Inside Microsoft Dynamics AX 2012: Securing Peace of Mind – The Microsoft Dynamics AX 2012 Security Model

Our customers consistently comment that protecting their business data, for privacy, compliance, and corporate security reasons, is one of their top concerns. In Microsoft Dynamics AX 2012, we're looking to provide our customers with greater peace of mind by enhancing control over both authentication (who has access to Microsoft Dynamics AX) and authorization (what people are allowed to do after they have access). Microsoft Dynamics AX 2012 introduces new authorization concepts and a flexible authentication model that will make it much easier for you to work with your own customers, partners, and vendors through a web-based portal. Our goal was to provide flexibility in how people access the data they need without compromising on security, while at the same time reducing the administrative overhead of managing those permissions.

Introducing Role-Based Security

One of our primary goals in Microsoft Dynamics AX 2012 was to make security configuration as simple and painless as possible. To achieve this, we adopted a role-based security model, complete with more than 80 predefined roles. At the deepest layers of the application, the approach to making the necessary security decisions remains pretty much the same, but how you manage security (the setup, maintenance, debugging, and troubleshooting) is now significantly easier with the introduction of a role-based security paradigm. The new model separates the specific access permissions, such as access to tables or menu items, from the business processes that users work with every day. Defining and assigning permissions is now the responsibility of the application developers. Business consultants and partners can then group these developer-defined permissions according to unique business requirements and established processes.

We spent significant effort and research defining a set of more than 80 baseline role definitions (along with more than 700 duties and several process cycles), which ship with Microsoft Dynamics AX 2012. So, rather than configuring permissions and defining roles from scratch, the administrator's task is to fine-tune existing roles to match your particular organization. For the more day-to-day operational tasks, such as assignment of users to roles, Microsoft Dynamics AX 2012 introduces new features such as "Dynamic Role Assignment," "User-to-Role-to-Organization Assignment," and some level of Windows PowerShell-based management. Administrators, especially anyone who's managed ERP security configuration in the past, will appreciate the ease of the new model, which has cut the time required to configure security by as much as several weeks among some of our Technology Adoption Program (TAP) customers. This, in turn, means that our customers are able to go live with their business application more quickly than they could in the past, improving their time to value. The new model also means that applications and add-ins created by developers and independent software vendors (ISVs) are secure by design. Especially in industries with stringent compliance requirements, the ability to demonstrate the security of your applications out-of-the-box can truly bring peace of mind.

Extensible Data Security

Although role-based security will streamline deployment and management, our customers have also been asking for finer, more granular control over access to specific data within the organization. Role-based security controls access to menu items and types of data, such as customers or purchase orders, but in the real world, you may need to control access at a more detailed level, such as by geography, company, or division. For example, the account manager role may have access to the sales order information, but many organizations will also seek to limit access based on geography, allowing account managers to view only the sales orders that originate in their region. Microsoft Dynamics AX 2012 enables organizations to define authorization policies dynamically so that access to business data can be controlled based on sophisticated business rules. This enables you to easily adapt security configurations that give the right people access to the right data, and only the right data, without compromising your organization's data access policies.

Flexible Authentication

The third major security enhancement in Microsoft Dynamics AX 2012 relates to authentication, which determines who is able to access the ERP solution. With the growing need to integrate more closely across the supply chain, authentication has become a pressing need for many of our customers who need their suppliers, partners, and customers to be able to directly interface with their ERP. Our new flexible authentication model makes it much easier for external users to securely access ERP data through the Enterprise Portal or other web-based applications. Building on the Windows Identity Foundation, we've extended the authentication model in Microsoft Dynamics AX 2012 by using open-standard application programming interfaces (APIs). This simplifies administration of these external accounts by allowing authentication using Active Directory Federation Services (ADFS), Windows Live ID, or other similar methods (e.g., forms-based authentication), without requiring the external parties to be provisioned in an Active Directory domain.

We're excited to introduce these enhancements, which dramatically simplify administration, offer greater flexibility and control over data access, and enhance the compliance, security, and privacy of your valuable business data. Also watch the following video featuring Principal Program Manager, Arindam Chatterjee.

Share Your Thoughts

How do regulatory compliance and customer privacy issues shape your organization's data access policies? To what extent are these policies enforced by role rather than by data characteristics?

Best Regards


Luke Shave
Sr. Industry Marketing Manager