Ad hoc reporting security

Dynamics AX 4.0

This topic discusses how security is enforced for the ad hoc reporting features, ad hoc reports, and report data in Microsoft Dynamics AX. This topic also describes how to configure security for ad hoc reporting.

Report Builder and Report Manager are the primary features for creating, viewing, and managing ad hoc reports. A report model is a description of the business data and corresponding relationships that users can navigate in an ad hoc report. By default, only Microsoft Dynamics AX administrators have access to these features and data. If a user requires access to ad hoc reporting features, reports, or data, an administrator must add the user to a group with the appropriate permissions as described in this topic.

Note

All security restrictions and permissions set in Microsoft Dynamics AX automatically apply to ad hoc reporting features, reports, and data. Security and permissions are enforced immediately. You do not need to synchronize data or regenerate report models to enforce security restrictions.


When you set up ad hoc reporting in your organization or business, consider the following guidelines and best practices:

  • Create Microsoft Dynamics AX user groups and grant the appropriate permissions for these groups (described later in this topic) before users can access ad hoc reporting features, reports, or data.

  • Set up a precise security policy for ad hoc reporting by setting restrictions on database tables and fields, and by using record-level security filters.

  • Control access to report data on a per-company basis.

  • Grant access to the server hosting Microsoft SQL Server 2005 Reporting Services only to administrators and approved developers.

  • If you configure Microsoft Dynamics AX to publish report models to a shared folder or Universal Naming Convention (UNC) directory on a server, ensure the directory is only accessible by those users who have permission to write to that directory.

  • If users access ad hoc reports from an external-facing Web site or if report models are published to an external-facing Web site, use Secure Sockets Layer (SSL) technology to encrypt data transmission.

  • As a security best practice, periodically change the password associated with the ad hoc reporting domain account (the account set up when you installed the Reporting Services role).

  • Be aware that Reporting Services roles and security are not managed by the Microsoft Dynamics AX installation program or application. Reporting Services roles and security must be managed by an administrator through Microsoft SQL Server 2005 Reporting Services Report Manager.

The following table describes ad hoc reporting keys and menu items that must be enabled in the Microsoft Dynamics AX permissions tree before members of a user group can access the corresponding features, reports, or data.

| Key or Menu name | Location in the Permissions tree (when Viewing = Security) | Recommended access level | Details |
| --- | --- | --- | --- |
| Report Builder | Basic > Inquiries | View | Enables access to the Report Builder menu. Report Builder is the primary tool for creating and modifying ad hoc reports. |
| Report Manager | Basic > Inquiries | View | Enables access to the Report Manager menu. Report Manager is the primary tool for viewing and managing reports. |
| Report Builder options | Basic > Setup | Full control | The Report Builder options menu allows users to select report data for their reports and a report language (if applicable). |

Only administrators and approved developers should have access to the following security keys and menu items. If an end user or malicious user gained access to one of these items, that user might be able to generate and publish a report model and thereby view sensitive data they are not intended to view.

| Key or Menu name | Location in the Permissions tree (when Viewing = Security) | Recommended access level |
| --- | --- | --- |
| Manual Update Options; Model generation options; Model languages; Model Security Key Cache; Reporting Servers (menu item); Reporting Servers (table); Reporting Services field cache; Reporting Services role cache; SRS Model Options | Administration > Setup | Full control |

To grant access to ad hoc reporting features

  1. From a Microsoft Dynamics AX client, click ( > > > .

  2. On the tab, select a user group and then select a domain.

  3. Click the tab.

  4. In the list box, select the item(s) for which you want to set permissions. Press and hold the CTRL button on your keyboard to select multiple items.

  5. Under , select a permissions level. Once you select a permissions level, the selected item shows a check mark to indicate that permissions have been set.

  6. Click the button to ensure all dependent keys are set and so that all child tables, forms, and nodes inherit this permission level.

  7. Press CTRL+S to save changes.

Note

If you need to set permissions for a group in a different domain, repeat this procedure and select the new domain in step 2.


A secure view is a database view that enforces security on tables when accessed from outside of Microsoft Dynamics AX. The application creates secure views of all data for every table referenced in a report model when the model is generated or updated. When a user accesses report data using Report Builder, security is automatically enforced so users see only the data they are supposed to see (according to their user group membership).

If your organization or business does not intend to use Report Builder, you must generate secure views using the form ( > > ).

Important

Database views are stored in the database. By default, only the database administrator, the account for the Application Object Server (AOS), and the Reporting Server domain account have access to secure views. Do not grant users access to secure views. If a user gains access to secure views, the user could view data not intended for that individual.
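
One way to check the default described above, as an added example that is not part of the original topic or of Microsoft Dynamics AX: the T-SQL below lists database principals that can read views outside an expected set of accounts. It assumes SQL Server 2005 catalog views; the page does not give the names of the secure views, so the query covers every view in the database, and the account names are placeholders.

```sql
-- Run in the Microsoft Dynamics AX database, as a single batch.
-- Expected accounts: placeholders (assumptions). Replace with your database
-- administrator, AOS account, and Reporting Server domain account.
DECLARE @expected TABLE (principal_name sysname PRIMARY KEY);
INSERT INTO @expected (principal_name)
SELECT N'dbo'
UNION ALL SELECT N'DOMAIN\aos_account_placeholder'
UNION ALL SELECT N'DOMAIN\reporting_account_placeholder';

-- 1. Explicit grants that allow reading views: on a single view,
--    on a whole schema, or database-wide.
SELECT pr.name        AS principal_name,
       pr.type_desc   AS principal_type,
       pe.state_desc  AS permission_state,
       pe.permission_name,
       pe.class_desc  AS scope,
       COALESCE(sv.name + N'.' + v.name, sc.name, N'(entire database)') AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.views   AS v  ON pe.class = 1 AND v.object_id = pe.major_id
LEFT JOIN sys.schemas AS sv ON sv.schema_id = v.schema_id
LEFT JOIN sys.schemas AS sc ON pe.class = 3 AND sc.schema_id = pe.major_id
WHERE pe.state IN ('G', 'W')                       -- GRANT, GRANT WITH GRANT OPTION
  AND pe.permission_name IN (N'SELECT', N'CONTROL')
  AND (v.object_id IS NOT NULL OR pe.class IN (0, 3))
  AND pr.name COLLATE DATABASE_DEFAULT
      NOT IN (SELECT principal_name FROM @expected)
ORDER BY pr.name, securable;

-- 2. Members of fixed database roles that can read every view implicitly,
--    without any row appearing in sys.database_permissions.
SELECT m.name      AS member_name,
       m.type_desc AS member_type,
       r.name      AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_datareader')
  AND m.name COLLATE DATABASE_DEFAULT
      NOT IN (SELECT principal_name FROM @expected)
ORDER BY r.name, m.name;
```

Any row returned is a principal outside the expected set; a row for the public role means every database user can read the listed securable.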

