Security For Developers - Part II - Code Access Security

 

As promised, this is the second portion on Security for Developers. If you missed the first part of this series, you can get it HERE.

Today we are going to learn about code access security in Microsoft Dynamics AX 2012. And to start I would like to talk about a little bit about code access security in C#.

In C# (.NET) as well as in AX 2012, we work with security demands. And what is a security demand?

We can probably figure that demands are used to ensure that every caller who calls your code (directly or indirectly) has been granted the demanded permission.

 In a regular environment this happens when demanded for permission; the runtime's security system walks the call stack, by comparing the granted permissions of each caller to the permission being demanded. At this point, like in any high security building in New York City, if any caller in the call stack is found without the demanded permission then a SecurityException is thrown.  In the case of a New York City building, you will be thrown out of the building. Simple ah?

 Well, the same type of process exists in AX 2012 as AX 2012 Code Access Security is used by developers to protect Secured APIs from being invoked by un-trusted code (code that does not originate from the AOT). Code access security does this by verifying the following:

1. The code asserted the appropriate permission on the call stack to use the secured class.
2. The assert (the request to use the secured class) is executed in trusted code and saved in the AOT.
3. The assert is executed on the same tier as the secured class.

In addition, Code Access Security covers the use of secured classes on the server tier only and we don’t need to modify client callas of secured classes, which is cool and scalable.

So here is how this works:

1. Code Access Security must be implemented by the secured class owner and all consumers of the secured class.
2. The owner secures the secured class by implementing a specific type of permission class and calling the demand()  (remember the C# demands above?) method on that class.
3. Each class consumer must explicitly request permission to invoke a secured class by calling the assert() method on the permission class.  (this is where the permissions are compared)
4. Application code will break unless both of these steps are completed. (This is similar to the  SecurityException in .NET)

NOTE: Code Access Security does not guarantee the validity of any data or parameters passed to the secured class. Data validation is still the responsibility of the consumer. 

Now, in AX 2012, there are six groups of protected classes in AX 2012 Code Access Security:

• Direct SQL
• Run-time compilation and execution of X++
• Data-controlled execution of X++
• File handling
• Win32 Interop
• Windows API

The follow first code shows how to consume the TextBuffer class. So, we first need to create a new FileIOPermission object, then pass the file name as a parameter, and then we call the assert() method. The second example shows how to call a CAS-enabled API.

server void MyServerFunction()

{

  // Declare the code access security permission object.

  FileIOPermission fileIOPermission;

  TextBuffer txtb = new TextBuffer();

  Filename filename ="c:\\temp\\myfile.txt";

  // Assert that it is okay to read and write files

  fileIOPermission = new   FileIOPermission(filename, 'rw');

  fileIOPermission.assert();

  // From file will demand CAS permission (read)

  txtb.fromFile(filename); // Read text from file

  // To clipboard will demand CAS permission (write)

  txtb.toClipboard(); // Copy it to the clipboard

  // To file will demand CAS permission (write)

  txtb.toFile(filename); // Write text to file

}

server void callCASEnabledAPI()

{

    DictClass dictClass;

    anytype   retVal;

    str       resultOutput;

    // Variable for the permission class.

    ExecutePermission perm;

    ;

    perm = new ExecutePermission();

    // Grants permission to execute the DictClass.callObject method.

    // DictClass.callObject is protected by code access security.

    perm.assert();

    dictClass = new DictClass(classidget(infolog));

    if (dictClass != null)

    {

        retVal       = dictClass.callObject("toString", infolog);

        resultOutput = strfmt("Return value of is %1", retVal);

        print resultOutput;

        pause;

   }

                // Closes the code access permission scope.

                CodeAccessPermission::revertAssert();

}

In the above example, if permission to use the API is not asserted, the following error is generated:

Request for the permission of type '%1' failed.

 

The following, and sadly, the last example shows how to execute permissions to a direct SQL statement within X++.

static void getCustomersDirectSQL(Args _args)

{

  Connection   userConnection;

  Statement    stmt;

  str     sqlString;

  ;

  userConnection = new Connection();

  stmt = userConnection.createStatement();

  sqlString = 'select * from custTable';

  new SqlStatementExecutePermission(sqlString).assert();

  stmt.executeQuery(sqlString);

  CodeAccessPermission::revertAssert();

}

It is important to remember that these tools are critical when developing our modifications to the system (AX 2012). Now that AX 2012 X++ language is compiled in the IL, we need to take advantage of the .NET CLR code access security when integration internal/external applications with AX 2012.

I hope you enjoyed reading this post and stay tune for my last post of this series about display methods authorizations in AX 2012.

Have a great and safe weekend!

AX 2012 - Security for Developers - Part I

Hi there!

