Management Reporter Security

Are you confused by how user roles in AX 2012 are integrated with Management Reporter roles? Have problems adding or deleting users in Management Reporter? Get your answers here.

In the last couple of weeks I have been asked by AX developers about Management Reporter Security. Mainly, they were stumped by how assigning different roles to users in Management Reporter does not quite turn out as they had expected. Both times I felt I could only give a partial answer. Thus, I decided to do a little experiment to find out the truth once and for all… or until Microsoft comes up with the next Rollup I suppose!

In this topic, I will cover:

Management Reporter is able to integrate with different flavours of Microsoft Dynamics but in this topic I will cover integration with Microsoft Dynamics AX 2012 only, and only for up to RU5, simply because that is what is available to me for my experiment!

You can download the Management Reporter Integration Guide for Microsoft Dynamics AX 2012 here.

In the guide, the section called Integrating users from Microsoft Dynamics AX 2012 covers all of only two pages. Hopefully this blog post expands on that and clarify things.

The following table explains how user roles in Microsoft Dynamics AX 2012 are transferred into Management Reporter.

MRRoles

Note the last statement that the LedgerViewFinancialStatement privilege for viewers must be added in AX. I will demonstrate that. Also, what it does not say is that if the user is assigned to any other role in AX except those shown here, they will not have access to Management Reporter, even for System Administrator. Yes, the user name will not even show up in the user security list in Management Reporter!

Adding users from AX 2012

Here is what is written in the guide.MRAddingUsers

What it does not say is how and when the change is reflected in Management Reporter. This will be covered in How to integrate users in Configuration Console.

Firstly I am going to add a user called CONTOSO\user5 to Management Reporter which currently does not exist.

User5DoesNotExist

To add CONTOSO\user5 to Management Reporter, fire up Microsoft Dynamics AX and add the CONTOSO\user5 as a new user.

AddUser5

User5 is now an AX User, but he is not added to Management Reporter yet.

User5Added

User is assigned an AX 2012 role that does not map to Management Reporter

If a user is assigned a role that is not recognised as a role in Management Reporter, the user is not added into Management Reporter – even for a system administrator role in AX 2012!

Here, user5 is assigned the System Administrator role in AX 2012.

User5SystemAdmin

In Management Reporter, user5 is still not added.

user5SysAdminNotAddedInMR

Assigning user a Viewer role

As mentioned in the guide, create a new LedgerViewFinancialStatement privilege.

To find out more about creating security privileges in AX 2012, click here.

CreateLedgerViewFinancialStatementPrivilege

Assign LedgerViewFinancialStatement privilege to a new role or to a current role. In this case I created a new role also called LedgerViewFinancialStatement and assigned the LedgerViewFinancialStatement privilege to it.

To find out more about creating security roles in AX 2012, click here.

AddPrivilegeToViewerRole

Assign user5 the LedgerViewFinancialStatement role.

user5AXLedgerViewFinancialStatement

Open Configuration Console and wait until everything is fully integrated.

AddVIewerFullyIntegrated

Now open the users list in Management Reporter -> Security. User5 is added as a Viewer.

user5MRViewer

Assigning user a Generator role

Remove the LedgerViewFinancialStatement  role from User5 and assign the role of Financial Controller instead.

user5AXFinancialController

Again wait until everything is fully integrated in the Configuration Console.

Now re-open the users list in Management Reporter -> Security. User5 has the Generator role.

user5MRGenerator

Assigning user a Designer role

In AX 2012, assign user5 with the role of Accounting Manager.

user5AXAccountingManager

Again wait until everything is fully integrated in the Configuration Console.

Now re-open the users list in Management Reporter -> Security. User5 has the Designer role.

user5MRDesigner

Assigning user an Admin role

The AX 2012 system administrator role does not map into the Administrator role in Management Reporter. So the user needs to be assigned the Security Administrator role instead.

user5AXSecurityAdmin

Again wait until everything is fully integrated in the Configuration Console.

Now re-open the users list in Management Reporter -> Security. User5 has the Administrator role.

user5MRAdmin

Users of higher access

As you probably have seen by now, the AX roles of higher access (if you like) determines the role in Management Reporter. In the last example, user5’s highest AX Role is Security Administrator. Therefore the role in Management Reporter is Administrator even though user5 is also assigned as Accounting Manager and Financial Controller in AX 2012.

user5AXSecurityAdmin

Deleting user

Here is what is mentioned in the Guide:

MRDeletingUsers

That is not entirely correct.

To delete a user that was integrated from AX 2012, you can either:

  1. Delete the user from AX 2012.
  2. Remove all Management Reporter mapped roles for the user.

I will demonstrate the second point as the first is obvious.

In Management Reporter  -> Security, right-click on user5. The Delete… option is greyed out. You cannot manually delete a user that is integrated from AX 2012.

CannotDeleteUser5

In AX 2012, remove all roles from user5 that maps to Management Reporter.

user5AXRemoveRolesAgain wait until everything is fully integrated in the Configuration Console.

Now re-open the users list in Management Reporter -> Security. User5 has been deleted in Management Reporter.

user5MRDeleted

How to integrate users in Configuration Console

To integrate users from AX 2012, one would expect to hit a button to activate integration but that does not exist in Management Reporter. As seen in previous examples, in Configuration Console, once everything has been fully integrated, the roles will also be fully integrated.

While doing this experiment, data integration happens every minute, and full integration happens every 5 minutes.

AddVIewerFullyIntegrated

Where is the user data stored in the database?

The user data is located in the [ManagementReporter] database in the [dbo].[SecurityUser] table.

Summary

Users in AX 2012 are mapped to Management Reporter only by certain roles that is shown in this table here.

Users can be added to Management Reporter by assigning them specific roles in AX 2012. Likewise, users can be deleted from Management Reporter by unassigning them specific roles in AX 2012.

AX roles of higher access determines the role in Management Reporter.

Full integration with AX 2012 occurs regularly and frequently as long as the service is running. There is no specific button to activate integration.

I hope this clarifies Management Reporter Security roles and integration process.

9 thoughts on “Management Reporter Security

  1. Thanks Terry.

    Very useful Information.Helped me troubleshoot a real time issue and understand how this works.

    Kamaraju

  2. Do you know if there’s any way to restrict certain designer users from editing certain reports in MR? Besides applying passwords, I’d like to restrict User 1 to only design Report A and not be able to design report B. But User 2 needs the ability to design both A and B.

  3. Users with privileges don’t seem to be coming across , there is one particular user but the other has not synced. any ideas to force or troubleshoot.

Leave a Reply

Your email address will not be published.