Saturday, 7 April 2012

Microsoft Dynamics AX 2012 Security

Security architecture of AX 2012

Customers consistently comment that protecting their business data for privacy, compliance, and corporate security reasons is one of their top concerns. Microsoft Dynamics AX 2012 provides greater peace of mind by enhancing control over both authentication (who has access to Microsoft Dynamics AX) and authorization (what people are allowed to do after they have access).

Microsoft Dynamics AX 2012 introduces new authorization concepts and a flexible authentication model that will make it much easier for you to work with your own customers, partners, and vendors through a web-based portal. The aim is to provide flexibility in how people access the data they need without compromising on security, while at the same time reducing the administrative overhead of managing those permissions.

Introducing Role-Based Security

A goal of Microsoft Dynamics AX 2012 was to make security configuration as simple and painless as possible. To achieve this, Microsoft has adopted a role-based security model, complete with more than 80 predefined roles. At the deepest layers of the application, the approach to making the necessary security decisions remains pretty much the same, but how you manage security (the setup, maintenance, debugging, and troubleshooting) is now significantly easier with the introduction of a role-based security paradigm.

The new model separates the specific permissions, such as access to tables or menu items, from the business processes that users work with every day. Defining and assigning those permissions is now the responsibility of the application developers. Microsoft Dynamics AX provides several features and tools to help developers with this task. Business consultants and partners can then group these developer-defined permissions according to unique business requirements and established processes.

Administrators, especially anyone who has managed ERP security configuration in the earlier versions, will appreciate the ease of the new model, which has cut the time required to configure security. Microsoft has spent significant effort and research defining a set of more than 80 baseline role definitions, more than 700 duties, and several process cycles, which ship with the product. So, rather than configuring permissions and defining roles from scratch, the administrator’s task is to fine-tune existing roles to match your particular organization. For the more day-to-day operational tasks, such as assignment of users to roles, Microsoft Dynamics AX 2012 introduces new features such as “Dynamic Role Assignment,” “User-to-Role-to-Organization Assignment,” and some level of Windows PowerShell-based management.

For developers and ISVs, the new model enables you to deliver applications that are secure by design. Especially in industries with stringent compliance requirements, the ability to build and deploy applications with security in mind and to demonstrate compliance out-of-the-box is a true competitive advantage. Microsoft provides an excellent set of tools in the MorphX environment to help you generate permissions and group them into roles so that your applications and add-ins will support straightforward deployment and administration.

Extensible Data Security


Although role-based security will streamline deployment and management, customers have also asked for finer, more granular control over access to specific data within the organization. Role-based security controls access to data entry points, such as menu items and tables, but data security allows you to control access at a deeper level, based on the attributes of data within a table. For example, an account manager role may have access to the sales order table, but the organization might seek to limit individual account managers’ access to specific sales orders based on geography, allowing them to view only the sales orders that originate in their region.

Microsoft Dynamics AX 2012 enables organizations to define authorization policies dynamically so that access to business data can be controlled based on sophisticated business rules. This enables you to easily adapt security configurations that give the right people access to the right data—and only the right data—without compromising your organization’s data access policies.

Flexible Authentication


The third major security capability in Microsoft Dynamics AX 2012 relates to authentication, which determines who is able to access the ERP solution. With the growing need to integrate more closely across the supply chain, authentication has become a pressing need for organizations that need their suppliers, partners, and customers to be able to directly interface with their ERP. The flexible authentication model makes it much easier for external users to securely access ERP data through the Enterprise Portal or other web-based applications.

Building on the Windows Identity Foundation, Microsoft has extended the authentication model in Microsoft Dynamics AX 2012 by using open-standard application programming interfaces (APIs). This simplifies administration of these external accounts by allowing authentication using Active Directory Federation Services (ADFS), Windows Live ID, or other similar methods (for example, forms-based authentication), without requiring the external parties to be provisioned in an Active Directory domain.

Microsoft Dynamics AX 2012 security features dramatically simplify administration, offer greater flexibility and control over data access, and enhance the compliance, security, and privacy of your valuable business data.


Security architecture

The concept of security roles in AX 2012 is as follows:
· Security roles represent a behavior pattern that a person in the organization can play.
· A security role includes a defined set of application access privileges.
· A security role can be defined as a group of duties for a job function.
· System administrators can limit the data that users can access by applying data security policies. Administrators can also control the level of access that users in the role have to current, past, or future records.
· Users are assigned to one or more security roles. Each user must be assigned to at least one security role to have access to Microsoft Dynamics AX.
· Examples of security roles: Shipping Clerk, Accounts Receivable Clerk, System Administrator.


When you understand the security architecture of Microsoft Dynamics AX, you can more easily customize security to fit the needs of your business. The following diagram provides a high-level overview of the security architecture of Microsoft Dynamics AX.






By default, only authenticated users who have user rights in Microsoft Dynamics AX can establish a connection. Microsoft Dynamics AX uses integrated Windows authentication to authenticate Active Directory users. If you configure Microsoft Dynamics AX to use a different authentication provider, users are authenticated by that provider.
 
After a user connects to Microsoft Dynamics AX, access is determined by the duties and privileges that are assigned to the security roles that the user belongs to.

Authorization is the control of access to the Microsoft Dynamics AX application. Security permissions are used to control access to individual elements of the application: menus, menu items, action and command buttons, reports, service operations, web URL menu items, web controls, and fields in the Microsoft Dynamics AX client and Enterprise Portal for Microsoft Dynamics AX.

In Microsoft Dynamics AX, individual security permissions are combined into privileges, and privileges are combined into duties. The administrator grants security roles access to the application by assigning duties and privileges to the roles.


Authorization is used to grant access to elements of the application. By contrast, data security is used to deny access to tables, fields, and rows in the database. Use the extensible data security framework to control access to transactional data by assigning data security policies to security roles. Data security policies can restrict access to data, based on the effective date or based on user data, such as the sales territory or organization. For more information about how to use data security policies in Microsoft Dynamics AX, see Apply conditions to security role assignments.

In addition to the extensible data security framework, record-level security can be used to limit access to data that is based on a query. However, because the record-level security feature will become obsolete in a future release of Microsoft Dynamics AX, we recommend that you use data security policies instead.

Additionally, the Table Permissions Framework helps protect some data. Data security for specific tables is enforced by Application Object Server (AOS).
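The role, duty, privilege and permission chain and the data security policy described above can be modelled in a few lines for access-review purposes. This is an added illustration, not Microsoft Dynamics AX code or its API: every role, duty, privilege and entry-point name is hypothetical, a policy is modelled as one row predicate per role, and the model assumes that every policy attached to a user's roles must allow a row.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data; every name below is hypothetical, not an AX object.
PRIVILEGES = {                      # privilege -> permissions on entry points
    "ViewSalesOrders": {"menu:SalesOrderList", "table:SalesOrder"},
    "EditSalesOrders": {"menu:SalesOrderEdit", "table:SalesOrder"},
    "PostInvoices":    {"menu:InvoicePosting"},
}
DUTIES = {                          # duty -> privileges
    "InquireSalesOrders":  ["ViewSalesOrders"],
    "MaintainSalesOrders": ["ViewSalesOrders", "EditSalesOrders"],
}
@dataclass
class Role:
    duties: tuple = ()
    privileges: tuple = ()          # privileges can also be assigned directly
    policy: Optional[Callable[[dict, dict], bool]] = None  # (user, row) -> allowed?

ROLES = {
    "AccountManager": Role(duties=("MaintainSalesOrders",),
                           policy=lambda user, row: row["region"] == user["region"]),
    "ARClerk": Role(privileges=("PostInvoices",)),
}
USERS = {
    "alice": {"roles": ["AccountManager"], "region": "EMEA"},
    "bob":   {"roles": ["ARClerk"], "region": "APAC"},
    "carol": {"roles": [], "region": "EMEA"},   # no role assigned: no access
}
ORDERS = [{"id": 1, "region": "EMEA"}, {"id": 2, "region": "APAC"}]

def effective_permissions(user_id):
    """Map each permission to the 'role > duty > privilege' paths that grant it."""
    grants = {}
    for role_name in USERS[user_id]["roles"]:
        role = ROLES[role_name]
        pairs = [(d, p) for d in role.duties for p in DUTIES[d]]
        pairs += [("(direct)", p) for p in role.privileges]
        for duty, priv in pairs:
            for perm in PRIVILEGES[priv]:
                grants.setdefault(perm, []).append(f"{role_name} > {duty} > {priv}")
    return grants

def visible_rows(user_id, table, rows):
    """Authorization grants the table; data policies then deny individual rows."""
    user = USERS[user_id]
    if f"table:{table}" not in effective_permissions(user_id):
        return []
    policies = [ROLES[r].policy for r in user["roles"] if ROLES[r].policy]
    return [row for row in rows if all(p(user, row) for p in policies)]
```

Recording the grant path for each permission is what makes the model useful in a review: it shows which role assignment to change when a user holds access they should not have.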

 

1 comment:

  1. This is an Axapta ERP blog for technical and functional fields and includes Microsoft Dynamics Axapta tutorials and Dynamics Axapta coverage. This blog also contains X++ code help for AX developers and solutions to daily technical and functional issues. This blog is specific to Microsoft Dynamics programming, Enterprise Portal, SharePoint services, business connectors, Enterprise Resource Planning applications and SQL databases. It will help to get Microsoft Business Solutions.

    http://daynamicsaxaptatutorials.blogspot.com/