UA-44032151-3 page contents

Management Reporter 2012 Security Review with AX 2012


Below is a fairly detailed review of how Management Reporter 2012 security (users and user roles) are derived and directly correlate from the users created and security permissions assigned in Microsoft Dynamics AX.

This review will cover the following topics:

•Adding users from AX 2012

•User is assigned an AX 2012 role that does not map to Management Reporter

•Assigning user a viewer role

•Assigning user a generator role

•Assigning user a designer role

•Assigning user an Admin role

•Users with higher ranking security access

•Deleting a user

•How to integrate users in Configuration Console

•Where is the user data stored in the database?

You can download the Management Reporter Integration Guide for Microsoft Dynamics AX 2012 here.

In the guide, the section called Integrating users from Microsoft Dynamics AX 2012 covers all of only two pages. Hopefully this post expands on that and clarify things.

The following table explains how user roles in Microsoft Dynamics AX 2012 are transferred into Management Reporter.

 

Note the last statement that the LedgerViewFinancialStatement privilege for viewers must be added in AX. This post will demonstrate what that looks like. Also, what the guide does not articulate is that if an AX user is assigned to any other role in AX except those shown here, they will not have access to Management Reporter, even for System Administrator. The user name will not appear in the user security list in Management Reporter.

 

Adding users from AX 2012:

Here is what is written in the guide.

What it does not say is how and when the change is reflected in Management Reporter. This will be covered in How to integrate users in Configuration Console section below.

Let’s start by first adding a user called CONTOSO\user5 to Management Reporter which currently does not exist (or appear in the list below).

To add CONTOSO\user5 to Management Reporter, open Microsoft Dynamics AX and add the CONTOSO\user5 as a new user.

User5 is now an AX User, but the user is still not added to Management Reporter.

 

User is assigned an AX 2012 role that does not map to Management Reporter:

If a user is assigned a role that is not recognized as a role in Management Reporter, the user is not added into Management Reporter – even for a System administrator role in AX 2012!

Here, user5 is assigned the System administrator role in AX 2012.

 In Management Reporter, user5 is still not added (because it was not assigned the Security administrator role).

 

Assigning user a Viewer role:

As mentioned in the guide, create a new LedgerViewFinancialStatement privilege.

To find out more about creating security privileges in AX 2012, click here.

Assign LedgerViewFinancialStatement privilege to a new role or to a current role. In this case, a new role also called LedgerViewFinancialStatement is created and assigned the LedgerViewFinancialStatement privilege.

To find out more about creating security roles in AX 2012, click here.

The user5 is assigned to the LedgerViewFinancialStatement role.

Open Configuration Console and wait until everything is fully integrated.

Now open the users list in Management Reporter -> Security. User5 is added as a Viewer.

 

Assigning user a Generator role:

First remove the LedgerViewFinancialStatement role from User5 and then assign the role of Financial Controller instead.

Again wait until everything is fully integrated in the Configuration Console.

Now re-open the users list in Management Reporter -> Security. User5 has the Generator role.

 

Assigning user a Designer role:

In AX 2012, assign user5 with the role of Accounting Manager.

Again wait until everything is fully integrated in the Configuration Console.

Now re-open the users list in Management Reporter -> Security. User5 has the Designer role.

 

Assigning user an Admin role:

The AX 2012 System administrator role does not map into the Administrator role in Management Reporter. So the user needs to be assigned the Security administrator role instead.

Again wait until everything is fully integrated in the Configuration Console.

Now re-open the users list in Management Reporter -> Security. User5 has the Administrator role.

 

Users with higher ranking AX 2012 security access:

As you probably have seen by now, the AX roles with higher ranking security access (so to speak) determines the role in Management Reporter. In the last example, user5’s highest AX Role is Security administrator. Therefore, the role in Management Reporter is Administrator even though user5 is also assigned as Accounting Manager and Financial Controller in AX 2012.

 

Deleting a user:

Here is what is mentioned in the Guide:

That is not entirely correct.

To delete a user that was integrated from AX 2012, you can either:

  • Delete the user from AX 2012.

- OR -

  • Remove all Management Reporter mapped roles for the user.

Below is a demonstration of the second point as the first is obvious.

In Management Reporter -> Security, right-click on user5. The Delete… option is greyed out. You cannot manually delete a user that is integrated from AX 2012.

In AX 2012, remove all roles from user5 that maps to Management Reporter.

Again wait until everything is fully integrated in the Configuration Console.

Now re-open the users list in Management Reporter -> Security. User5 has been deleted in Management Reporter.

 

How to integrate users in Configuration Console:

To integrate users from AX 2012, one would expect to hit a button to activate integration but that does not exist in Management Reporter. As seen in previous examples, in Configuration Console, once everything has been fully integrated, the roles will also be fully integrated.

 

Where is the user data stored in the database?:

The user data is located in the [ManagementReporter] database in the [dbo].[SecurityUser] table.

 

Summary:

Users in AX 2012 are mapped to Management Reporter only by certain roles that is shown in this table here.

Users can be added to Management Reporter by assigning them specific roles in AX 2012. Likewise, users can be deleted from Management Reporter by unassigning those specific roles in AX 2012.

AX roles of higher access determines the role in Management Reporter.

Full integration with AX 2012 occurs regularly and frequently as long as the service is running. There is no specific button to activate integration.

 

***Source information from Terry Choo's blog post found here.

 

Management Reporter 2012 and AX 2012 User Integration VIDEO: [View:https://www.youtube.com/watch?v=KOddMrcASZw&list=PL573AD14DF14A456F&index=1&feature=plpp_video]

 

Comments (1)
  1. AX AD Group Role assignment and MR says:

    Just to add to this, Prior to MR2012 CU11 MR does not understand that an AD Group role assignment in AX is not a user. It therefore imports the group and proceeds to complain it cannot find the AD user, breaking the user integration process until you get rid of the group in AX. MR2012CU11 and above MR now understands that an AD Group role assignment is not a a user and does not import it. But it still does not understand that a role giving access to management reporter can be allocated to a user via the AD group membership and hence the roles assigned by the AD group in the AX users.  

Comments are closed.

Skip to main content