In previous versions of AX, assigning security keys was the main task for a developer. With AX 2012’s role-based security, developers play a much bigger role when creating new elements. Permissions are now assigned on the AOT elements and are grouped together in Privileges. ThesePrivileges are then gathered in Duties which define a role.
The new security framework is based on RDPP:
- Roles: a group of duties specific to a function (accountant, mechanic, clerk, manager, …)
- Duties: a group of related privileges needed for a specific task (sales order entry, approve expenses, order picking etc,
- Privileges: a group of entry points (mostly menu items) needed for a specific action (create sales order lines, set up HRM parameters, start a picking route, …)
- Permissions: a group of base objects each with the required level of access (update salesTable, update HRMParameters, …)
Developers are responsible to provide the appropriate privileges and permissions. An administrator can define roles and duties based on the privileges and permissions -and link users to roles
Standard, out-of-the box roles, duties, privileges and permissions are available to secure all functionallity in Ax2012!Previous versions had … no out-of-the-box security configured roles.
Other facts:- SecurityKeys are no longer used
- Companies are replaced by legal entities
- Domains are replaced by organisations
- Users groups no longer used in a security context
- External users (without an Active Directory -account!) can log on to the Enterprise Portal
The new version of AX offers many new features to all of us. These go from development improvements to data security, which is the one topic I would like to focus on in this post.
The following are the improvements with regard to data security:
- Role-based security
- Server-enforced security
- Extensible data security framework
- Flexible authentication
Role-based security
Data security is much easier to manage. In AX 2012, users are assigned to roles based on the duties and responsibilities they have and access is granted based on those roles. This change puts an end to the tedious and time-consuming process of assigning users based on application objects. Once set up, role assignments can easily be updated based on the business data.
Server-enforced security
Authorization is performed on the server rather the client, consistently enforcing permissions on protected fields regardless of the type of client. The server sends the client only the information that the user has been granted access to, resulting in increased data security.
AX 2009 did not offer the facility to use data security based on effective date. However, in AX 2012 administrators can specify whether users have access to past, present, or future records with different levels of access, which creates much for flexibility to all the different iteration in the use of data throughout the life of the application.
Further, the new version can also be used to create data security policies based on data contained in a different table.
For example, in previous versions you could not filter sales lines by customer location because those were stored in different tables, but the new version makes that totally possible.
Data security policies are enforced at the server regardless of the type of client used to access the data.
Flexible authentication
Authentication of users by methods other than Active Directory allowing external users to access Dynamics AX without a required domain account.