In this post I would like to present a feature that allows you to restrict access to the data included in Management Reporter financial reports. A common business scenario for this feature is one where business unit/cost center managers shall only have access to the data of the business unit/cost center they are responsible for.
To see how the Management Reporter unit security feature can be applied, let’s have a look at the following Income Statement report, which shows the total amounts split up by business units.
Assume that we want to restrict the report data access for Phyllis, the manager of business unit BU001, in a way that she has access to the Income Statement data of her business unit only. This restriction can be accomplished by setting up a report with a reporting tree that includes the respective users in the unit security column. Because the report includes all business units next to each other in separate columns, the reporting tree elements additionally need to be linked to the respective columns. This linkage and the unit security setup are illustrated in the next screen-print.
With this setup in place, Phyllis will see the following report, once she opens it.
The security restriction setup also applies to the Management Reporter drill-down functionality in Dynamics AX. That is, if Phyllis wants to see the voucher transaction details that make up a specific amount shown in the report and drills down into the Dynamics AX voucher transactions, she will only see the filtered transactions for her business unit. This system behavior is illustrated in the next screen-print:
A second thing to note here is that the Management Reporter unit restriction does not control whether or not Phyllis can open and access all transaction details through the Dynamics AX client directly. In the example used, Phyllis can log into the Dynamics AX client and access the complete voucher details, including the amounts that were recorded for the other business units. Example:
If you have users that can circumvent the Management Reporter unit restriction this way, you have to ensure that you also implement the extensible data security framework in Dynamics AX. Otherwise, the unit security feature does not make much sense. Please see the following sites 1 / 2 for additional information on the extensible data security framework.
Report modification 1
Now let’s have a look at some Management Reporter design considerations that you should be aware of when making use of the unit security feature and reporting trees in general. Let’s imagine that the Income Statement report shown previously is modified so that the cost centers that make up a business unit are also included in separate report columns. If you follow the same unit restriction setup shown previously for the sub-elements of the business units as well …
… users won’t see all details once they open their report. In the example used, Phyllis will see the following data when opening the report:
The data for the cost centers that make up the business unit cannot immediately be identified but rather have to be opened separately by selecting one of the business units. Example:
Report modification 2
Because of the previous data illustration issue, the report is modified once again in a way that the business unit and total columns are now set up as computed columns. (Please see the yellow highlighted section in the next screen-print.)
With this setup in place, Phyllis will get the following message once she opens the report.
By selecting one of the cost center elements, she will finally be able to see the data for the selected cost center but not automatically for the other ones without selecting them separately.
Report modification 3
To prevent the Income Statement report from opening with an error message for the business unit / cost center managers, the report design is further modified as follows:
The major difference to the previous setup is that the cost center sub-elements that make up the business division are now indented in the reporting tree. This setup finally ensures that Phyllis is able to see all data of the business unit she is responsible for when opening the report.
If Phyllis drills down to the different sub-elements, the report will filter the selected data respectively. Example:
I hope the different examples gave you an impression of what to look out for when designing Management Reporter reports that include reporting trees and make use of the unit security feature. The major takeaway from this post is that setting up the unit security feature in Management Reporter does not make much sense if users can circumvent those restrictions by extracting the data directly from the AX client. To avoid such scenarios, you have to ensure that the extensible data security framework is applied concurrently in the AX client.
Pradeep Kumar said:
Hi Ludwig Reinhard,
First of all, thanks for such a wonderful post. I am in a similar situation and will be implementing security via Unit Security to secure data access to different Business Units.
As you suggested, I will have to work with XDS to control access to data via the Dynamics client. But this solution is not dynamic. I mean, what if in future we have new business units? That means we will again have to go back into development to add a new security policy and publish it with a new security role.
Please correct me if I am making some mistakes.