AXUG Summit 2012 - Pre-Game Warm up Post

Well I trust everyone is getting ready and excited for the upcoming AXUG Summit 2012, set to kick off the week of October 15th in Seattle! There are a lot of great training oppurtunities, as well as knowledge sharing sessions. Find the full details from the agenda.



This year is going to be a land mark year I believe for the conference with so much great content. There are a lot of people interesting in Dynamics AX 2012 as well as plenty of customers looking to extend their value and knowledge base for Dynamics AX 2009.



First up for me, as the above image implies, I will be putting on a training session for the AXUG Academy around Organizational BI for AX 2012. This will cover topics, including AX-SSRS report development, Cubes, Role Centers, Contextual BI and more!



Following that I will have a session specifically around using Microsoft Dynamics AX 2012 to Create a System of Engagement. As the name implies, which I first wrote about with "Creating a System of Engagement with Microsoft Dynamics AX 2012", I will go into how topics like BI as well as Role Based modeling, can be used to truly have more than just a system of record. Instead we move beyond the mere transactional concept and think in terms of truly engaging the users with AX 2012. This means having this type of thought process from the start of the implementation, through to on-going support post go live!

All-in-all this AXUG Summit is set to be the best one yet. I will also be live covering the different sessions, sitting on panel discussions for different sessions around BI and AX, and more. If your going to be there, make sure and connect with me!

That's all for this warm up post, however check back soon as I finalize the series on XDS, going back to BI basics, as well as wrap up the Office 2013 mini-series. Further there is more exciting news around the cloud, and other topics like TypeScript that we need to cover. Till Next Time!
Follow Me @:
    

"Visit the Dynamics AX Community Page today!"

Using XDS to Secure data via the Organization Model (Part 1) - AX 2012

Recently, I posted an article that covered the resources for helping one understand the options, and how best to model a companies organization within Microsoft Dynamics AX 2012. You can find that article here.: A question around Organization Modeling for AX 2012

As promised, this post kicks off that two part series, in where I will dive into the use of XDS for securing data within AX 2012.



Before we dive right into securing data, based on the organizational model within AX 2012, first it's important to understand the parts that will make up our solution to this. Keep in mind, that the focus for Microsoft Dynamics AX 2012, is always to model more and code less!

With that in mind, and referencing the above image the are we are talking about focusing on is the Data Security area. This is where deny takes place, where as above it in the authorization section, in which we do role based modeling of security, grant takes focus.

For the sake of this post, and it's focus around data security, lets assume then that you already have your role based modeling of security petty much complete. With that assumption aside, our focus for this effort is around the Data Security Policies. This is where we will live, and what objects we created will have context.

As mentioned in previous post, Query Elements are meant to be a re-usable API in AX 2012. They are considered modeling elements, vs. custom code elements.

The idea, is that we create a modeling query used to represent the policy, in what we want to deny. In doing this we then, as stated above, start with a query. For example, if we wanted to model a query that limited prospects, by inbound user id, then that would be the target of our query.

Lets then look at the start of this example query. Since we want to constrain the Prospects from the Sales & Marketing module, we need to first target the smmBusRelTable. Since we want to constrain these for the inbound user id, lets assume responsibilities have been modeled and we have a "Sales Rep" responsibility tied to prospects.



With having this, then we need to add to our query, the smmResponsibilitiesEmplTable table. This is joined to the smmBusRelTable by RefTableId & RefRecId as a 1:n join type in the query design. Further, since we are targeting the "Sales Rep", we add to our ranges, the ResponsibilityId field, and add for the value: Sales Rep.



The next trick we need to focus on, is then having the query take us from the Worker associated with the responsibility for the the prospect, to the user id. This assumes, then that User's are associated with employee's of type workers via user relations. In that assumption, we can make the connection from smmResponsibilitiesEmplTable -> HcmWorker -> DirPerson -> DirPersonUser.



Now that we have achieved this, we next need to focus on our final range for the DirPersonUser table. That being of the user field. For the value that we supply for the range, it is a function: (currentUserid())



Now that we have this supplied, our query is ready to be set for the basis of a Security Policy. That is the next element of focus, in modeling security with XDS, a security policy. Doing this, we create a security policy, set our constraint properties, and finally enable the policy.



