Visit our Focus Rooms Evaluation of Implementation Proposals by Dynamics AX R&D Solution Architecture & Industry Experts Gain further insights on Dynamics AX Industry Solution Offerings Resolution Guidance on Solution Roadblocks Networking Risso 8A Risso 7B Risso 7A Risso 6C Risso 6A/B
NICE,FRANCE LEARN | INSPIRE | INNOVATE TECHNICAL CONFERENCE 2011
A DEVELOPER’S GUIDE TO ROLE-BASED SECURITY (RBS) AND EXTENSIBLE DATA SECURITY (XDS) AMIT KULKARNIPARTH PANDYA SESSION CODE : BRK 223 MICROSOFT DYNAMICS AX R&D MICROSOFT CORPORATION
DISCLAIMER ©2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. All pre-release product release dates and features specified are preliminary based on current expectations, and are subject to change without notice. Microsoft may make changes to specifications and product descriptions at any time, without notice. Sample code included in this presentation is made available AS IS. THE ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS PRESENTATION. Microsoft products are not intended for use in medical, life saving, or life sustaining applications.
Today we will show you… How developers can leverage new concepts in the AX 2012 security framework Role-based security and data security in action How to model security using the new framework How to develop extensible data security policies
Components in action today
Pains and Challenges Needs a simple way to model security for elements shared across business processes Needs a robust mechanism to set and maintain permissions on securable objects Needs to reliably ship and service security artifacts Needs to apply common data security policies without extensive code customization Requires data security policies to be enforced uniformly from all access paths to the application
Security Concepts Overview
With Dynamics AX 2012, you can… Making Security and Simplicity Coexist
Product Demos Role-based Security and Data Security in Action Modeling Forms Security Developing XDS Policies
Fleet Management Business 1.FM Inc. has multiple branches and locations in the states of Washington (WA) and California (CA) 2.FM Inc. sometimes uses vendors to manage its car rentals Marie Branch Manager Chris IT Engineer Terrence Rental Clerk
demo
Demo 1 : Role-based Security and Data Security in Action PersonaPain Points and ChallengesFeatures CoveredResults and Benefits Configuring and managing security is a complicated task Hard to deploy rich data security policies Role definitions Role-tailored experience XDS policy enforcement Customers can choose from a comprehensive set of baseline role definitions Faster and more reliable security implementation Chris
Permissions (20,000+) Permissions (20,000+) Privileges (5777) Privileges (5777) Duties (767) Duties (767) Roles (80) Roles (80) Process Cycle Group of duties for a job function e.g. “Branch Manager” Group of related privileges required for a job function e.g. “Basic Duties” Group of entry points with associated access levels e.g. “View Customer Records” Group of base objects and required permissions e.g. “CustomerTable” Role-based Security Concepts
Controls Read Permission Tables Server Methods Associated Forms Update Permission Create Permission Delete Permission
Menu Items Service Operations Tables Server Methods Controls Entry Points Permissions
demo
Demo 2 : Modeling Forms Security PersonaPain Points and ChallengesFeatures CoveredResults and Benefits Isaac Application Developer Sharing security artifacts with different subsystems Minimum access not in metadata Permissions Auto-Inference Auto-Authorization Privilege, Duties, and Roles Flexible security definition Metadata declares access needed Reduce effort to maintain security Hard to determine why user does not have the expected access to certain resources Debugging Role definitions Faster debugging of permission issues
Extensible Data Security Conceptual Model Role/Application Context Primary Table Constrained Table Query Results
Extensible Data Security Conceptual Model Policy Role Context App Context Primary Table (CustTable) Query
Extensible Data Security : Concepts & Value
demo
Demo 2 : Developing XDS Policies PersonaPain Points and ChallengesFeatures CoveredResults and Benefits Isaac Application Developer RLS only allows rules based on single tables Developing XDS PoliciesDeclarative policies using modeled AX queries Rich data security policies MyConstructs for performance
Policy Enforcement SalesTable Policy P1 (default) Policy P1 (default) Policy P2 (Employee) Policy P2 (Employee) Policy P3 (Vendor) Policy P3 (Vendor) Policy P4 (Customer) Policy P4 (Customer) AND
Runtime Query Augmentation SELECT * FROM SalesTable T2 WHERE T2.amount > 1000 SELECT * FROM SalesTable T2 WHERE T2.amount > 1000 SELECT * FROM SalesTable T2 WHERE (T2.amount > 1000 SELECT * FROM SalesTable T2 WHERE (T2.amount > 1000
Debugging XDS Policies Static void VerifySalesQuery(Args _args) { SalesTable salesTable; XDSServices xdsServices = new XDSServices(); xdsServices.setXDSContext(1, ‘’); //Only generate SQL statement for custGroup table select generateonly forceLiterals CustAccount, DeliveryDate from salesTable; //Print SQL statement to infolog info(salesTable.getSQLStatement()); xdsServices.setXDSContext(2, ‘’); }
Tips for delivering efficient XDS Policies Tables & Queries Minimize constrained tables Choose primary table carefully Reduce joins in policy queries Use XDS constructs to reduce joins Tables & Queries Minimize constrained tables Choose primary table carefully Reduce joins in policy queries Use XDS constructs to reduce joins Policy Context When should the policy apply? default, role, query Policy Context When should the policy apply? default, role, query Out-of-box 11 policies – 3 of whichare enabled by default 7 MyConstruct tables Out-of-box 11 policies – 3 of whichare enabled by default 7 MyConstruct tables Performance Minimal impact on Form load times No Transaction processing impact Performance Minimal impact on Form load times No Transaction processing impact Rich Low-overhead Data Security Policies Rich Low-overhead Data Security Policies
Top Tips For Developing Role-Based Security Complete privilege, duty, and role definitions – Create permissions for all securable objects – Identify entry points that map to similar functionality to create privileges – Group privileges into appropriate duties Debugging – Use the security debug tool to resolve issues with access – Use Tracing events to dump security-related information
What We Showed Today… Queries based on multiple tables and relationships allow for rich declarative data security policies Data security now enforced by the server-side data access stack and applied for all access paths Policies are applied based on role and application context, thereby reducing number of user groups and policies Securable elements can now be part of multiple roles, duties, and/or privileges Auto-Inference and Auto-Authorization ease permission maintenance requirements Permissions and related role definitions are part of the application metadata
Related sessions BRK222 – Deploying and Managing Security using the new Role Based Security model CHK211 – Security: Developing and Administering with the new RBS and XDS Frameworks Q&A ILL204 – Security Model Setup BRK221 – Code Upgrade Tools for Developers
Resources Microsoft Dynamics AX 2012 White Paper: Developing Extensible Data Security Policies – Developing Security for Microsoft Dynamics AX 2012 –
Q&A
Visit our Focus Rooms Evaluation of Implementation Proposals by Dynamics AX R&D Solution Architecture & Industry Experts Gain further insights on Dynamics AX Industry Solution Offerings Resolution Guidance on Solution Roadblocks Networking Risso 8A Risso 7B Risso 7A Risso 6C Risso 6A/B
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows 7 and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.