This recipe will help to manually adjust the roles for specific users. This is discussed in detail from the role perspective in Chapter 10, Setting Up and Managing Security.
Roles equate to a set of duties and privileges to system functionality. The concept of a role is to simplify the process of configuring user security by providing preconfigured roles that we simply assign to the users.
This is repeated in Chapter 10, Setting Up and Managing Security, but the role has an impact on licensing. Moreover, it unclear from the system whether the roles you assigned are functional or enterprise.
If we used the Active Direct Import wizard, we may have already assigned roles to the user.
You will need to use this method under the following conditions:
- You need to control the roles for the users by legal entity (or hierarchy)
- You need to have added the user manually
This is done from the Users list page, which is found by navigating to System administration | Common | Users | Users.
Roles can be assigned to a user by performing the following steps:
- Open the Users list page and locate the required user.
- Click on Edit or double-click on the user, as shown in the following screenshot:
We can chose to assign new roles, remove existing roles, assign organizations, and edit roles.
Removing a role is straightforward. Highlight the role and click on Remove. The user doesn't have to be logged out for this to happen, but will need to log off to see the effects of any change to the user's security.
We can assign roles to the user by performing the following steps:
- Click on Assign roles, which will show a list of all the available roles as shown in the following screenshot:
- Check each role checkbox depending on the role the user should be a member of and click on OK. This closes the form and updates the User details form.
When a user logs in to AX, they do so with a default company (synonymous with legal entity in this context, but the term company is used), set either by the user option or the client configuration.
Once this is established, the system applies the privileges associated with the user's role in that company. If the role was granted to that company in a hierarchy, the privileges are also applied.
Setting up different roles for each company (Legal entity) is discussed in the next section.
We should also assign organizations to the users. In this context, organization actually means legal entity or company in general terms. This feature provides the ability to assign the role to a section in our organizational structure (which means one or more legal entities).
In large organizations, a manager in one company might have less number of or no rights in another. Where this is the case, you can state for which companies the role applies.
By default, the role is assigned to all legal entities within your organization.
When AX is configured, you will create organization hierarchies, in which you define your organizational structure. This structure can place legal entities as children of a parent company (for example, a group company).
You can also configure your organizational structure to include the role security. If this is the case, the roles can be applied to nodes within the structure. Otherwise, this form simply lists all legal entities.
The structure in this example is as follows:
On the user details form, click on Assign organisations:
The default is Grant access to all organisations, which means all legal entities. To assign the role to a specific legal entity or sections of our organizational structure, choose Grant access to specific organisations individually.
The role can be assigned based on individual legal entities (the list in given in the preceding screenshot), or use the organizational structure designed for this purpose. This is preferable as we can then leverage the investment made in the organization's structure and get further benefits if this structure changes. If the structure is moved, the user's security is also updated.
In the following example, we shall use the structure by performing the following steps as it utilizes most of the features:
- Select Grant access to specific organisations individually.
- For the Select organisation hierarchy option, change this to the organizational structure you intend to use (which will be the most likely option). If you only have All legal entities in the list, no hierarchy has been published with the security role. An example is shown in the following screenshot:
Note
Although security can only be applied to a legal entity, you will see that hierarchy is not restricted to legal entities, and this case also includes business units. The reason is that you can place legal entities as children of a business unit (for example, you acquire a new company and want one of your business units to operate it).
- Select the node you wish to grant the role to.
- Choose Grant on a parent company to grant the user rights to the role in that company, and not in any child legal entity in the hierarchy. It is added, as shown in the following screenshot:
Tip
Notice that Hierarchy is empty. Therefore, choosing Grant on a business unit makes no sense. Business units are not a data security boundary (you can't log in to a business unit). You would only use the business unit if it has (or is likely to have) legal entities as children and then choose Grant with children.
- Highlight the new assignment and click on Revoke to remove the assignment.
- Reselect the node and choose Grant with children; it again adds a single entry, as shown in the following screenshot:
If another legal entity is placed as a child of this legal entity in the Organisation hierarchy, the user will inherit this role in that legal entity also.
The same follows for adding access to business units (which is okay if we have child entities that are legal entities). To remove access, select the entry to be removed and click on Revoke.
In Chapter 10, Setting Up and Managing Security, we will discuss security in more detail. Assigning roles to users is fine for a single, one-off adjustment or to make a short-term fix to the security, but for larger organizations, it will more likely be done from the perspective of the role.
For more information on security, please see Chapter 10, Setting Up and Managing Security