Are you confused by how user roles in AX 2012 are integrated with Management Reporter roles? Have problems adding or deleting users in Management Reporter? Get your answers here.
In the last couple of weeks I have been asked by AX developers about Management Reporter Security. Mainly, they were stumped by how assigning different roles to users in Management Reporter does not quite turn out as they had expected. Both times I felt I could only give a partial answer. Thus, I decided to do a little experiment to find out the truth once and for all… or until Microsoft comes up with the next Rollup I suppose!
In this topic, I will cover:
- Adding users from AX 2012
- User is assigned an AX 2012 role that does not map to Management Reporter
- Assigning user a viewer role
- Assigning user a generator role
- Assigning user a designer role
- Assigning user an admin role
- Users of higher access
- Deleting user
- How to integrate users in Configuration Console
- Where is the user data stored in the database?
Management Reporter is able to integrate with different flavours of Microsoft Dynamics but in this topic I will cover integration with Microsoft Dynamics AX 2012 only, and only for up to RU5, simply because that is what is available to me for my experiment!
You can download the Management Reporter Integration Guide for Microsoft Dynamics AX 2012 here.
In the guide, the section called Integrating users from Microsoft Dynamics AX 2012 covers all of only two pages. Hopefully this blog post expands on that and clarify things.
The following table explains how user roles in Microsoft Dynamics AX 2012 are transferred into Management Reporter.
Note the last statement that the LedgerViewFinancialStatement privilege for viewers must be added in AX. I will demonstrate that. Also, what it does not say is that if the user is assigned to any other role in AX except those shown here, they will not have access to Management Reporter, even for System Administrator. Yes, the user name will not even show up in the user security list in Management Reporter!
Adding users from AX 2012
Here is what is written in the guide
What it does not say is how and when the change is reflected in Management Reporter. This will be covered in How to integrate users in Configuration Console.
Firstly I am going to add a user called CONTOSOuser5 to Management Reporter which currently does not exist.
To add CONTOSOuser5 to Management Reporter, fire up Microsoft Dynamics AX and add the CONTOSOuser5 as a new user.
User5 is now an AX User, but he is not added to Management Reporter yet.
User is assigned an AX 2012 role that does not map to Management Reporter
If a user is assigned a role that is not recognised as a role in Management Reporter, the user is not added into Management Reporter – even for a system administrator role in AX 2012!
Here, user5 is assigned the System Administrator role in AX 2012.
In Management Reporter, user5 is still not added.
Assigning user a Viewer role
As mentioned in the guide, create a new LedgerViewFinancialStatement privilege.
To find out more about creating security privileges in AX 2012, click here.
Assign LedgerViewFinancialStatement privilege to a new role or to a current role. In this case I created a new role also called LedgerViewFinancialStatement and assigned the LedgerViewFinancialStatement privilege to it.
To find out more about creating security roles in AX 2012, click here.
Assign user5 the LedgerViewFinancialStatement role.
Open Configuration Console and wait until everything is fully integrated.
Now open the users list in Management Reporter -> Security. User5 is added as a Viewer.
Assigning user a Generator role
Remove the LedgerViewFinancialStatement role from User5 and assign the role of Financial Controller instead.
Again wait until everything is fully integrated in the Configuration Console.
Now re-open the users list in Management Reporter -> Security. User5 has the Generator role.
Assigning user a Designer role
In AX 2012, assign user5 with the role of Accounting Manager.
Again wait until everything is fully integrated in the Configuration Console.
Now re-open the users list in Management Reporter -> Security. User5 has the Designer role.
Assigning user an Admin role
The AX 2012 system administrator role does not map into the Administrator role in Management Reporter. So the user needs to be assigned the Security Administrator role instead.
Again wait until everything is fully integrated in the Configuration Console.
Now re-open the users list in Management Reporter -> Security. User5 has the Administrator role.
Users of higher access
As you probably have seen by now, the AX roles of higher access (if you like) determines the role in Management Reporter. In the last example, user5’s highest AX Role is Security Administrator. Therefore the role in Management Reporter is Administrator even though user5 is also assigned as Accounting Manager and Financial Controller in AX 2012.
Deleting user
Here is what is mentioned in the Guide:
That is not entirely correct.
To delete a user that was integrated from AX 2012, you can either:
- Delete the user from AX 2012.
- Remove all Management Reporter mapped roles for the user.
I will demonstrate the second point as the first is obvious.
In Management Reporter -> Security, right-click on user5. The Delete… option is greyed out. You cannot manually delete a user that is integrated from AX 2012.
In AX 2012, remove all roles from user5 that maps to Management Reporter.
Again wait until everything is fully integrated in the Configuration Console.
Now re-open the users list in Management Reporter -> Security. User5 has been deleted in Management Reporter.
How to integrate users in Configuration Console
To integrate users from AX 2012, one would expect to hit a button to activate integration but that does not exist in Management Reporter. As seen in previous examples, in Configuration Console, once everything has been fully integrated, the roles will also be fully integrated.
While doing this experiment, data integration happens every minute, and full integration happens every 5 minutes.
Where is the user data stored in the database?
The user data is located in the [ManagementReporter] database in the [dbo].[SecurityUser] table.
Summary
Users in AX 2012 are mapped to Management Reporter only by certain roles that is shown in this table here.
Users can be added to Management Reporter by assigning them specific roles in AX 2012. Likewise, users can be deleted from Management Reporter by unassigning them specific roles in AX 2012.
AX roles of higher access determines the role in Management Reporter.
Full integration with AX 2012 occurs regularly and frequently as long as the service is running. There is no specific button to activate integration.
I hope this clarifies Management Reporter Security roles and integration process.