Securing Peace of Mind: the Microsoft Dynamics AX 2012 Security Model
Our customers consistently comment that protecting their business data—for privacy, compliance, and corporate security reasons—is one of their top concerns. In Microsoft Dynamics AX 2012, we’re looking to provide our customers with greater peace of mind by enhancing control over both authentication (who has access Microsoft Dynamics AX) and authorization (what people are allowed to do after they have access).
Microsoft Dynamics AX 2012 introduces new authorization concepts and a flexible authentication model that will make it much easier for you to work with your own customers, partners, and vendors through a web-based portal. Our goal was to provide flexibility in how people access the data they need without compromising on security, while at the same time reducing the administrative overhead of managing those permissions.
Introducing Role-Based Security
One of our primary goals in Microsoft Dynamics AX 2012 was to make security configuration as simple and painless as possible. To achieve this, we adopted a role-based security model, complete with more than 80 predefined roles. At the deepest layers of the application, the approach to making the necessary security decisions remains pretty much the same, but how you manage security—the setup, maintenance, debugging, and troubleshooting—is now significantly easier with the introduction of a role-based security paradigm.
The new model separates the specific permissions, such as access to tables or menu items, from the business processes that users work with every day. Defining and assigning those permissions is now the responsibility of the application developers. Microsoft Dynamics AX provides several features and tools to help developers with this task. Business consultants and partners can then group these developer-defined permissions according to unique business requirements and established processes.
Administrators—especially anyone who’s managed ERP security configuration in the past—will appreciate the ease of the new model, which has cut the time required to configure security by as much as several weeks among some of our Technology Adoption Program (TAP) customers. We spent significant effort and research defining a set of more than 80 baseline role definitions and more than 700 duties and several process cycles, which ship with the product. So, rather than configuring permissions and defining roles from scratch, the administrator’s task is to fine tune existing roles to match your particular organization. For the more day-to-day operational tasks, such as assignment of users to roles, Microsoft Dynamics AX 2012 introduces new features such as “Dynamic Role Assignment,” “User-to-Role-to-Organization Assignment,” and some level of Windows PowerShell-based management.
For developers and ISVs, the new model enables you to deliver applications that are secure by design. Especially in industries with stringent compliance requirements, the ability to build and deploy applications with security in mind and to demonstrate compliance out-of-the-box is a true competitive advantage. We provide an excellent set of tools in the MorphX environment to help you generate permissions and group them into roles so that your applications and add-ins will support straightforward deployment and administration.
Extensible Data Security
Although role-based security will streamline deployment and management, our customers have also asked for finer, more granular control over access to specific data within the organization. Role-based security controls access to data entry points, such as menu items and tables, but the data security allows you to control at a deeper level, based on the attributes of data within a table. For example, an account manager role may have access to the sales order table, but the organizations might seek to limit individual account managers’ access to specific sales orders based on geography, allowing them to view only the sales orders that originate in their region.
Microsoft Dynamics AX 2012 enables organizations to define authorization policies dynamically so that access to business data can be controlled based on sophisticated business rules. This enables you to easily adapt security configurations that give the right people access to the right data—and only the right data—without compromising your organization’s data access policies.
The third major security enhancement in Microsoft Dynamics AX 2012 relates to authentication, which determines who is able to access the ERP solution. With the growing need to integrate more closely across the supply chain, authentication has become a pressing need for organizations that need their suppliers, partners, and customers to be able to directly interface with their ERP. Our new flexible authentication model makes it much easier for external users to securely access ERP data through the Enterprise Portal or other web-based applications.
Building on the Windows Identity Foundation, we’ve extended the authentication model in Microsoft Dynamics AX 2012 by using open-standard application programming interfaces (APIs). This simplifies administration of these external accounts by allowing authentication using Active Directory Federation Services (ADFS), Windows Live ID or other similar methods (e.g. Forms based Authentication), without requiring the external parties to be provisioned in an Active Directory domain.
We’re excited to introduce these enhancements, which dramatically simplify administration, offer greater flexibility and control over data access, and enhance the compliance, security, and privacy of your valuable business data. If you’re developing applications for Microsoft Dynamics AX 2012, we encourage you to become familiar with the new security model and the development tools on the Development Center for MS Dynamics AX on MSDN.
In this interview with Arindam Chatterjee, Principle Program Manager in the AX product team, gives a good insight into some of the consideration behind the improvements in the security model for MS Dynamics AX 2012: