco Chapultepec
    ------------------------------


  • 2.  RE: Security roles do not work for all users

    TOP CONTRIBUTOR
    Posted 9 days ago
    Hi Lizzeth,

    Not sure which version you are on or if this is the same issue, but there is a hotfix on LCS with that exact error.
    Might be worth taking a look.


    ------------------------------
    Christopher Ho Yee
    Altius Consulting
    Richmond BC
    ------------------------------



  • 3.  RE: Security roles do not work for all users

    Posted 9 days ago
    Hello Christopher,

    Thanks for your reply. We are working with Microsoft Dynamics 365 for Finance and Operations (version 10.0.4) Update 28.

    We already have that KB installed, so I don't think that it has been the problem. Also, I reviewed your suggestion of adding "Maintain purchase order details" duty, but sadly, I couldn't prove this alternative. Our client doesn't want to use this duty as the approvers don't have to edit the purchase orders that they have to approve.

    But, even if it had worked, we still can't explain why the role works for some users and not for others.

    Regards.

    ------------------------------
    Lizzeth Arredondo
    GCG - GONZALEZ, CORTINA, GLENDER Y CIA., S.A. DE C.V.
    Col. Polanco Chapultepec
    ------------------------------



  • 4.  RE: Security roles do not work for all users

    TOP CONTRIBUTOR
    Posted 9 days ago
    Ironically, we are now getting this exact error on an expense report.

    However, have you looked at this blog post for your issue - https://community.dynamics.com/365/supply-chain-management/f/dynamics-365-supply-chain-management-forum/358629/posting-purchase-order-123456-function-taxmap-parmsourcedoclinetypeenumvalue-has-been-incorrectly-called. It is suggested that the "Maintain purchase order details duty" is missing. Maybe this will resolve your issue.

    Meanwhile, the hunt for the source of my issue continues.

    ------------------------------
    Christopher Ho Yee
    Altius Consulting
    Richmond BC
    ------------------------------



  • 5.  RE: Security roles do not work for all users

    TOP CONTRIBUTOR
    Posted 9 days ago
    Edited by Alex Meyer 9 days ago
    Lizzeth,

    Can you take a task recording of the process you are wanting the user to perform and post it here or send it privately to me? I can take it and run it through analysis to generate the menu item assignments needed. I also have this blog post on the association between task recordings and security setup here:

    Obtain Menu Items From Dynamics AX 2012 and Dynamics 365FO Task Recordings


    ------------------------------
    Alex Meyer
    Director of Dynamics AX/365 for Finance & Operations Development
    Fastpath
    Des Moines, IA
    ------------------------------



  • 6.  RE: Security roles do not work for all users

    Posted 9 days ago
    Alex

    Link is dead, would be interested to read on, thanks.

    Best
    Andreas

    ------------------------------
    Andreas Mörker
    Global Master Data Manager
    SIGVARIS
    ------------------------------



  • 7.  RE: Security roles do not work for all users

    TOP CONTRIBUTOR
    Posted 9 days ago
    Andreas,

    Link has been fixed, feel free to reach out with any questions.

    ------------------------------
    Alex Meyer
    Director of Dynamics AX/365 for Finance & Operations Development
    Fastpath
    Des Moines, IA
    ------------------------------



  • 8.  RE: Security roles do not work for all users

    Posted 9 days ago
    Works now, thanks a lot!

    ------------------------------
    Andreas Mörker
    Global Master Data Manager
    SIGVARIS
    ------------------------------



  • 9.  RE: Security roles do not work for all users

    SILVER CONTRIBUTOR
    Posted 9 days ago

    Hi Lizzeth,

    I am assuming this is not the issue, but wanted to mention it regardless because it has caused issues for us in the past with approvals. The employee doing the approval (and whoever is submitting) needs employee records that are linked to the user, and it won't work without that link. Again, I don't think this is the issue here, but it's on my checklist when investigating security issues and I thought I'd mention it.

    Thanks.



    ------------------------------
    Kerstin Newman
    Business Analyst
    StarTech.com
    London ON
    ------------------------------



  • 10.  RE: Security roles do not work for all users

    Posted 9 days ago
    Hi Kerstin,

    Thank you so much for your response. All the users have an employee assigned. We have also reviewed the User Groups and the Workflows and we haven't found anything that tells us that there's a problem with the assignments in the Workflows or in the User Groups.

    Kind regards.

    ------------------------------
    Lizzeth Arredondo
    GCG - GONZALEZ, CORTINA, GLENDER Y CIA., S.A. DE C.V.
    Col. Polanco Chapultepec
    ------------------------------



  • 11.  RE: Security roles do not work for all users

    Posted 9 days ago
    Hi Alex,

    Thank you so much for your response. I have already run the task recorder before and analyzed it with the "Security diagnostics for task recordings" tool. However, for the users who are experiencing this issue, the system did not show me any missing permissions.


    Anyway, I'm sharing the task recorder file in case you could help me to find something else.

    Best regards,


    ------------------------------
    Lizzeth Arredondo
    GCG - GONZALEZ, CORTINA, GLENDER Y CIA., S.A. DE C.V.
    Col. Polanco Chapultepec
    ------------------------------

    Attachment(s)

    xml
    Approval Process.xml   14K 1 version


  • 12.  RE: Security roles do not work for all users

    TOP CONTRIBUTOR
    Posted 8 days ago
    Lizzeth,

    Was the correct task recording attached? When I run this in the Security Diagnostics for Task Recordings I get this:



    ------------------------------
    Alex Meyer
    Director of Dynamics AX/365 for Finance & Operations Development
    Fastpath
    Des Moines, IA
    ------------------------------



  • 13.  RE: Security roles do not work for all users

    Posted 8 days ago
    Hi Alex,

    Yes, I recorded the simplest way in which a user can access the PO that he/she has to approve: from the main screen in the "Work items assigned to me" section. That is the recording I shared with you.

    I'm attaching the "long way" to do this.

    I'm very grateful for your help.

    Regards!

    ------------------------------
    Lizzeth Arredondo
    GCG - GONZALEZ, CORTINA, GLENDER Y CIA., S.A. DE C.V.
    Col. Polanco Chapultepec
    ------------------------------

    Attachment(s)

    xml
    Approval of a PO.xml   17K 1 version


  • 14.  RE: Security roles do not work for all users

    Posted 9 days ago
    Hi Lizzeth,

    Are you able to reproduce this issue in a separate environment? Probably with a recent copy of the database? If so, then try to add the system administrator role in the test environment to see if it is security related or a bug in coding. When it continues as system administrator, it is related to security. Can you also tell which exact duties and/or privileges you have used in your custom role?

    ------------------------------
    kind regards,

    André Arnaud de Calavon
    Solution Architect, Microsoft MVP - Microsoft Dynamics Business Solutions
    ------------------------------



  • 15.  RE: Security roles do not work for all users

    Posted 9 days ago
    Hello André,

    This issue occurs in all our environments. We have recently copied the Production database to our UAT environment and the same users had the same problem.

    When we added the system administrator role they could approve the POs and Purchase Requisitions without problems, but just with that role.

    The customized role we have created for the approval users contains only these duties:

    • Approve purchase order
    • Approve purchase requisitions
    • Approve vendor invoices

    All of them are the native duties of D365.

    Thank you so much for your response.

    Regards,

    ------------------------------
    Lizzeth Arredondo
    GCG - GONZALEZ, CORTINA, GLENDER Y CIA., S.A. DE C.V.
    Col. Polanco Chapultepec
    ------------------------------



  • 16.  RE: Security roles do not work for all users

    Posted 8 days ago
    Hi Lizzeth,

    Have you also tried applying the default AP roles in the UAT environment?

    ------------------------------
    kind regards,

    André Arnaud de Calavon
    Solution Architect, Microsoft MVP - Microsoft Dynamics Business Solutions
    ------------------------------



  • 17.  RE: Security roles do not work for all users

    Posted 8 days ago
    Hi André,

    We did not find any AP role that included the "Approve purchase order" duty. We tried with the "Purchasing manager" role and the "Purchasing agent", though. Both of them work, but unfortunately, our client has very strict control of the security across the legal entities and they did not accept to use the standard roles of the system.

    We tried to use the standard duties and privileges as much as was possible, and in this case, the standard duties we used were the three I mentioned above.

    Kind regards,

    ------------------------------
    Lizzeth Arredondo
    GCG - GONZALEZ, CORTINA, GLENDER Y CIA., S.A. DE C.V.
    Col. Polanco Chapultepec
    ------------------------------



  • 18.  RE: Security roles do not work for all users

    Posted 9 days ago
    Are there any workflows associated with the PO approval process? Similar to Kerstin's comment, we have had issues with either the user not being an "employee" or not being in the workflow. 

    ------------------------------
    Victoria LeVine
    AXON
    Scottsdale AZ
    ------------------------------



  • 19.  RE: Security roles do not work for all users

    Posted 9 days ago
    Hello Victoria,

    Yes, all the approval processes have a Workflow. We were managing User Groups, but we thought that it might be the issue and then we changed the workflow to a specific user, although we had reviewed before that all our users were in that User Group and that they had an employee assigned. After we did that the problem persisted.

    Regards,

    ------------------------------
    Lizzeth Arredondo
    GCG - GONZALEZ, CORTINA, GLENDER Y CIA., S.A. DE C.V.
    Col. Polanco Chapultepec
    ------------------------------



  • 20.  RE: Security roles do not work for all users

    D365UG/AXUG ALL STAR
    Posted 8 days ago
    Hi Lizzeth,

    I am still on 2012, but I had a similar error. Do you grant users to specific organizations? I found that I needed my users who processed POs to be granted to all organizations. I thought it had to do with how we set up vendors, but just thought I'd share that tidbit to see if it helps. Is there any other setting that you assign a user besides the security role? Their worker record, purchase requisition permissions, and organization assignments can also come into play for access to functions.

    Best regards,
    GG Rowe
    Planar Systems

    ------------------------------
    GG Rowe, PMP
    IT Applications and Project Manager
    Planar Systems Inc.
    Beaverton OR
    ------------------------------



  • 21.  RE: Security roles do not work for all users

    Posted 8 days ago
    Hi GG Rowe,

    Thank you so much for your reply.

    Yes, all the users have access only to specific organizations, even those ones who can do the approvals.

    On the other hand, all the organizations share the same vendor catalog. Also, all the users have an employee assigned and we have reviewed the flow lots of times and we have not detected anything that we could have been doing wrong.

    Apart from that, I cannot see any other setting that is different or that could affect the behavior of the security roles.

    Best regards,

    ------------------------------
    Lizzeth Arredondo
    GCG - GONZALEZ, CORTINA, GLENDER Y CIA., S.A. DE C.V.
    Col. Polanco Chapultepec
    ------------------------------



  • 22.  RE: Security roles do not work for all users

    TOP CONTRIBUTOR
    Posted 8 days ago
    Lizzeth,

    Is there any XDS policy set on the role in question? This would have the potential to have some users having access to certain items while others do not.



    ------------------------------
    Alex Meyer
    Director of Dynamics AX/365 for Finance & Operations Development
    Fastpath
    Des Moines, IA
    ------------------------------



  • 23.  RE: Security roles do not work for all users

    Posted 8 days ago
    Hi Alex,

    There's no XDS policy. We created the new role from zero and we assigned the duties one by one, so we can discard that a policy has been inherited from a "father" role.

    I can't see any information in the "Security policy context string" box either, and we don't have access to the AOT as we are on the cloud.

    ------------------------------
    Lizzeth Arredondo
    GCG - GONZALEZ, CORTINA, GLENDER Y CIA., S.A. DE C.V.
    Col. Polanco Chapultepec
    ------------------------------



  • 24.  RE: Security roles do not work for all users

    TOP CONTRIBUTOR
    Posted 4 days ago
    Edited by Alex Meyer 4 days ago

    Lizzeth,

    After reviewing the task recording I have some feedback.

    The first recording you sent points to the WorkflowWorkList form. This form is unique in that, because of its design, it has to handle workflows from all over the system. When this happens within AX, Microsoft has a couple of different options to handle security. Sometimes they do it in code (like when deleting an address) but in this case they actually do it in data.

    The datasource for this form is the WorkflowWorkItemTable; on this table there is actually a column named MenuItemName. This column is used to determine which menu item should be used for this particular workflow (they are all of type Display). Which workflows a user sees on this page is based on which menu items they are assigned. So for example, if you assign the user Read permission to the PurchReqTable menu item display, they would be able to see Purchase Requisition workflows.



    In my test environment I had workflows surrounding travel expenses instead of purchase orders but the process is the same. So first thing I did was to assign Read permission to the WorkflowWorklistAssignedToMe and the TrvExpenses menu item displays (which is the menu item tied to the workflow in the WorkflowWorkItemTable). When I did this for the user I was presented with the below, but what about the workflow action drop down?


    After some further digging in the X++ code I found that this drop down is dynamically generated based on the workflow record selected. To handle this, Microsoft assigns a 'dummy' name for the drop down items: WorkflowAction1, then WorkflowAction2 and so on.



    But behind the scenes, all of these processes are controlled by menu item actions. If you search for workflow in the menu item actions area of the AOT you get a good idea of how many there are.


    So for example, if I wanted my test user to be able to Approve the travel requisition workflow from above, I can look in this list for one that would tie to this action, in this case the TrvWorkflowRequisitionApprove menu item action.

    If I do this, this user now has the ability to approve this workflow.


    You could do the same thing for the other options in the Workflow drop down for this particular workflow type: Cancel, Delegate, Resubmit, Return, Submit

    So overall this user is assigned just 3 menu items:

    Menu Item Display:
    WorkflowWorkListAssignedToMe - Read
    TrvExpenses - Read

    Menu Item Action:
    TrvWorkflowRequisitionApprove - Delete

    A couple final thoughts:
    - The user above still needs to be assigned the correct user group to actually approve the request; just because their security gives them access to the button does not mean they are assigned the necessary permission within the workflow to do that.
    - When doing security testing, I've found this process to be easiest: https://alexdmeyer.com/2017/08/29/how-to-simulate-the-security-development-tool-in-dynamics-365fo-view-with-role-set/

    Feel free to reach out with any questions you may have.

    ------------------------------
    Alex Meyer
    Director of Dynamics AX/365 for Finance & Operations Development
    Fastpath
    Des Moines, IA
    ------------------------------
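
The three-entry-point requirement and the workflow-assignment caveat from the post above can be checked mechanically. The following is an added example, not part of the original thread or any Microsoft or Fastpath tool: the privilege names (`Hypo...`), the export layout, and the work item record are constructed, and the access-level ordering is assumed to be NoAccess < Read < Update < Create < Correct < Delete.

```python
# Added example; privilege names and the export layout are constructed.
LEVELS = ["NoAccess", "Read", "Update", "Create", "Correct", "Delete"]

def rank(level):
    return LEVELS.index(level)

def required_entry_points(document_menu_item, action_menu_item):
    """Entry points the post lists for approving from the work list."""
    return {
        ("display", "workflowworklistassignedtome"): "Read",
        ("display", document_menu_item.lower()): "Read",
        ("action", action_menu_item.lower()): "Delete",
    }

def effective_grants(role_privileges, privilege_map):
    """Flatten a role's privileges, keeping the highest level per entry point."""
    grants = {}
    for privilege in role_privileges:
        for (kind, name), level in privilege_map[privilege].items():
            # The post spells the work-list item with two casings,
            # so names are compared case-insensitively.
            key = (kind.lower(), name.lower())
            if rank(level) > rank(grants.get(key, "NoAccess")):
                grants[key] = level
    return grants

def missing_entry_points(role_privileges, privilege_map,
                         document_menu_item, action_menu_item):
    """Return (type, name, needed, held) for every entry point below the need."""
    grants = effective_grants(role_privileges, privilege_map)
    needed = required_entry_points(document_menu_item, action_menu_item)
    gaps = []
    for key, level in needed.items():
        held = grants.get(key, "NoAccess")
        if rank(held) < rank(level):
            gaps.append((key[0], key[1], level, held))
    return gaps

def can_approve(user, work_item, role_privileges, privilege_map, action_menu_item):
    """Security grants AND workflow assignment must both hold."""
    gaps = missing_entry_points(role_privileges, privilege_map,
                                work_item["MenuItemName"], action_menu_item)
    return not gaps and user in work_item["assigned_users"]

# Constructed sample data: hypothetical privileges and one work item row.
PRIVILEGE_MAP = {
    "HypoViewWorkList": {("Display", "WorkflowWorkListAssignedToMe"): "Read"},
    "HypoViewExpenses": {("Display", "TrvExpenses"): "Read"},
    "HypoApproveTravelReq": {("Action", "TrvWorkflowRequisitionApprove"): "Delete"},
}
WORK_ITEM = {"MenuItemName": "TrvExpenses", "assigned_users": {"approver1"}}
VIEW_ONLY = ["HypoViewWorkList", "HypoViewExpenses"]
FULL = VIEW_ONLY + ["HypoApproveTravelReq"]

if __name__ == "__main__":
    action = "TrvWorkflowRequisitionApprove"
    print(missing_entry_points(VIEW_ONLY, PRIVILEGE_MAP, "TrvExpenses", action))
    print(can_approve("approver1", WORK_ITEM, FULL, PRIVILEGE_MAP, action))
    print(can_approve("approver2", WORK_ITEM, FULL, PRIVILEGE_MAP, action))
```

A role that passes the entry-point audit but still fails for some users points away from role content and toward per-user data such as workflow assignment.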



  • 25.  RE: Security roles do not work for all users

    TOP CONTRIBUTOR
    Posted 4 days ago
    If you wanted to use out of box privileges, it looks like the following have access to submit purchase orders:


    And for purchase requisitions:


    ------------------------------
    Alex Meyer
    Director of Dynamics AX/365 for Finance & Operations Development
    Fastpath
    Des Moines, IA
    ------------------------------


