Here is a quick overview of the security configuration for the Microsoft Dynamics AX 2012 Master data management (MDM) feature.
Security Configuration
MDM requires multiple security settings to work correctly. Ensure that the following user accounts have the correct privileges.
AOS service account permission for Data Import/Export service
The AOS service account that runs import/export must be a member of the Data Import/Export Framework Users local group. If you get a security exception when validating DIXF, the most likely cause is that the AOS user (usually Network Service) is not a member of the group. Add the AOS user to the group in Computer Management, and then restart the AOS.
Verify: Open Data import/export framework > Setup > Data import/export framework parameters, and then click Validate. If the connection is configured correctly, the box will turn green.
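A read-only way to confirm the group membership before clicking Validate, added here as an example (it is not part of the original page or of Microsoft's tooling). The service name and group name are placeholders to replace with the values from your environment. The account is compared by SID because Win32_Service reports Network Service under a different name than the local group does.

```powershell
# Added example: read-only audit of the AOS service account's group membership.
param(
    # Assumption: placeholders; substitute the values used in your environment.
    [string]$AosServiceName = '<AOS-service-name>',
    [string]$GroupName      = '<DIXF-users-local-group>'
)

# Built-in service identities as Win32_Service reports them in StartName,
# mapped to their well-known SIDs.
$wellKnown = @{
    'localsystem'                 = 'S-1-5-18'
    'nt authority\localservice'   = 'S-1-5-19'
    'nt authority\networkservice' = 'S-1-5-20'
}

function Resolve-ServiceAccountSid {
    param([string]$StartName)
    $key = $StartName.ToLowerInvariant()
    if ($wellKnown.ContainsKey($key)) { return $wellKnown[$key] }
    # ".\user" denotes a local account; NTAccount needs the machine name instead.
    $name = $StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    $acct = New-Object System.Security.Principal.NTAccount($name)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Find the account the AOS service actually runs as.
$svc = Get-CimInstance Win32_Service -Filter "Name='$AosServiceName'"
if (-not $svc) { throw "Service '$AosServiceName' not found." }
$sid = Resolve-ServiceAccountSid $svc.StartName

# Direct members only: accounts that get in through a nested domain group
# are not expanded by Get-LocalGroupMember and will be reported as missing.
$members = Get-LocalGroupMember -Group $GroupName
if ($members.SID.Value -contains $sid) {
    "OK: $($svc.StartName) is a member of '$GroupName'."
} else {
    "MISSING: $($svc.StartName) is not in '$GroupName'. Add it, then restart the AOS."
}
```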
Grant the DIXF service account permission to the SQL Server Master Data Services web service and database
Master Data Services Web Application
The Data import/export service account must be configured to have function permissions in Master Data Services so that it can push and pull data and create schemas. To enable these permissions, perform the following procedure:
1. Open the Master Data Services web application.
2. Click Users and Group Permissions.
3. Add the DIXF service account user.
4. Select the DIXF service account user.
5. Click Functions.
6. Click Edit.
7. Assign the following functions:
Best Practices: In a production environment with all entities configured, we recommend that you remove the functions from the service account, and instead assign specific model permissions for reading and writing data to models.
Verify: Log in to the local machine with the DIXF service account, open the Master Data Services web application, and verify that the user has access.
Master Data Services SQL Server database
Assign the following database roles to the DIXF service account in the Master Data Services database:
Verify: Connect to the Master Data Services database using SQL Server Management Studio and the DIXF service account to validate database connectivity.