Dynamics AX 2012 Security - Planning and Developing for an Implementation
Parth Pandya, Senior Program Manager, Microsoft Corporation
BRK321
Disclaimer
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. Other names and brands may be claimed as the property of others.
Microsoft Dynamics AX 2012 R2 is a pre-release product under development. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft. Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. All product release dates and features specified are preliminary based on current expectations, and are subject to change without notice. Microsoft may make changes to specifications and product descriptions at any time, without notice.
Sample code included in this presentation is made available AS IS. THE ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS PRESENTATION. Microsoft products are not intended for use in medical, life saving, or life sustaining applications.
Session Focus
- Overview of Security Framework
- Security Implementation phases
- Tools and features to develop and manage security
- Key Implementation Tips
Challenges in Security
- Developing and debugging security artifacts
- Modelling complex security requirements
- Managing security on an ongoing basis
What's New In AX 2012
AX Security enables:
- Faster Implementation, building upon a comprehensive set of Role definitions
- Role-tailored User Experience that adapts to dynamic business requirements
- Extending ERP functionality to external users without risk to intranet resources
- Comprehensive Data Security modeled as per unique business requirements
Making Security and Simplicity Coexist
Overview of security framework
Role-based Security Concepts (Functional Security)
- Securable Objects (Menu Items, Controls, Tables, Server Methods, etc.), each with an Access Level: the artifacts you want to secure, e.g. "Vehicle Table"
- Permissions (25000+): a group of base objects and the required permission, e.g. "Read Vehicle Table"
- Privileges (5000+): a group of entry points/permissions with associated access levels, e.g. "Edit Vehicles Menu Item"
- Duties (800+): a group of related privileges required for a job function, e.g. "Maintain Vehicles"
- Roles (80+): a group of duties for a job function, e.g. "Branch Manager"
Demo: Role-based Security Administration & Experience
Extensible Data Security (XDS)
Organizations have complex data filtering needs:
- Filter based on specific records in a given table
- Filter data in a table based on conditions in another table(s)
- Ensure that this data filtering is enforced on all paths of access to the data
- Enforce data filtering based on context
- Have a declarative and easy way to specify the filtering requirements
The XDS framework in AX 2012 addresses these scenarios.
Demo: Extensible Data Security
Demo: Securing data using organizational hierarchies

Department Hierarchy (nodes shown on the slide): Contoso Group; Main Sales Group; Sales (USA); Sales (UK); Consulting; SUSB Departments; SFRA Departments

Position | Department
Salesperson | Main Sales Group
Purchasing Agent | Sales (USA)
Sales Manager | Sales (UK)
Consultant | SUSB Department
Consultant | SFRA Department
Project Manager | SFRA Department
HR Assistant | (not shown)

Before / After: the slide compares the data visible to these positions before and after the hierarchy-based data security is applied.
Xtensible Data Security (XDS): Overview
A Data Security Policy consists of:
- Query: the condition by which data is to be constrained (CustGroup = 20)
- Primary Table: the table which contains the data to use as the filter (CustTable)
- Constrained Table: the table which contains the data to be filtered/constrained (SalesTable)
- Role/Application Context: the circumstances under which to apply this policy (Role = Branch Manager)
- Results: filtered sales data (when the role is Branch Manager, only sales data with customer group = 20)
In short: when a Branch Manager accesses the sales table, always filter the data set to customers in group 20.
Xtensible Data Security (XDS): Runtime
Policy: Sales by Customer group
Constrained Table: SalesTable
Primary Table: CustTable
Role Context: Branch Manager
Query: SalesByCustQuery

Policy query (on the primary table):

```sql
SELECT * FROM CustTable T1 WHERE T1.CustGroup = 20
```

Query issued by the application (on the constrained table):

```sql
SELECT * FROM SalesTable T2 WHERE T2.amount > 1000
```

Query actually executed once the policy is applied:

```sql
SELECT * FROM SalesTable T2
WHERE (T2.amount > 1000
  AND EXISTS (SELECT * FROM CustTable T1 WHERE T1.CustGroup = 20 AND T1.Recid = T2.Cid))
```
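The query rewrite shown on the runtime slide, worked end to end as an added example (not code from the presentation or from Dynamics AX): the policy is kept as metadata, the caller's WHERE clause is wrapped with the EXISTS subquery only when the role context matches, and the result is checked against constructed CustTable/SalesTable rows in SQLite, which stands in for the AX database. The column names (Recid, Cid, CustGroup, amount) are those on the slide; the sample rows and the "Sales Manager" role are constructed.

```python
import sqlite3

# Constructed sample schema and rows mirroring the slide's CustTable / SalesTable.
# Customer 2 is in group 30, so its sales must never reach a Branch Manager.
SCHEMA = """
CREATE TABLE CustTable (Recid INTEGER PRIMARY KEY, CustGroup INTEGER);
CREATE TABLE SalesTable (Recid INTEGER PRIMARY KEY, Cid INTEGER, amount INTEGER);
INSERT INTO CustTable VALUES (1, 20), (2, 30), (3, 20);
INSERT INTO SalesTable VALUES
    (10, 1, 5000), (11, 2, 7000), (12, 3, 500), (13, 3, 2500), (14, 2, 200);
"""

# The policy from the slide, expressed as metadata. As in the AOT, these fragments are
# developer-authored at design time, not end-user input, so composing SQL from them is safe here.
POLICY = {
    "name": "Sales by Customer group",
    "constrained_table": "SalesTable",    # table whose rows get filtered
    "primary_table": "CustTable",         # table whose rows decide the filter
    "policy_query": "T1.CustGroup = 20",  # the condition on the primary table
    "join": "T1.Recid = T2.Cid",          # how constrained rows relate to primary rows
    "role_context": "Branch Manager",     # circumstances under which the policy applies
}


def make_db():
    """In-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def apply_policy(user_where, roles, policy=POLICY):
    """Rewrite the caller's WHERE clause as the runtime slide shows: when the role
    context matches, AND in an EXISTS against the primary table. Because the rewrite
    happens below the caller, every access path to SalesTable gets the same filter."""
    if policy["role_context"] not in roles:
        return user_where
    primary = (f"SELECT * FROM {policy['primary_table']} T1 "
               f"WHERE {policy['policy_query']} AND {policy['join']}")
    return f"({user_where} AND EXISTS ({primary}))"


def run_query(conn, roles, user_where="T2.amount > 1000", policy=POLICY):
    """Execute the caller's query on the constrained table with the policy applied.
    Returns the SalesTable Recids the caller is allowed to see, in Recid order."""
    where = apply_policy(user_where, roles, policy)
    sql = (f"SELECT T2.Recid FROM {policy['constrained_table']} T2 "
           f"WHERE {where} ORDER BY T2.Recid")
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    # Branch Manager: only sales for customers in group 20 survive -> [10, 13]
    print(run_query(db, {"Branch Manager"}))
    # A role outside the policy context sees every row matching its own filter -> [10, 11, 13]
    print(run_query(db, {"Sales Manager"}))
```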
Developing security
Phases of security implementation
1. Perform business analysis of job functions
2. Complete functional development
3. Package securable objects in security artifacts
4. Reuse out of the box role definitions and customize as required
5. Define data security policies
6. Test and Deploy
Role Design Principles
- Principle of least privilege
- Segregation of duties

Example of segregated duties across one process (the Employee reports to the Manager):
Recording: Clerk/Agent (source document) | Verification: Verifier (verify) | Authorization: Supervisor (authorize) | Managerial review: Manager (records)
Role-based Security Development
- Form: "Rental Form"
- Tables: "FMRental"
- Permission: "Delete" (Auto Inference of Permissions from the form's base objects)
- Menu Item: "Register Rental", Access Level "Delete"
- Privilege: "fmRegisterRental"
- Duty/Role: "FM Rental Clerk Role"
Security development approaches
- Bottom up (AOT Driven)
- Top down (Menu Item Driven)
Tools: Security Debug Tool; Security Development Tool
Demo: Security Development Tool for AX 2012 (beta)
Security Development Tool
- Simplifies creation and maintenance of Roles, Duties and Privileges
- Guides you in setting menu item access levels
- Records business process flows and identifies the entry points used
- Test security workspace and debug X++ code
Managing Security
- Manage segregation of duties conflicts
- Set up automatic role assignment rules
- Use of ADGroup for ease of management
- Use flexible authentication for providing access to external users of the system
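As an added example (not code from the presentation or from Dynamics AX), the roll-up described under Role-based Security Concepts and the segregation-of-duties check mentioned above, worked together: privileges grant access levels on entry points, duties group privileges, roles group duties, a user's effective access on an entry point is the strongest level reachable through any assigned role, and an SoD rule names two duties that one user must not hold at once. The artifact names extend the slide's FM Rental example (the viewer and approver artifacts are constructed) and the ordering of access levels is assumed.

```python
from enum import IntEnum


class AccessLevel(IntEnum):
    """Entry-point access levels, weakest to strongest (ordering assumed for this example)."""
    NO_ACCESS = 0
    READ = 1
    UPDATE = 2
    CREATE = 3
    CORRECT = 4
    DELETE = 5


# Constructed security artifacts: privileges map entry points to access levels,
# duties group privileges, roles group duties (the FM Rental names are from the slides,
# the viewer and approver artifacts are constructed).
PRIVILEGES = {
    "fmRegisterRental": {"Register Rental": AccessLevel.DELETE},
    "fmViewRentals": {"Register Rental": AccessLevel.READ, "Rental Report": AccessLevel.READ},
    "fmApproveRental": {"Approve Rental": AccessLevel.UPDATE},
}
DUTIES = {
    "Maintain Rentals": ["fmRegisterRental", "fmViewRentals"],
    "Inquire Rentals": ["fmViewRentals"],
    "Approve Rentals": ["fmApproveRental"],
}
ROLES = {
    "FM Rental Clerk Role": ["Maintain Rentals"],
    "FM Rental Viewer": ["Inquire Rentals"],
    "FM Rental Approver": ["Approve Rentals"],
}
# Segregation-of-duties rule: recording a rental and approving it must not sit with one user.
SOD_RULES = [("Maintain Rentals", "Approve Rentals")]


def effective_access(user_roles):
    """Effective access per entry point: the highest level granted by any privilege the
    user reaches through role -> duty -> privilege. A weaker grant never downgrades a stronger one."""
    access = {}
    for role in user_roles:
        for duty in ROLES.get(role, []):
            for priv in DUTIES.get(duty, []):
                for entry_point, level in PRIVILEGES[priv].items():
                    access[entry_point] = max(access.get(entry_point, AccessLevel.NO_ACCESS), level)
    return access


def sod_conflicts(user_roles):
    """Return the SoD rules violated by the duties reachable from a user's combined roles."""
    duties = {d for r in user_roles for d in ROLES.get(r, [])}
    return [rule for rule in SOD_RULES if rule[0] in duties and rule[1] in duties]


if __name__ == "__main__":
    print(effective_access(["FM Rental Clerk Role", "FM Rental Viewer"]))
    print(sod_conflicts(["FM Rental Clerk Role", "FM Rental Approver"]))
```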
Top tips from this session
- Build on the Role Based Security Framework: model your security using the role based security framework
- Express complex data security requirements: model more complex data requirements using the XDS framework
- Use tools for faster development and easier debugging: use the security development tool for development and debugging of security artifacts
- Plan for security upgrade: use the security upgrade advisor to plan and execute on upgrade of security settings
- Simplify ongoing administration tasks: use features such as dynamic role assignment and segregation of duties to simplify administration
Related Sessions
- CHK 305: Security Framework in Dynamics AX 2012

Q&A
Resources
- Security for Microsoft Dynamics AX 2012: http://bit.ly/rREqZB
- Whitepaper on developing XDS policies: http://bit.ly/tTsB7K
- Security Development Tool and Security Upgrade Advisor Tool: http://informationsource.dynamics.com/
- Flexible Authentication Whitepaper: http://go.microsoft.com/fwlink/?LinkID=232522&clcid=0x409
- Security Debug Tool: http://msdn.microsoft.com/en-us/library/hh745340.aspx
Security Development Tool Highlights

Persona | Pain Points and Challenges | Features Covered | Results and Benefits
Isaac | Identify hidden menu items for a functional role | Main menu view; Mark form controls in ribbon; Discover sub-menu items; Recorder | Reduced effort to maintain security artifacts
Isaac | Tweak menu item permissions for a security role | Reference duty/privilege; Set entry point permissions guided form | Easier to test and debug scenarios in security context
Isaac | Need to log on with a different Windows account to test a role | Test security workspace | Debug without System administrator privileges
Flexible Authentication Architecture
1. Users reach Microsoft SharePoint (Enterprise Portal) as an Active Directory User, an AD Federated User, or a Forms-Based Authentication User.
2. Authentication is handled by an STS (Secure Token Service) with pluggable providers: Active Directory Provider (backed by Active Directory), ADFS Provider (backed by ADFS), Forms-Based Authentication Provider with Membership Provider(s) (backed by a User Database), or a Custom STS (backed by its own User Database).
3. Authorization is performed by the AOS (Application Object Server) against the Dynamics AX Database.
Security Implementation Phases

Phase (persona) | Functional Security | Data Security | Authentication
Development (Isaac, ISV) | Roles, Duties, Privileges, Permissions | Policy, Context | -
Customization (Simon and Nandita, Developer / Partner) | Roles, Duties, Privileges | Policy, Context | -
Management (Chris, IT Engineer) | Segregation of Duties, Segregation of Duty enforcement, User Management | - | User Authentication, Federation Trust Setup
Security Upgrade
Security Model: Side By Side

AX 4.0/2009: User -> User Group/Domain ("Branch Manager/Europe") -> Permissions for CustomerTable -> Securable Object with Access Level ("CustomerTable, Read")

AX 2012: User -> Role ("Branch Manager") -> Duty ("Basic Duties") -> Privilege ("View Customer Records") -> Permission ("CustomerTable, Read")
Security Upgrade Steps
1. Export: export legacy security settings from AX 4.0/2009
2. Match: match out of box privileges with legacy security settings
3. Create Privileges: for missing settings, create custom privileges
4. Review/Fine Tune: review new security suggestions and fine tune
5. Generate Custom Roles that map to legacy User Groups
Source: AX 4, AX 2009. Target: AX 2012 systems (Dev, Test, Prod). Iterate.
Match Process

AX 4.0/2009, User Group "Advance Buyer" | AX 2012, Role "Advance Buyer" | Privilege match | Action
CustTable View | CustTableView | Exact | Review match
ContactPerson FullControl | ContactPersonMaintain | Similar | Review match
Asset Addition View | AssetAdditionView | No Privilege | Create new privilege
Address Format FullControl | NA (Removed) | Entry Point Deprecated | -
CCMActivePrice View | NA (Not Found) | No Entry Point | Create entry point and privilege, if needed

Privilege match categories: Exact, Similar, No Privilege, Entry Point Deprecated, No Entry Point.