Roles, duties and privileges security levels cover access to single elements, for example forms, and groups of elements needed to perform a duty. As developers we are responsible for defining more granular security levels by setting access on tables and controls in a form, and/or by associating classes that perform an action with permission (i.e. an action menu item)

In this article I would like to discuss, in detail, form permissions, code access permissions and how to create security policies using the extensible data security (XDS) method.

Form Permissions

Each form in the Application Object Tree (AOT) has a permissions node. It contains either four or five sub-nodes - Read, Update, Create, Delete and Correct. Now, correct is only displayed if a table in the form has Date Effective data.

Further, under the above nodes are four additional nodes - Controls, Tables, Server Methods and Associated Forms. When we add a table to a form data source, this table is automatically added to the Tables node for each of the Permissions sub-nodes.  In addition, each of the nodes under the Tables node has an EffectiveAccess property which sets what access is allowed to the table and the EffectiveAccess property is automatically set based on properties on the data source.  

So, this is where all makes sense, if the data source property AllowDelete is set to No, the EffectiveAccess property is set to Update. If the data source property AllowEdit is set to No, the EffectiveAccess property is set to Read.

NOTE: To set the security access for a form control, we need to set the Securable property on the control to Yes. Then, this control can then be added to the Controls node under each of the permissions nodes.

Code Permissions 

These are a set of custom permissions that are created manually in the AOT under Security > Code Permissions.

For example, action menu items, can use these by setting the LinkedPermissionType property to CodePermission and the LinkedPermissionObject to the name of the code permission. Now, the great benefit about code permissions is that it can be extended to Service operations as well. This can be done by setting the Code Permission property under the Service operation > Operation method > Permissions > Associated Code Permissions node.

The following image depicts an access to post a Free-Text Invoice

Security policies - Developing an XDS Policy 

The following walkthrough will show how to create a security policy that limits users from viewing other user’s prospects. This can be seen a lot in a sales environment, where one sales person does not want the other to see his/her prospects, well who wouldn’t?

So for this example, we are going to use the smmBusRelTable where leads can hopefully become the future buyers of our products.

A lead/prospect is stored in smmBusRelTable, and the employee who is responsible for the prospect is stored in the MainContactWorker field.  In AX 2012, an employee is connected to the current user through the DirPerson and DirPersonUser tables.

There are two stages in creating the XDS policy:

1-      Create the policy query.

2-      Create the security policy.

Creating a Policy Query 

The steps to create the policy query are as follows:

1. In the AOT, create a new query, rename it to HcmWorkerUser.
2. From a second AOT, locate the table Data Dictionary > Tables >  HcmWorker. Drag the table HcmWorker to the Data Sources node of the query.
3. In the property sheet of the Fields node of the HcmWorker_1 data source, set the Dynamic property to Yes.
4. From the second AOT (Press CTRL + D to open a new AOT), locate the table Data Dictionary > Tables > DirPerson.
5. Drag the table DirPerson to the Data Sources node of the HcmWorker_1 data source.
6. In the property sheet for the DirPerson_1 data source, set the Relations property to Yes.
7. In the property sheet for the Fields node of the DirPerson_1 data source, set the Dynamic property to Yes.
8. From the second AOT, drag the table DirPersonUser to the Data Sources node of the DirPerson_1 data source.
9. In the property sheet for the DirPersonUser_1 data source, set the Relations property to Yes.
10. In the property sheet for the Fields node of the DirPersonUser_1 data source, set the Dynamic property to Yes.
11. Right-click the Ranges node of the DirPersonUser_1 data source, and select New Range.
12. In the property sheet for the new range, set the Field property to User, and the Value property to (currentUserId()) as it appears.
13. Save your changes to the query.

Creating a Security Policy 

Follow these steps to create the security policy:

1. In the AOT, expand the Security node.
2. Right-click the Policies node and select New Security Policy.
3. In the property sheet for the security policy, set the Name property to SmmBusRelUser, set the Label property to Limit Prospects by User, set the Primary Table property to HcmWorker, set the Query property to HcmWorkerUser, set the ContextType property to RoleName, set the RoleName property to TradeSalesRepresentative, and set the Enabled property to Yes.
4. Expand the SmmBusRelUser security policy.
5. Right-click the Constrained Tables node and select New > Add table by relation.
6. In the property sheet for the new constrained table, set the Table property to smmBusRelTable, set the TableRelation property to MainContactWorker. Save your changes to the policy.

Now, if you were to login with the name of a sales person, you could see that you will only have access (view) your prospects because when creating the policy query we set the currentUserId() to the value of the query range.  Also, because a user is related in DirPerson and DirPersonUser tables, the policy is able to associate the user id with records in the smmBusRelTable.

That is all for now, and stay tune for the next series of security for developers as I will go in detail on consuming a secured class and setting authorization for display methods.

Until then!



Enterprise Portal authentication in Microsoft Dynamics AX 2012 – Finally something that makes sense!

