Friday, July 20, 2018

D365/AX7 - Manage data access using AOS Authorization


Overview

Some database tables contain sensitive data that needs to be secured at an additional level beyond security roles and privileges. Data such as employees' personal details and salary details, or the financial data of the organization, should be viewable or manageable only by designated personnel of the organization. In Microsoft Dynamics AX, this level of security can be imposed on the data through AOS Authorization.
AOS Authorization is a property associated with the TPF, i.e. the Table Permissions Framework in Dynamics AX. It adds an additional level of security to tables containing sensitive data and allows the administrator to manage access to such data.
When an attempt is made to access or perform any operation on a TPF-protected table, the AOS verifies whether the user is authorized to perform that action on the table. If the user does not have the appropriate permissions, the AOS does not complete the operation. These operations can be read, create, update or delete.


AOS Authorization Property

AOS authorization is enabled on a table through the table's AOS Authorization property. The possible values for this property are:
· None
· CreateDelete
· UpdateDelete
· CreateUpdateDelete
· CreateReadUpdateDelete

The default value of the AOS Authorization property on any table is None. If, for example, AOS Authorization is set to CreateDelete on a table, the AOS checks that the user has the appropriate permissions for Create and Delete operations on that table. If the user lacks the required permissions, the application throws an exception. The remaining operations, i.e. Read and Update, are not checked by the AOS.

The AOS performs the authorization of TPF-protected tables through the following table methods.

· aosValidateDelete
· aosValidateInsert
· aosValidateRead
· aosValidateUpdate


Creating Security Roles for TPF-Protected Tables

Suppose a report in Dynamics AX contains sensitive data related to an employee along with other basic information. If that sensitive data is held in a table whose AOS Authorization property is set to CreateReadUpdateDelete, the report might not execute successfully for a user who has not been granted at least Read permission.
When creating the security privilege for a report that gets data from TPF-protected tables, we need to add the given table to the security privilege and specify permissions explicitly for that table.
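
The property values and the report scenario above can be checked together before a privilege is deployed. The following is an added example, not code from the original post and not Dynamics AX code: a simplified Python model of the AOS authorization check only, in which the table names, the privilege names and the representation of grants as explicit sets of operations are all assumptions.

```python
# Simplified model (assumption): a privilege grants an explicit set of
# operations per table. Only the AOS Authorization check is modelled.
CHECKED_OPS = {
    "None": set(),
    "CreateDelete": {"create", "delete"},
    "UpdateDelete": {"update", "delete"},
    "CreateUpdateDelete": {"create", "update", "delete"},
    "CreateReadUpdateDelete": {"create", "read", "update", "delete"},
}

def aos_blocks(aos_authorization, operation, granted_ops):
    """True if the AOS would refuse `operation` on a table with this setting."""
    checked = CHECKED_OPS[aos_authorization]
    return operation in checked and operation not in granted_ops

def audit_privilege(privilege, table_settings):
    """Return (table, operation) pairs the privilege needs but the AOS would refuse."""
    findings = []
    for table, needed_ops in privilege["uses"].items():
        setting = table_settings.get(table, "None")  # None is the default value
        granted = privilege["grants"].get(table, set())
        for op in sorted(needed_ops):
            if aos_blocks(setting, op, granted):
                findings.append((table, op))
    return findings

# Constructed sample data; table and privilege names are hypothetical.
TABLE_SETTINGS = {
    "EmployeeSalary": "CreateReadUpdateDelete",
    "EmployeeBasic": "None",
    "PayrollAdjustments": "CreateDelete",
}
REPORT_PRIVILEGE = {
    "name": "EmployeeSummaryReportView",
    "uses": {"EmployeeSalary": {"read"}, "EmployeeBasic": {"read"},
             "PayrollAdjustments": {"read"}},
    "grants": {},  # no table permissions added to the privilege yet
}
# Same privilege after adding the protected table with an explicit Read grant.
FIXED_PRIVILEGE = dict(REPORT_PRIVILEGE, grants={"EmployeeSalary": {"read"}})

if __name__ == "__main__":
    for priv in (REPORT_PRIVILEGE, FIXED_PRIVILEGE):
        print(priv["name"], audit_privilege(priv, TABLE_SETTINGS))
```

Only the table set to CreateReadUpdateDelete is flagged for the report: the read on the CreateDelete table passes because Read is not among the operations that setting checks.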
