Best Practices, Tips and Tricks for Implementing XDS (Extensible Data Security) policies
Here are some best practices, tips and tricks to consider while creating XDS policies to meet your data security needs:
- While XDS policies are a very powerful tool to meet your data security needs at all entry paths to the Server, do not expect to be able to secure every table in the system unless you’re willing to pay a big performance penalty. Strategically target the tables you want to protect.
- Reduce the number of joins you are adding to the query when applying the XDS policies. As you add more joins, the performance will degrade.
- One trick to reduce the number of joins is to use ‘MyConstructs’ in the policy query. They are temporary tables of type TempDB and are populated using a table method called XDS(). This method is available for developers to write X++ logic to populate the temporary table. After the temporary table is populated, subsequent policy queries will use the temporary table.
- In MyConstructs, you have the ability to refresh the data either PerSession or PerInvocation. Unless required otherwise, choose the per session caching for optimal performance
- Test the XDS policies for performance on a large volume of data before putting it to production use.
- XDS policies offer three levels of control. You can apply based on a particular security role, apply it to more than one security roles or on the basis of an application context that is secured by code or on metadata in the case of queries. You can use these knobs to fine tune and control when the XDS policy is applied
- Besides the three levels mentioned above, another knob is the operation. The XDS policy can be applied for a given operation. For eg. you might choose to filter when a select operation is done on a table, but perhaps not when the update is done. This is configurable in the XDS policy metadata. The choices of operation(s) for which the policy can be applied are Select, Insert, Update, Delete , (Insert, Update and Delete) or All operations
Detailed instructions on development and debugging of XDS can be found in a whitepaper that can be found her: http://www.microsoft.com/en-us/download/details.aspx?id=3110
XDS is a powerful mechanism that allows the ability to express and implement complex data security needs. Hopefully, some of these best practices and suggestions will help in your implementation of XDS policies. As always, feedback is welcome.