In AX 2012 there is a new authentication terminology - Pluggable authentication. This type of authentication allows users who are not part of Active Directory access to the AX 2012 Enterprise Portal.

In a nutshell, AX 2012 integrates with SharePoint Pluggable Authentication, which provides authentication to external Enterprise Portal users that are not part of an organization's Active Directory.

Further, Pluggable Authentication provides an administrator three additional forms of authentication in addition to Active Directory:

1.       Active Directory Federated Service: Allows users who are associated with an external Active Directory to access Enterprise Portal.

a.       When an ADFS user is removed from the external Active Directory that user does not have access to Enterprise Portal.

2.       Forms Based Authentication: Allows users to authenticate against a custom database of users.

3.       Live Id: Users can authenticate to Enterprise Portal by using Windows Live Id.

See the following diagram:

For more information on the new Enterprise Portal changes in AX 2012 visit http://msdn.microsoft.com/en-us/library/gg845087.aspx#BKMKPluggableAuth

In addition, Brandon George has a really good post about the new Security Architecture in his blog, Check it out

http://dynamics-ax.blogspot.com/2011/06/microsoft-dynamics-ax-2012-security.html

Take care!

Microsoft Dynamics AX 2012 - Basic Security Concepts

Hi there!

In AX 2012, role based security provides an extensible framework for defining access to the Microsoft Dynamics AX application and data. It changes a little bit from what we know in ax 2009.

In AX 2009, administrators had to, literally, create their own user groups and manually assign users to those groups.  Also, in order give permission to a user group to execute a particular operation, the administrator had to identify objects, such as tables, fields, and menu items that were required for the operation, which was a pain in AX 2009 as identifying these elements was time consuming.

However, in AX 2012, security is role-based, and many security roles are predefined by the application to make the setup portion of it easy for us. Now, it is important to really comprehend this positive change as in role-based security, users are assigned to roles based on their responsibilities in the organization and their participation in business processes.  In fact, AX 2012 introduces duties, which are a group of privileges (See a short definition below). In addition, an administrator no longer has to identify application objects and grant access to those objects. Instead, the administrator grants access to the duties that users in a role perform and that's it.

In addition, in AX 2012 all permissions for all application objects have been grouped into task-based privileges and duties.  This means that an administrator only has grant access to the Maintain sales order duty, which includes all of the permissions that are required to view, create, modify, and delete sales orders.

Another interesting change has been the concept of reusable permissions.  I don’t know if you had the chance to work with multiple companies in AX 2009, but you couldn’t allow user groups could not span multiple companies. As a matter of fact, if the same functional role was required in two companies, an administrator had to create two user groups and so on and so forth. You know where I’m going with this, right?

In terms of record-level-security, this function is still available in AX 2012, but it will be removed in future versions. In ax 2012, the data security framework I used to help secure the data and take security privileges into account. For example, an administrator can grant View access to one subset of Purchase Orders and Edit access to another subset of Purchase Orders.

There are a few definitions about the AX 2012 security terminology I would like to share with you:

A security role represents a behavior pattern that a person in the organization can play. A security role includes one or more duties.

A duty is a responsibility to perform one or more tasks.  A duty includes one or more privileges.

Privileges specify the access that is required to perform a duty.  A privilege includes one or more permissions.

Permissions include the access level to one or more securable objects that are required to perform the function associated with an entry point.

For more information on AX 2012 security you can go to http://technet.microsoft.com/en-us/library/gg731787.aspx

Take Care!

AX 2012 - New Improvements in Data Security

The new version of AX offers many new features to all of us. These go from development improvements to data security, which is the one topic I would like to focus on in this post.

The following are the improvements with regard to data security:

• Role-based security
• Server-enforced security
• Extensible data security framework
• Flexible authentication

Role-based security
Data security is much easier to manage. In AX 2012, users are assigned to roles based on the duties and responsibilities they have and access is granted based on those roles. This change puts an end to the tedious and time-consuming process of assigning users based on application objects. Once set up, role assignments can easily be updated based on the business data.


Server-enforced security
Authorization is performed on the server rather the client, consistently enforcing permissions on protected fields regardless of the type of client. The server sends the client only the information that the user has been granted access to, resulting in increased data security.


AX 2009 did not offer the facility to use data security based on effective date. However, in AX 2012 administrators can specify whether users have access to past, present, or future records with different levels of access, which creates much for flexibility to all the different iteration in the use of data throughout the life of the application.

Further, the new version can also be used to create data security policies based on data contained in a different table.

For example, in previous versions you could not filter sales lines by customer location because those were stored in different tables, but the new version makes that totally possible.

Data security policies are enforced at the server regardless of the type of client used to access the data.

Flexible authentication
Authentication of users by methods other than Active Directory allowing external users to access Dynamics AX without a required domain account.