The above we see the correct security policy, and that it is further constraining the SalesQuotationTable as well as the SalesQuotationLine table. Further, the following is the properties of the above listed security policy object.



With the above enabled, and not having anything supplied for the ContextType, this policy is not enabled for anyone, and will deny access to the Prospects & Quotation tables based on the query we modeled. Meaning anyone that does not have a Sales Rep responsibility association for a prospect will not see that prospect when access AX 2012 from the Rich Client, EP, Reporting or service integration. Only users with System Administration role can see everything.

This would mean, that most likely you would want to at least apply this by Security Role, say Sales Rep that you had modeled. Then this policy would only deny access by the modeled query, for the specific user id's, when having the Sales Rep Security role applied to their user id.

Another point about security policies is that the intersection of multiple policies is what is shown. Where as in the grant focused authorization of role based security modeling, that will take the sum of all granted rights, for all applied security roles. Security policies, all that are enabled, must fully be satisfied. This means you could enable overlapping security policies that have adverse affects on what is trying to be achieved. Therefore, like all things, use caution.

Having the above base knowledge, and walk through for using data security policies to deny access to specific data, we can then move forward with part II of this focus, with using the organization model relating to released products, to model security against.

That's all for today's post, I hope you find it useful. Check back soon as more to come, including part II of this post, more on BI and the System of Engagement, as well as upcoming AXUG Summit coverage. Till Next Time!
Follow Me @:
    

"Visit the Dynamics AX Community Page today!"

A question around Organization Modeling for AX 2012

I hope that you have had a productive week thus far, filled with all things Microsoft Dynamics! As promised earlier this week, I wanted to post today about a specific question that came from my post on AX 2012 - Understanding & Extending the Organization Model.



The question posed by a reader of that post, is around the modeling of their organization for business units, and associating released products to specific Business Units.

Lets take this possed question a little further, and assume that the business unit association is desired to limit the use of released products.



Since released products, with AX 2012 out-of-the-box, are legal entity specific entities, that is the level of separation that comes as offered. Further out-of-the-box, with configuration, you can have business units used as financial dimensions. Meaning that we could then associate a released product, within a legal entity, to a business unit.



Having this association however, would not by itself limit the use of products, for users of AX, that work within specific business units. We have added something new here right? We can associate business units with released products, as financial dimensions. However the new element that we need to try and achieve is limiting the released products in a legal entity by business unit.

Now let us think about this. We could easily jump right into code driven design, that would allow for releasing products to business units, within legal entities. But why do that? The idea with Microsoft Dynamics AX 2012 is to model more and code less.

Our secret to success in this endeavor then, would be to think in terms of modeling. This includes having Organizational modeling that has an operating model, that gives us legal entities, with business units under them. Further having the financial dimensions modeled and configured so that business units are used as financial dimensions. Finally, we need to model security with the use of Extensible Data Security Framework (XDS).



Now with this, I must warn that there are very specific warnings when using XDS for modeling security. The idea is that it would only be used with Master Data elements, according to best practice. With that warning in mind, my next post on this topic will go into greater detail of how this can be achieved with modeling, and minimum code. Till Next Time!
Follow Me @:
    

"Visit the Dynamics AX Community Page today!"

AX 2012 - Query Elements, a reusable API

I hope everyone is doing well, as we launch full on into our Dynamics Spring! I love it when the time changes here in America, and we are able to enjoy longer hours in the sun. I'm a spring-summer-fall guy, which really means I love being out in the sun. With that said, I wanted to talk with you today, about Query Element Objects, within the AOT for Microsoft Dynamics AX 2012.



Query node objects, in AX 2012 has received some major overhauls, with giving us the ability to now offer having use, for example, and more complex outer joins, as well as non-exist joins. These kinds of improvements, along with others helps lend themselves to the use of Query Elements from the AOT for a multiple use scenario's. This is where the concept of the Query Element, being slated as a reusable API comes into play. Before we continue forward with that concept, there are some really nice resources from MSDN on this topic I think it's important to share. Mostly, how to create and make use of query elements.: How to: Create Queries by Using the AOT [AX 2012].

