Dynamics AX 2012 Security - Planning and Developing for an Implementation
Parth Pandya, Senior Program Manager, Microsoft Corporation
BRK321
Disclaimer
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. Other names and brands may be claimed as the property of others.
Microsoft Dynamics AX 2012 R2 is a pre-release product under development. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft. Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. All product release dates and features specified are preliminary based on current expectations, and are subject to change without notice. Microsoft may make changes to specifications and product descriptions at any time, without notice.
Sample code included in this presentation is made available AS IS. THE ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS PRESENTATION. Microsoft products are not intended for use in medical, life saving, or life sustaining applications.
Session Focus
Overview of Security Framework
Security Implementation phases
Tools and features to develop and manage security
Key Implementation Tips
Developing and debugging security artifacts
Model complex security requirements
Challenges in Security
Manage security on an ongoing basis
What’s New In AX 2012
AX Security enables:
Faster Implementation building upon a comprehensive set of Role definitions
Role-tailored User Experience that adapts to dynamic business requirements
Extending ERP functionality to external users without risk to intranet resources
Comprehensive Data Security modeled as per unique business requirements
Making Security and Simplicity Coexist
Overview of security framework
Role-based Security Concepts (Functional Security)
The security hierarchy, from the top down, with the counts shown on the slide:
Roles (80+): a group of duties for a job function, e.g. “Branch Manager”
Duties (800+): a group of related privileges required for a job function, e.g. “Maintain Vehicles”
Privileges (5000+): a group of entry points/permissions with associated access levels, e.g. “Edit Vehicles Menu Item”
Permissions (25000+): a group of base objects and the required permission, e.g. “Read Vehicle Table”
Securable Objects: the artifacts you want to secure, e.g. “Vehicle Table”; they include Menu Items, Controls, Tables, Server Methods, etc.
Access Level: the level of access (such as Read or Delete) granted on a securable object
Demo: Role-based Security Administration & Experience
Extensible Data Security (XDS)
Organizations have complex data filtering needs:
Filter based on specific records in a given table
Filter data in a table based on conditions in another table(s)
Ensure that this data filtering is enforced on all paths of access to the data
Enforce data filtering based on context
Have a declarative and easy way to specify the filtering requirements
The XDS framework in AX 2012 addresses these scenarios.
Demo: Extensible Data Security
Demo: Securing data using organizational hierarchies
Organizational hierarchy used in the demo (diagram): Contoso Group contains the Main Sales Group (Sales (USA), Sales (UK)) and Consulting (SUSB Departments, SFRA Departments); an HR Assistant also appears.
Department hierarchy:
Position | Department
Salesperson | Main Sales Group
Purchasing Agent | Sales (USA)
Sales Manager | Sales (UK)
Consultant | SUSB Department
Consultant | SFRA Department
Project Manager | SFRA Department
The diagram shows the data visible before and after the data security policy is applied.
Xtensible Data Security (XDS): Overview
Constrained Table: the table which contains the data to be filtered/constrained (SalesTable)
Primary Table: the table which contains the data to use as the filter (CustTable)
Query: the condition by which data is to be constrained (CustGroup = 20)
Role/Application Context: the circumstances under which to apply this policy (Role = Branch Manager)
Results: filtered sales data (when the role is Branch Manager, only sales data with customer group = 20)
In words: when a Branch Manager accesses the sales table, always filter the data set to customers in group 20.
Xtensible Data Security (XDS): Runtime
Policy: Sales by Customer group
Constrained Table: SalesTable
Primary Table: CustTable
Role Context: Branch Manager
Query: SalesByCustQuery
Policy query (over the primary table):
SELECT * FROM CustTable T1 WHERE T1.CustGroup = 20
Application query (against the constrained table):
SELECT * FROM SalesTable T2 WHERE T2.amount > 1000
Effective query at runtime, with the policy appended as an EXISTS sub-query:
SELECT * FROM SalesTable T2 WHERE (T2.amount > 1000 AND EXISTS (SELECT * FROM CustTable T1 WHERE T1.CustGroup = 20 AND T1.Recid = T2.Cid))
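The runtime rewrite can be reproduced end to end. The following Python is added here and is not code from the presentation or from Dynamics AX: it builds the two tables in an in-memory SQLite database with constructed rows, appends the policy as the EXISTS sub-query only when the caller holds the policy's role context, and runs the result. The table and column names (SalesTable, CustTable, CustGroup, Recid, Cid) follow the slide; the sample rows and the policy dictionary are assumptions.

```python
import sqlite3

# Constructed sample data modelled on the slide: SalesTable rows are constrained
# by CustTable rows whose CustGroup is 20. Column names follow the slide (Recid, Cid).
SCHEMA = """
CREATE TABLE CustTable (Recid INTEGER PRIMARY KEY, Name TEXT, CustGroup INTEGER);
CREATE TABLE SalesTable (Recid INTEGER PRIMARY KEY, Cid INTEGER, amount REAL);
INSERT INTO CustTable VALUES (1, 'Adventure Works', 20), (2, 'Fabrikam', 10), (3, 'Tailspin', 20);
INSERT INTO SalesTable VALUES (100, 1, 1500), (101, 2, 2500), (102, 3, 900),
                              (103, 3, 3000), (104, 2, 500);
"""

# One XDS policy as the overview slide describes it (values assumed for the example).
POLICY = {
    "constrained_table": "SalesTable",
    "primary_table": "CustTable",
    "policy_query": "T1.CustGroup = 20",   # condition on the primary table
    "join": "T1.Recid = T2.Cid",          # relation between primary and constrained rows
    "role_context": "Branch Manager",
}

def apply_xds(user_query_where, user_roles, policy=POLICY):
    """Rewrite a query on the constrained table the way the runtime slide shows:
    the application's own WHERE clause is kept and the policy is appended as an
    EXISTS sub-query, but only when the user holds the policy's role context."""
    sql = f"SELECT T2.Recid FROM {policy['constrained_table']} T2 WHERE ({user_query_where}"
    if policy["role_context"] in user_roles:
        sql += (f" AND EXISTS (SELECT * FROM {policy['primary_table']} T1"
                f" WHERE {policy['policy_query']} AND {policy['join']})")
    return sql + ")"

def run(user_query_where, user_roles):
    """Execute the (possibly rewritten) query against the constructed data and
    return the visible SalesTable record ids in ascending order."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sql = apply_xds(user_query_where, user_roles) + " ORDER BY T2.Recid"
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    print(run("T2.amount > 1000", {"System Administrator"}))  # every sale over 1000
    print(run("T2.amount > 1000", {"Branch Manager"}))        # only customer group 20
    # The policy is enforced on every access path: a query with no customer
    # filter of its own is still constrained for the Branch Manager.
    print(run("1 = 1", {"Branch Manager"}))
```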
Developing security
Phases of security implementation
Perform business analysis of job functions
Complete functional development
Package securable objects in security artifacts
Reuse out of the box role definitions and customize as required
Define data security policies
Test and deploy
Role Design Principles
Principle of least privilege
Segregation of duties
Segregation of duties (diagram): a source document passes through four stages, each handled by a different person: Recording (Clerk/Agent), Verification (Verifier), Authorization (Supervisor) and Managerial review (Manager). The records are verified and authorized by someone other than the person who recorded them, and the employee reports to the manager.
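To make the role/duty/privilege/permission hierarchy from the concept slide concrete, and to show how a segregation-of-duties check sits on top of it, here is an added Python example (not code from the presentation or from Dynamics AX). It models constructed roles, duties, privileges and permissions, resolves a user's effective access level per securable object, and flags role assignments that violate a constructed SoD rule. The access-level ordering is the AX 2012 one; every artifact name is an assumption.

```python
from collections import defaultdict

# Constructed artifacts following the concept slide: roles group duties, duties
# group privileges, privileges grant an access level on securable objects.
# AX 2012 access levels, least to most permissive; a higher level includes the lower ones.
ACCESS_LEVELS = ["NoAccess", "Read", "Update", "Create", "Correct", "Delete"]

PRIVILEGES = {   # privilege -> {securable object: access level}
    "ViewVehicles": {"VehicleTable": "Read"},
    "EditVehicles": {"VehicleTable": "Delete", "EditVehiclesMenuItem": "Delete"},
    "RecordSalesOrder": {"SalesTable": "Create"},
    "ApproveSalesOrder": {"SalesTable": "Update", "ApproveSalesMenuItem": "Read"},
}
DUTIES = {
    "Inquire into vehicles": ["ViewVehicles"],
    "Maintain vehicles": ["ViewVehicles", "EditVehicles"],
    "Enter sales orders": ["RecordSalesOrder"],
    "Approve sales orders": ["ApproveSalesOrder"],
}
ROLES = {
    "Sales Clerk": ["Enter sales orders", "Inquire into vehicles"],
    "Sales Manager": ["Approve sales orders", "Inquire into vehicles"],
    "Branch Manager": ["Maintain vehicles", "Approve sales orders"],
}
# Segregation-of-duties rule: duties one user must not hold at the same time.
SOD_RULES = [("Enter sales orders", "Approve sales orders")]

def effective_duties(user_roles):
    """All duties a user holds through any assigned role."""
    return {duty for role in user_roles for duty in ROLES[role]}

def effective_access(user_roles):
    """Highest access level per securable object across all of the user's roles
    (AX 2012 grants the most permissive level any role provides)."""
    access = defaultdict(lambda: "NoAccess")
    for duty in effective_duties(user_roles):
        for privilege in DUTIES[duty]:
            for obj, level in PRIVILEGES[privilege].items():
                if ACCESS_LEVELS.index(level) > ACCESS_LEVELS.index(access[obj]):
                    access[obj] = level
    return dict(access)

def sod_conflicts(user_roles):
    """SoD rules violated by this role assignment (empty when it is compliant)."""
    held = effective_duties(user_roles)
    return [rule for rule in SOD_RULES if rule[0] in held and rule[1] in held]

if __name__ == "__main__":
    print(effective_access({"Sales Clerk", "Branch Manager"}))
    print(sod_conflicts({"Sales Clerk", "Sales Manager"}))  # the rule pair is reported
```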
Role-based Security Development: example
Menu Item “Register Rental”, Access Level “Delete”
Privilege “fmRegisterRental” (groups the menu item entry point with its access level)
Duty/Role “FM Rental Clerk Role” (contains the privilege)
Permissions: Form “Rental Form”, Table “FMRental”, Permission “Delete”
Auto Inference of Permissions: the access level set on the menu item is inferred for the form it opens and the tables that form uses.
Security development approaches
Bottom up (AOT Driven)
Top down (Menu Item Driven)
Tools: Security Debug Tool, Security Development Tool
Demo: Security Development Tool for AX 2012 (beta)
Security Development Tool:
Simplifies creation and maintenance of Roles, Duties and Privileges
Guides you in setting menu item access levels
Records business process flows and identifies the entry points used
Test security workspace and debug X++ code
Managing security
Managing Security
Manage segregation of duties conflicts
Set up automatic role assignment rules
Use of ADGroup (Active Directory groups) for ease of management
Use flexible authentication for providing access to external users of the system
Top tips from this session
Build on the Role Based Security Framework: model your security using the role based security framework
Express complex data security requirements: model more complex data requirements using the XDS framework
Use tools for faster development and easier debugging: use the security development tool for development and debugging of security artifacts
Plan for security upgrade: use the security upgrade advisor to plan and execute the upgrade of security settings
Simplify ongoing administration tasks: use features such as dynamic role assignment and segregation of duties to simplify administration
Related Sessions
CHK 305: Security Framework in Dynamics AX 2012
Q&A
Resources
Security for Microsoft Dynamics AX 2012: http://bit.ly/rREqZB
Whitepaper on developing XDS policies: http://bit.ly/tTsB7K
Security Development Tool and Security Upgrade Advisor Tool: http://informationsource.dynamics.com/
Flexible Authentication Whitepaper: http://go.microsoft.com/fwlink/?LinkID=232522&clcid=0x409
Security Debug Tool: http://msdn.microsoft.com/en-us/library/hh745340.aspx
Security Development Tool Highlights (table: Persona, Pain Points and Challenges, Features Covered, Results and Benefits)
Persona: Isaac
Pain point: Identify hidden menu items for a functional role. Features covered: Main menu view, Mark form controls in ribbon, Discover sub-menu items, Recorder.
Pain point: Tweak menu item permissions for a security role. Features covered: Reference duty/privilege, Set entry point permissions guided form.
Pain point: Need to log on with a different Windows account to test a role. Features covered: Debug without System administrator privileges, Test security workspace.
Results and benefits: Reduced effort to maintain security artifacts; Easier to test and debug scenarios in security context.
Flexible Authentication Architecture (diagram)
1. Users reach Microsoft SharePoint® (Enterprise Portal) as an Active Directory User, an AD Federated User, or a Forms-Based Authentication User.
2. Authentication is handled by the STS (Secure Token Service) through a provider: the Active Directory Provider (Active Directory), the ADFS Provider (ADFS), the Forms-Based Authentication Provider backed by Membership Provider(s) and a User Database, or a Custom STS backed by its own User Database.
3. Authorization is performed by the AOS (Application Object Server) against the Dynamics AX Database.
Personas (diagram)
Management: Chris, IT Engineer
Customization: Simon and Nandita, Developer and Partner
Development: Isaac, ISV
Security Implementation Phases (diagram)
Functional Security: Roles, Duties, Privileges, Permissions
Data Security: Policy, Context
Authentication: Federation Trust Setup, User Authentication, User Management
Segregation of Duties: Segregation of Duty enforcement
Security Upgrade
Security Model: Side By Side
AX 4.0/2009: User → User Group/Domain (Branch Manager/Europe) → Permissions for CustomerTable: Securable Object CustomerTable, Access Level Read
AX 2012: User → Role (Branch Manager) → Duty (Basic Duties) → Privilege (View Customer Records) → Permission (CustomerTable, Read)
Security Upgrade Steps
1. Export: export legacy security settings from AX 4.0/2009
2. Match: match out of box privileges with legacy security settings
3. Create Privileges: for missing settings, create custom privileges
4. Review/Fine Tune: review new security suggestions and fine tune
5. Generate Custom Roles that map to legacy User Groups
Source: AX 4, AX 2009. Target: AX 2012 systems (Dev, Test, Prod). Iterate.
Match Process (diagram)
Source (AX 4.0/2009), user group “Advance Buyer”: CustTable View; ContactPerson FullControl; Asset Addition View; Address Format FullControl; CCMActivePrice View
Target (AX 2012), role “Advance Buyer”: CustTableView; ContactPersonMaintain; AssetAdditionView
Privilege matches are classified as Exact, Similar, No Privilege, Entry Point Deprecated, or No Entry Point; the outcomes shown are Review match, Create new privilege, Create entry point and privilege (if needed), Removed, and Not Found (NA where no AX 2012 privilege applies).