Monday, October 27, 2014

Read-only DocuRef form for Auditors

The most common problem encounters while auditing period in companies is not to allow auditors to attach or delete attachments from DocuRef form. However, there is no out of the box role in AX, but it can be achieved with small customizations and by applying the modified duplicated copy of system role and privilege.

Step 1


Make duplicate copy of “SystemUser” role and “DocumentHandlingEssentials” privilege. In my case, I have duplicated with the name “MySystemUser” and MyDocumentHandlingEssentials”.

Step 2

In “MyDocumentHandlingEssentials” remove all entry points accept “DocuView”.

Step 3

Now assign “MyDocumentHandlingEssentials” privilege to “MySystemUser” role and make sure “DocumentHandlingEssentials” is not overriding it.

Step 4

Now go to “DocuView” form and change the “NeedPermission” property for both “New” and “Delete” command buttons to “Delete”.



You are done with the changes, now assign this customized “MySystemUser” to Auditor user and remove the default “SystemUser” role.



Note: In some AX builds you may find a privilege with name “ClientEssentials”, it too contains all “DocuRef” entry points, so if you find one in your build, apply the same process of duplicating and removal of all “DocuRef” related entry points from it.

2 comments:

  1. There is a fundamental problem with this solution. In AX 2012 R2/R3 the System User role cannot be removed from a user without causing errors. It would be better to make a copy of the System User role to store as an archive, but change the System User Role directly to remove the delete permissions.

    In addition, I have found there are many other forms and roles that have direct permission overrides to the delete permission on the DocuRef table. So only changing the System User Role will not be enough for some users who are assigned multiple roles. For example, there are elements within the Purchasing Agent Role that override the permissions dictated in the System User Role and it's associated Duties ("Document Handling Essentials" & "Client Essentials").

    To anyone reading this in the future: For AX 2012 R3, I suggest going to the DocuRef table in the AOT and right clicking the table node. Select Add-ins > Security > Related security roles. This will give you a full list of all the objects that have "Full Control" access to the DocuRef table.

    ReplyDelete
  2. Is there any alternate you got for making attachment as non-editable for specific users.

    ReplyDelete