Upload: melina-casey

Post on 17-Dec-2015


Page 1: Permissions (25000+) Privileges (5000+) Menu Items Access Level Securable Objects Controls Tables Etc… Server Methods Artifacts you want to
Page 2

Dynamics AX 2012 Security - Planning and Developing for an Implementation

Parth Pandya, Senior Program Manager, Microsoft Corporation

BRK321

Page 3

Disclaimer

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. Other names and brands may be claimed as the property of others.

Microsoft Dynamics AX 2012 R2 is a pre-release product under development. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft. Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. All product release dates and features specified are preliminary based on current expectations, and are subject to change without notice. Microsoft may make changes to specifications and product descriptions at any time, without notice.

Sample code included in this presentation is made available AS IS. THE ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS PRESENTATION. Microsoft products are not intended for use in medical, life saving, or life sustaining applications.

Page 4

Session Focus

Overview of Security Framework
Security Implementation phases
Tools and features to develop and manage security
Key Implementation Tips

Page 5

Challenges in Security

Developing and debugging security artifacts
Model complex security requirements
Manage security on an ongoing basis

Page 6

What’s New In AX 2012

AX Security enables:
Faster Implementation, building upon a comprehensive set of Role definitions
Role-tailored User Experience that adapts to dynamic business requirements
Extending ERP functionality to external users without risk to intranet resources
Comprehensive Data Security modeled as per unique business requirements

Making Security and Simplicity Coexist

Page 7

Overview of security framework

Page 8

Role-based Security Concepts (Functional Security)

Securable Objects (Menu Items, Controls, Tables, Server Methods, etc.): the artifacts you want to secure, e.g. “Vehicle Table”
Permissions (25000+): a group of base objects and the required permission, e.g. “Read Vehicle Table”
Privileges (5000+): a group of entry points/permissions with associated access levels, e.g. “Edit Vehicles Menu Item”
Duties (800+): a group of related privileges required for a job function, e.g. “Maintain Vehicles”
Roles (80+): a group of duties for a job function, e.g. “Branch Manager”

Page 9

Demo: Role-based Security Administration & Experience

Page 10

Extensible Data Security (XDS)

Organizations have complex data filtering needs:
Filter based on specific records in a given table
Filter data in a table based on conditions in another table(s)
Ensure that this data filtering is enforced on all paths of access to the data
Enforce data filtering based on context
Have a declarative and easy way to specify the filtering requirements

The XDS framework in AX 2012 addresses these scenarios

Page 11

Demo: Extensible Data Security

Page 12

Demo: Securing data using organizational hierarchies

Department Hierarchy (Contoso Group):
Main Sales Group: Sales (USA), Sales (UK)
Consulting: SUSB Departments, SFRA Departments

Position / Department:
Salesperson: Main Sales Group
Purchasing Agent: Sales (USA)
Sales Manager: Sales (UK)
Consultant: SUSB Department
Consultant: SFRA Department
Project Manager: SFRA Department
HR Assistant

(Diagram: the hierarchy shown before and after the data security policy is applied)

Page 13

Xtensible Data Security (XDS): Overview

Data Security Policy:
Constrained Table: the table which contains the data to be filtered/constrained (SalesTable)
Primary Table: the table which contains the data to use as the filter (CustTable)
Query: the condition by which data is to be constrained (CustGroup = 20)
Role/Application Context: the circumstances under which to apply this policy (Role = Branch Manager)
Results: filtered sales data (when the role is Branch Manager, only sales data with customer group = 20)

When a Branch Manager accesses the sales table, always filter the data set to customers in group 20.

Page 14

Xtensible Data Security (XDS): Runtime

Policy: Sales by Customer group
Constrained Table: SalesTable
Primary Table: CustTable
Role Context: Branch Manager
Query: SalesByCustQuery

Policy query on the primary table:
SELECT * FROM CustTable T1 WHERE T1.CustGroup = 20

Query issued by the application:
SELECT * FROM SalesTable T2 WHERE T2.amount > 1000

Query executed at runtime, with the policy condition added:
SELECT * FROM SalesTable T2 WHERE (T2.amount > 1000
  AND EXISTS (SELECT * FROM CustTable T1 WHERE T1.CustGroup = 20 AND T1.Recid = T2.Cid))
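The rewrite above, as an added example that is not part of the original deck or Microsoft's code: a small Python model of a policy's EXISTS clause being ANDed into the application's query inside the data-access layer. The table rows and the CustTable.RecId = SalesTable.Cid relation are constructed; the policy mirrors the slide's Sales by Customer group policy.

```python
"""Added example (not Microsoft's code): a minimal model of how an XDS policy
rewrites a query at runtime. Table rows and role names are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

Row = Dict[str, object]

# Constructed rows for the primary table (CustTable) and the constrained
# table (SalesTable) from the slide; CustTable.RecId = SalesTable.Cid.
CUST_TABLE: List[Row] = [{"RecId": 1, "CustGroup": 20},
                         {"RecId": 2, "CustGroup": 10},
                         {"RecId": 3, "CustGroup": 20}]
SALES_TABLE: List[Row] = [{"SalesId": "S1", "Cid": 1, "amount": 5000},
                          {"SalesId": "S2", "Cid": 2, "amount": 7000},
                          {"SalesId": "S3", "Cid": 3, "amount": 500},
                          {"SalesId": "S4", "Cid": 2, "amount": 900}]
TABLES = {"CustTable": CUST_TABLE, "SalesTable": SALES_TABLE}

@dataclass(frozen=True)
class XdsPolicy:
    name: str
    constrained_table: str
    primary_table: str
    role_context: str
    policy_query: Callable[[Row], bool]    # WHERE on the primary table
    relation: Callable[[Row, Row], bool]   # join: constrained row -> primary row

# The "Sales by Customer group" policy from the slide.
SALES_BY_CUST_GROUP = XdsPolicy(
    name="Sales by Customer group", constrained_table="SalesTable",
    primary_table="CustTable", role_context="Branch Manager",
    policy_query=lambda cust: cust["CustGroup"] == 20,
    relation=lambda sale, cust: cust["RecId"] == sale["Cid"])

def select(table: str, where: Callable[[Row], bool], roles: Iterable[str],
           policies: Iterable[XdsPolicy]) -> List[str]:
    """Apply the application's WHERE clause, then AND in the EXISTS clause of every
    matching policy; the rewrite is in the data-access layer, not the caller."""
    roles = set(roles)
    active = [p for p in policies
              if p.constrained_table == table and p.role_context in roles]
    result = []
    for row in TABLES[table]:
        if not where(row):                 # the application's own condition
            continue
        # EXISTS (SELECT * FROM primary T1 WHERE policy_query(T1) AND relation)
        if all(any(p.relation(row, prim) and p.policy_query(prim)
                   for prim in TABLES[p.primary_table]) for p in active):
            result.append(row["SalesId"])
    return result

def sales_over_1000(roles: Iterable[str]) -> List[str]:
    """The slide's query (T2.amount > 1000) as seen by a user holding `roles`."""
    return select("SalesTable", lambda s: s["amount"] > 1000, roles,
                  [SALES_BY_CUST_GROUP])
```

A Branch Manager sees only S1 (customer group 20), while a role outside the policy context sees S1 and S2; because the filter is added in `select`, a caller cannot bypass it by choosing a different WHERE clause.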

Page 15

Developing security

Page 16

Phases of security implementation

Perform business analysis of job functions
Complete functional development
Package securable objects in security artifacts
Reuse out of the box role definitions and customize as required
Define data security policies
Test and Deploy


Page 18

Role Design Principles

Principle of least privilege
Segregation of duties

Example: processing a source document
Recording: Clerk/Agent
Verification: Verifier
Authorization: Supervisor
Managerial review: Manager (the employee reports to the manager)

Flow: Source document → Verify → Authorize → Records


Page 20

Role-based Security Development: Permissions

Auto Inference of Permissions
Duty/Role: “FM Rental Clerk Role”
Privilege: “fmRegisterRental”
Menu Item: “Register Rental”, Access Level “Delete”
Form: “Rental Form”
Table: “FMRental”, Permission “Delete”


Page 22

Security development approaches

Bottom up (AOT Driven)

Top down (Menu Item Driven)

Security Debug Tool

Security Development Tool

Page 23

Demo: Security Development Tool for AX 2012 (beta)

Page 24

Security Development Tool

Simplifies creation and maintenance of Roles, Duties and Privileges
Guides you in setting menu item access levels
Record business process flows and identify the entry points used
Test security workspace and debug X++ code


Page 26

Managing security

Page 27

Managing Security

Manage segregation of duties conflicts
Set up automatic role assignment rules
Use of ADGroup for ease of management
Use flexible authentication for providing access to external users of the system
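An added example (not Microsoft's or the deck's code) of the segregation-of-duties check behind the Role Design Principles slide and the "Manage segregation of duties conflicts" item above: roles map to duties, conflicting duty pairs carry a severity, and a user's combined role assignment is checked both after the fact and before a new role is granted. All role, duty and rule names are constructed.

```python
"""Added example (not Microsoft's code): checking a user's role assignment for
segregation-of-duties conflicts. Role, duty and rule names are constructed."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role -> duties mapping that follows the four steps on the Role
# Design Principles slide: recording, verification, authorization, review.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "Clerk/Agent": {"RecordSourceDocument"},
    "Verifier": {"VerifySourceDocument"},
    "Supervisor": {"AuthorizeSourceDocument"},
    "Manager": {"ReviewRecords"},
    "Sales Clerk": {"RecordSourceDocument", "MaintainCustomers"},
}

# Constructed SoD rules: duty pairs one person must not hold at the same time,
# each with the severity an administrator would use to triage the conflict.
SOD_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"RecordSourceDocument", "AuthorizeSourceDocument"}): "High",
    frozenset({"RecordSourceDocument", "VerifySourceDocument"}): "High",
    frozenset({"VerifySourceDocument", "AuthorizeSourceDocument"}): "Medium",
}

Conflict = Tuple[str, str, str, str, str]  # duty_a, role_a, duty_b, role_b, severity

def duties_held(roles: List[str]) -> Dict[str, Set[str]]:
    """Map each duty the user holds to the roles that grant it."""
    held: Dict[str, Set[str]] = {}
    for role in roles:
        for duty in ROLE_DUTIES[role]:
            held.setdefault(duty, set()).add(role)
    return held

def find_conflicts(roles: List[str]) -> List[Conflict]:
    """Report every SoD rule violated by the combined duties of `roles`, naming
    the roles behind each side so the administrator knows what to remove."""
    held = duties_held(roles)
    conflicts: List[Conflict] = []
    for duty_a, duty_b in combinations(sorted(held), 2):
        severity = SOD_RULES.get(frozenset({duty_a, duty_b}))
        if severity is None:
            continue
        for role_a in sorted(held[duty_a]):
            for role_b in sorted(held[duty_b]):
                conflicts.append((duty_a, role_a, duty_b, role_b, severity))
    return conflicts

def can_assign(current_roles: List[str], new_role: str) -> bool:
    """Pre-assignment check: refuse a role that would introduce a High conflict;
    Medium conflicts are allowed but still reported by find_conflicts()."""
    return not any(c[4] == "High"
                   for c in find_conflicts(current_roles + [new_role]))
```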

Page 28

Top tips from this session

Build on the Role Based Security Framework: model your security using the role based security framework
Express complex data security requirements: model more complex data requirements using the XDS framework
Use tools for faster development and easier debugging: use the security development tool for development and debugging of security artifacts
Plan for security upgrade: use the security upgrade advisor to plan and execute the upgrade of security settings
Simplify ongoing administration tasks: use features such as dynamic role assignment and segregation of duties to simplify administration

Page 29

Related Sessions

CHK 305: Security Framework in Dynamics AX 2012

Q&A

Page 30

Resources

Security for Microsoft Dynamics AX 2012: http://bit.ly/rREqZB

Whitepaper on developing XDS policies : http://bit.ly/tTsB7K

Security Development Tool and Security Upgrade Advisor Tool: http://informationsource.dynamics.com/

Flexible Authentication Whitepaper: http://go.microsoft.com/fwlink/?LinkID=232522&clcid=0x409

Security Debug Tool: http://msdn.microsoft.com/en-us/library/hh745340.aspx

Page 31

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 32

Security Development Tool Highlights

Persona: Isaac

Pain Points and Challenges:
Identify hidden menu items for a functional role
Tweak menu item permissions for a security role
Need to log on with a different Windows account to test a role

Features Covered:
Main menu view; Mark form controls in ribbon; Discover sub-menu items; Recorder
Reference duty/privilege; Set entry point permissions guided form
Test security workspace

Results and Benefits:
Reduced effort to maintain security artifacts
Easier to test and debug scenarios in security context
Debug without System administrator privileges

Page 33

Flexible Authentication Architecture

Users: Active Directory User; AD Federated User; Forms-Based Authentication User

1. Microsoft SharePoint® (Enterprise Portal)

2. Authentication
Active Directory Provider (Active Directory)
ADFS Provider (ADFS, STS (Secure Token Service), Custom STS)
Forms-Based Authentication Provider (Membership Provider(s), User Database)

3. Authorization
AOS (Application Object Server)
Dynamics AX Database

Page 34

Security Implementation Phases

Development: Isaac, ISV
Customization: Simon and Nandita, Developer / Partner
Management: Chris, IT Engineer

Functional Security: Roles, Duties, Privileges, Permissions; Segregation of Duties and its enforcement
Data Security: Policy Context
Authentication: Federation Trust Setup; User Authentication; User Management

Page 35

Security Upgrade

Page 36

Security Model: Side By Side

AX 4.0/2009:
User → User Group/Domain (“Branch Manager/Europe”) → Permissions for CustomerTable (Securable Object: CustomerTable, Access Level: Read)

AX 2012:
Role (“Branch Manager”) → Duty (“Basic Duties”) → Privilege (“View Customer Records”) → Permission (“CustomerTable, Read”)

Page 37

Security Upgrade Steps

Source: AX 4, AX 2009. Target: AX 2012 systems (Dev, Test, Prod). Iterate.

1. Export: export legacy security settings from AX 4.0/2009
2. Match: match out of box privileges with legacy security settings
3. Create Privileges: for missing settings, create custom privileges
4. Review/Fine Tune: review new security suggestions and fine tune
5. Generate Custom Roles that map to legacy User Groups

Page 38

Match Process

AX 4.0/2009, “Advance Buyer” (User Group), legacy permissions:
CustTable: View
ContactPerson: FullControl
Asset Addition: View
Address Format: FullControl
CCMActivePrice: View

AX 2012, “Advance Buyer” (Role), matched privileges:
CustTableView (Exact match for CustTable View)
ContactPersonMaintain (Similar match for ContactPerson FullControl; review match)
AssetAdditionView (No Privilege found for Asset Addition View; create new privilege)

Match outcomes and actions:
Exact: privilege matches
Similar: review match
No Privilege: create new privilege
Entry Point Deprecated: NA (legacy permission removed)
No Entry Point: NA (not found); create entry point and privilege, if needed