AX 2012 and the use of the new Extensible Data Security Framework
With the release of Microsoft Dynamics AX 2012, we have a new framework that allows us to secure data across shared tables. In past versions of Dynamics AX, this was handled with record level security. In AX 2012, record level security still exists, but only to support backwards compatibility for upgrades to the latest version.
To help jump-start the understanding of this new framework, and of how to develop extensible data security policies with it, Microsoft has released a white paper that talks through the concepts, ideas and examples for using the framework to address shared table data security requirements.
A direct link to that white paper can be found here: Microsoft Dynamics AX 2012 White Paper: Developing Extensible Data Security Policies
From the paper:
"The extensible data security framework is a new feature in Microsoft Dynamics® AX 2012 that enables developers and administrators to secure data in shared tables such that users have access to only the part of the table that is allowed by the enforced policy. This feature can be used in conjunction with role-based security (also supported in Microsoft Dynamics AX 2012) to provide more comprehensive security than was possible in the past.
Extensible data security is an evolution of the record-level security (RLS) that was available in earlier versions of Microsoft Dynamics AX. Extensible data security policies, when deployed, are enforced, regardless of whether data is being accessed through the Microsoft Dynamics AX rich client forms, Enterprise Portal webpages, SSRS reports, or .NET Services."
As you can see, this is the evolution of record level security, and it offers a lot more than was possible in the past. Looking at this a little more closely, we see that the framework is made up of some basic parts: Constrained Tables, Primary Tables, Policy Queries and finally Policy Context.
The basic concept for using the framework is to model a query on the given target, or primary, table, then create a policy that is constrained against other tables or view objects, and finally set the context in which the policy is applied.
What's important to note is that performance concerns are listed right at the very start of this white paper. Rightfully so, as a policy adds clauses to the WHERE or ON section of a given query against a SQL table. What's also important to understand is that, unlike record level security, which does this within the AOS, this is actually targeted at the SQL Server execution level. That is a great improvement, but any time predicates are added to the WHERE clause of a query that fetches result sets, the resulting index usage and joins can have wide-ranging impacts on performance.
To this end, the white paper includes a section entitled "Developing efficient extensible data security policies". This section is a must for understanding best practices when creating such policies, and how best to avoid performance impacts. The section contains a lot of very important information, but the key points to take away from it are: use indexes correctly, and be aware that with some of the super-normalized datasets in AX 2012, complex joins can occur that can have a negative impact on performance.
With all of this pointed out, Extensible Data Security (XDS) in AX 2012 is very powerful. Like all things, it needs proper design and planning; with those in place, and combined with the new role-based security, it can meet the requirement for secured access to shared tables among users.
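The effect described above, a policy predicate appended to the WHERE clause and its dependence on index usage, can be modelled outside AX. The following is an added example, not code from the white paper or from Dynamics AX: it uses SQLite in place of SQL Server, and the table names, the `ix_uvg` index and the policy text are constructed for illustration and are not the SQL that AX generates.

```python
import sqlite3

# Constructed schema, not AX 2012 tables: vend = primary table,
# purch_order = constrained table, user_vend_group = policy context.
SCHEMA = """
CREATE TABLE vend (account TEXT PRIMARY KEY, vend_group TEXT);
CREATE TABLE purch_order (id INTEGER PRIMARY KEY, vend_account TEXT, amount REAL);
CREATE TABLE user_vend_group (user_id TEXT, vend_group TEXT);
INSERT INTO vend VALUES ('V001','DOMESTIC'), ('V002','FOREIGN');
INSERT INTO purch_order VALUES (1,'V001',500), (2,'V002',900), (3,'V001',50);
INSERT INTO user_vend_group VALUES ('alice','DOMESTIC'), ('bob','FOREIGN');
"""

# Policy query modelled on the primary table, correlated to the constrained table.
POLICY = """EXISTS (SELECT 1 FROM vend v
  JOIN user_vend_group g ON g.vend_group = v.vend_group
  WHERE v.account = purch_order.vend_account AND g.user_id = :user)"""

def constrain(sql):
    """Append the policy predicate to a simple SELECT on purch_order."""
    joiner = " AND " if " where " in sql.lower() else " WHERE "
    return sql + joiner + POLICY

def visible_ids(conn, sql, user):
    """Run the caller's query with the policy enforced for `user`."""
    rows = conn.execute(constrain(sql) + " ORDER BY id", {"user": user})
    return [r[0] for r in rows]

def plan_uses(conn, sql, index_name):
    """True if the query planner picks `index_name` for the constrained query."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + constrain(sql), {"user": "alice"})
    return any(index_name in r[3] for r in rows)

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sql = "SELECT id FROM purch_order WHERE amount > 100"
    before = plan_uses(conn, sql, "ix_uvg")   # no supporting index yet
    conn.execute("CREATE INDEX ix_uvg ON user_vend_group (user_id, vend_group)")
    after = plan_uses(conn, sql, "ix_uvg")    # policy join can now seek
    return visible_ids(conn, sql, "alice"), visible_ids(conn, sql, "bob"), before, after

if __name__ == "__main__":
    print(demo())
```

The caller's query never mentions the policy, yet each user gets only the rows the policy allows, and the plan for the injected join changes once the context table has a matching index.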
That's all for now. Check back soon, as there is more to come. Till next time!