Using windows AD groups for user management in Dynamics AX 2012


Ax 2012 has an interesting feature for user management. Instead of importing the users one by one and administering in the AX environment you can simply create a user for the Active Directory  group in the AX. The system will automatically create an AX user  for every member of the group when (s)he tries to access the system. This is a dynamic process, the user rights will be adjusted according to the current group membership at each logon. If a user is added to or removed from an AD group the changes will be applied the next logon.

If the user who is logged on once is removed from every AD group that has access to the system, we will get a little unintuitive result. The system will not delete the user from the database (good so far), but the user will not be in any role in the system, not even in the default System User role. So (s)he will be able to log on, but nothing will work:

This is the User screen of an auto imported user (watch the user ID)

And this is, what the user sees from the system once removed from every user group:

This process has quite a few advantages.

  • The main being, that this process takes the burden of user management form the administrators of the AX system. Instead of having to manage hundreds of users they will have to manage a relatively few groups, and management usually means only creating the group and assign the role membership  to the groups.
  • It will also increase the security of the system, as every functions that related to the authentication (who you are) are managed in their natural place the AD. Ax has only take care of the authorization (OK, given who you are, what are you allowed to do) related to the AX system.
  • In enterprises it is quite common to have a central user rights management system, usually connected to the HR system. The majority of these systems handle AD groups, but I have not heard one that has an agent handling AX.

 

The only disadvantage of this is, that the users automatically created by the system will have an id starting with $, see above. The other fields like user name and alias are created correctly. 

Because AX seems to be tracking the version of the AD object and modify the user effective roles only if it detects a change there is an interesting side effect you should be aware of (tested it on 2012 CU3). Suppose you have an existing user in the AX and the AD (i.e. the user already logged on to AX). You create a group in the AD and add the user to the group. If you create a user from the AD group in the AX and assigns the roles to it, the user will not get the permissions from the role. What you should do instead is:

  • Create the AD group empty
  • Add the group to the AX
  • Put the member to the group after the AX user is already created.

It will work fine.

Designing the structure of the groups and roles is very project dependent. What was working for us is:

  • Create a group that will contain all the users of the AX system. Create the AX user for the group, only the default System User role should be assigned to it.
  • Create an AD group and the corresponding AX user per role.
  • And let the AD admins administer your group membership.

 Illés

 

Comments (13)

  1. Christian Jung says:

    Hi, nice overview. One question: do you know a way to changed the generated user id during the creation of the user? I mean a method where I can hook in?

  2. I have not tried to do that. It will be very hard to debug as it is triggered be external event, and it might very well be in the kernel..

  3. AX developer says:

    Can you provide steps.Is it supporting to Ax 2012 R2 ?

  4. AX developer says:

    Hi,Suppose we having AD user group Finance.So in Ax using import wizard we imported users belongs to AD User Finance.For this user Account Type is Active Directory user.Only by default system user role assign to each user.Then Created manually AD User group Finance and set Account Type as Active directory group.After that assign Finance role to the AD user group Finance.The tried to open ax with one of the user which belongs to AD user group Finance.But that role is not applying to that user.

    I am missing any steps ?

  5. AX developer says:

    Hi,As you mention above,I create only AD user group.Not created/Imported users inside AD user group and when i am trying to open ax then it is showing message "unable to open ax" like that.I am testing this on ax 2012 R2.Please guide me.

  6. Hi,

    It should work in R2 as well. The only differencew that I did not import the users but used autoimport via the group. Have no idea, I will test in my R2 test environment-

  7. AX developer says:

    Thanks.what mean by auto import via the group ?.Please check and let me know that is helpful for me.

  8. AX developer says:

    Also it is good for me if you provide steps which you followed in 2012 CU3 that will be easy to understand.

  9. Chris Tilley says:

    Hi Ax Developer,

    Your post is rather old so you are probably not facing this issue anymore but just in case someone else is:

    I think you have are almost right but have just misunderstood a step.  

    Where you say you added all users to the Active Directory group 'Finance' then imported to AX all members of that group, what you actually need to do is import ONLY the Active Directory group itself as an AX User.  You then assign the Finance Active Directory Group to AX Security roles as you have described.

    AX Then manages the creation of users who connect and are a member of that Finance group you have created.  It may have not worked because you manually imported each user when you do not need to – I haven't tested this.

    Try the below:

    Step 1:  Create Active Directory Group – e.g. AXFinanceProduction

    Step 2:  Add Users to created Active Directory Group using Users and Computers

    Step 3: in AX create an AX User corresponding to the Active Directory Group (I used the import wizard)

    Step 4: Assign created AXFinanceProduction user to required security roles.

    Try and log in with one of the members of the AD group and hopefully all should work for you.

    Chris

  10. lga says:

    Chris,

    We have done the steps above and the users have logged on.   Now we have found they need more access. When applying the additional roles to the AD group they are not getting the updated permissions.   What am I missing?

  11. Madhu Babu Rapolu says:

    In Dynamics AX 2012 R3 CU9, if there are user records with type Active Directory group, it seems Security test workspace will not work in Security Development Tool. You get below error:

    "The security test workspace is not available when you have users of type AD group in your environment".

    So the Development or Test environments should not have AD groups setup as users.

    1. Vavani says:

      My environment is AX 2012 R3 with CU8 – automatic AX user creation works OK. However, in some cases sometimes UID is funky characters such as $7A50, $432D … etc. Most of the time however though same as AD network alias. I don’t like these funky IDs. Anybody has any idea how I can stop creating funky AX UIDs?

  12. Vavani says:

    My environment is AX 2012 R3 with CU8 – automatic AX user creation works OK. However, in some cases sometimes UID is funky characters such as $7A50, $432D … etc. Most of the time however though same as AD network alias. I don’t like these funky IDs. Anybody has any idea how I can stop creating funky AX UIDs?