With that noted, lets take a look at where all queries are used within AX 2012 and see for ourselves what makes a query element, truly a reusable API. First up, we have the obvious, in which I've talked to in the past on this blog. Specifically I'm making reference to using a query element as the source of a dataset for modeled approach to an AX-SSRS report.



In talking in terms of reporting & BI, having the query as the basis for a reports dataset is the desired, "modeled solution" for report design. In this, as I point out in the past post, the query is the source for the data of the report, and the control of the report is the ranges that one setups from the query.

Moving right along with this concept, we also have seen - in past articles, where query objects can be used as the source of OData feeds for PowerPivot based reports.



In this, we can create a query element in the AOT, that we reference and make use of from the Document Data Sources form that we find under Document Management for an instance of AX 2012. In doing this, we are then able to enable, and publish this query as an OData feed, through the out-of-the-box ODataQueryService. Doing this, we are able to apply and make use of security from within the context of AX, yet offer the flexibility and power, that a tool like Microsoft PowerPivot brings to users and it's nature for creating ad-hoc reports. I've seen in the past, partners training users, even on AX 2012 - to create views that go directly to the database. There is no reason for this, and you should never do such. Instead, make the correct choice with the use of query elements and consume those as your OData feeds for PowerPivot needs.



As we continue to move on with this discover process of what really makes a query element a reusable API, lets look at something else we have talked to in the past on this blog. That is the creation and use of Document Services for AX 2012.



As shown in the above image, referenced from the above post, the use of a query as the basis and start of a document service is critical to understand. There are some key point specific's around certain settings for query elements that are used as the basis for document services, however it does start with the design or use of a query element from within the AOT. The image above is showing the context menu, when you right click on a query element, and what kicks off the AIF Document Service Wizard

The above are just a few examples, in which we can easily speak to and say that query elements truly are a reusable API for AX 2012. Some other area's include: Workflow design, Basis for an RDP class (ie: CustAgingReport), View datasources that themselves are sources for perspectives and cubes, modeling security with XDS, ListPage designs, Cue's, and more!

With the power of Query elements in AX 2012, when you start to look at what all they are the basis of, you should really ask yourself when doing in design work - Can a Query Element be used here? If so, does one already exist, or should I create a new query element? How can it be used throughout my instance of AX 2012? It's a true statement, in that Query Elements are reusable API's for AX 2012, and understanding there value, use cases, and design aspects will help you get the most out of your AX 2012 investment.

That's all for this post, I hope you have a great productive wed, and check back soon as more to come! Till Next Time!
Follow Me @:
    

"Visit the Dynamics AX Community Page today!"

Freaky Tech Friday - The Killing Zone

Well Ghosts and Ghouls, it seems you dare to return for the last and final Freaky Tech Friday post of this years haunting season. It came from Another Platform, didn't drive you away. Entering The Abyss of Integration didn't drive you mad, and your survived Attack of the Zombie Processes. Now let us enter, The Killing Zone.



This tale, is one of great suspense, and danger, focused around the fact that if the new design patterns, thought processes and concepts that come as part of AX 2012 are not fully understood and used, you will not make it out of the Killing Zone alive. You will end up dead! Or at least at a dead end with your Dynamics AX, and it's ROI. This is an easy place to survive if your new the the Dynamics AX world, however for those of us that have been working with the product since it earlier days, to quote "The Times, they are a changing".

To this point, they have changed, with so many different things to understand. One hot topic I keep talking about is around Workflows in AX 2012, and how it should be used to model business processes. There are several other area's however, from how you integrat with AX, making use of the SysOperations Framework, vs. RunBasebatch, and even planning for the new delcrative engine that empowers the new option for configuration needs that a customer might have for it's products.



I've not spent much time on this topic yet, however the new configurator within AX 2012 is based on Microsoft Solver Foundation technology, which is a declarative based decision engine, vs. the current Product Builder, rules based engine. Not to get to deep on this specific topic, as it well deserves many, many post.

Some Area's that need special attention, if you are to avoid having your final resting place be within the killing zone, are.:

• XDS vs. RLS - Record Level Security still exists in AX 2012, and is meant to support upgrades. However any new scope, should not use RLS, but instead make use of the new Extensible Data Security Framework
• RunBaseBatch & RunBaseReport - Again, here we have these in place and still used by out-of-the-box scope from Microsoft. With that, any new development should use the SysOperations Framework, or Business Operations Framework. It is true that this framework ends up, specifically for Batch using the underlying batch classes. However those are clearly marked as legacy code and will be ripped out in the next version as replaced. This is why it's important to use the new Design Concept and not get trapped into old habbits.
• Avoid the .Net BC - This is important one to really understand and take advantage of. For any new scope the .Net BC Should not be used. Instead the focus should be around services development in AX 2012, for internal and external of AX consumption and usage.

There are a lot of other, specific's that can trap you into falling into the killing Zone, and killing your chances of maximizing your ROI, and getting some great new use cases that come as part of what is offered now in AX 2012.

There are cases, specifically related to upgrades from older to version of AX to AX 2012, that you have to use the older concepts. As the value is not there maybe to change a bunch of code, as part of the upgrade, just to use the new frameworks. However, before AX 7 takes shape for such cases, those area's will have to be addressed. Also, when upgrading is the focus, still keep in mind that anything new, or anything that must change, should change and use the new concepts, vs. the older ones.

Well Ghosts and Ghouls, take heed to these warnings, and avoid having the killing zone be your final resting place. That's all the haunting post for this season of terror, stay safe and if you dare return, we shall be waiting here, ready to scare you next year.

Tell next time!

"Visit the Dynamics AX Community Page today!"

AX 2012 and the use of the new Extensible Data Security Framework

With the release of Microsoft Dynamics AX 2012, we have a new framework in which we can make use of that will allow us to secure data across shared tables. In past versions of Dynamics AX, this was handled with record level security. With AX 2012, record level security still exists actually, but only to support backwards compatibility for upgrades to the latest version.



To help jump start the understanding, and how to develop extensible data security policies using this new framework, Microsoft has released a white paper that talks through the concepts, the ideas and examples for using this new framework to address the needs of such shared table data security requirements.

A direct link to that white paper can be found here.: Microsoft Dynamics AX 2012 White Paper: Developing Extensible Data Security Policies

From the paper:
"The extensible data security framework is a new feature in Microsoft Dynamics® AX 2012 that enables developers and administrators to secure data in shared tables such that users have access to only the part of the table that is allowed by the enforced policy. This feature can be used in conjunction with role-based security (also supported in Microsoft Dynamics AX 2012) to provide more comprehensive security than was possible in the past.

Extensible data security is an evolution of the record-level security (RLS) that was available in earlier versions of Microsoft Dynamics AX. Extensible data security policies, when deployed, are enforced, regardless of whether data is being accessed through the Microsoft Dynamics AX rich client forms, Enterprise Portal webpages, SSRS reports, or .NET Services."

As you can see this is the evolution of the record level security, and offers a lot more than was possible in the past. Looking at this a little bit, we see that the framework is made up of some basic parts.: Constrained Tables, Primary Tables, Policy Queries and finally policy Context.

The basic concept for using the framework is modeling query on the given target, or primary table. Then creating a policy than is constrained against other tables or view objects, and finally setting the context in which the policy is applied.

What's important to note, is right in the very start of this white paper, performance concerns are listed. Rightfully so, as this will add clauses to the WHERE or ON section of a given query against a SQL table. What's also important to understand, that unlike record level security, which does this within the AOS, this is actually targeted at the SQL Server execution level. A great improvement, but anytime the SQL query, or fetching or resultsets is added to on the where, the possibility of affecting performance, purely from the index usage and joins caused, can have wide ranging impacts.

To this end, as part of this white paper there is a section entitled: "Developing efficient extensible data security policies". This section is a must in understanding BP when creating such scope, and how best to avoid performance impacts. The key points to take away from that section, minus the entire amount of information is very important contained within it, is: Use Indexes correctly, and be aware that with the some of the super normalized datasets in AX 2012, complex joins can occur that can have a negative impact on performance.

With all of this pointed out, and stated, Extensible Data Security (XDS) in AX 2012 is very powerful, and like all things, when proper design and planning are in place, this can be a powerful tool, mixed with the new Role Based security that can empower the requirement needs for enabled secured access to shared tables among users.

That's all for now, check back soon as more to come. Till next time!


"Visit the Dynamics AX Community Page today!"