The security tool in Microsoft Dynamics AX Security 2012 R3 is built to help organizations create and manage secure ERP implementations. Illustrated with MorphX, X++ coding, snapshots, and figures, this chapter intends to provide you with the basics to transform the knowledge to seamlessly implement security configurations into practical steps that are needed to develop an efficient security environment. In this chapter, we will broadly look at:
Introducing the MorphX development tool
Developing a security artifact using AOT
Validating and testing a security privilege
Applying a configuration key
By going through this chapter, you will briefly know the fundamentals and security concepts in the Microsoft Dynamics AX product. The security architecture in the Microsoft Dynamics AX product consists of the infrastructure security and the application security (https://technet.microsoft.com):
The logical view of Microsoft Dynamics AX system architecture
The different blocks in this architecture are as follows:
Infrastructure security: The Microsoft Dynamics AX infrastructure is based on the following features:
Active Directory services
Integrated windows authentication
Computer networking
Secured servers' machine
Application security: Application security has the same features as those listed for infrastructure security and includes the following additional features:
Active Directory users added to Microsoft Dynamics AX and granted access to use the application
Domains that are groups of the company accounts in Dynamics AX
Record-level security to restrict or permit users to access specific fields and tables
Security keys that allow users to access specific forms, reports, or menus
By focusing on application security, we are going to break it down into the following points that should be considered when securing the Dynamics AX server:
Application file server: The application files should be restricted to the application object server domain account
Database server: The database server should be secured using the recommended SQL server security solution
Application Object Server (AOS): The AOS should be restricted to the log directory for only the AOS account directory and the administrator
Enterprise Portal: Securing the Enterprise Portal starts with Microsoft Internet Information Services (IIS) using the Secure Sockets Layer (SSL) and another built-in feature called Business Connector
This is the high-level security architecture of the Microsoft Dynamics AX product that you should gain knowledge about before proceeding to the security features that enable administrators, technical consultants, and programmers to secure the application. We are going step by step to deliver proper experience and practices through this chapter.
Microsoft Dynamics AX includes a set of tools, and one of the most powerful is the MorphX development tool, which you can use to build and modify Microsoft Dynamics AX business applications. With the MorphX tool, you can create, view, modify, and delete the application model elements that contain metadata, structure, properties, and X++ code, such as tables, fields, indexes, relations, methods, and so on.
To illustrate the concept of MorphX, assume that you have the license to Microsoft Dynamics AX and you need to edit and develop any object in the standard ERP package. Therefore, this development tool will help you extend the existing functionality to fit your organization's requirements and needs as used by Microsoft to develop the application modules.
You can access these development tools from the following places:
In the development workspace's Tools menu
In the context menu of elements in Application Object Tree (AOT)
Note
To enable the development mode in Microsoft Dynamics AX 2012, press Ctrl + Shift + W to launch the development workspace.
The following table lists the MorphX tools and their purpose:
The AOT is the main development menu in Microsoft Dynamics AX. It is easy to navigate through the AOT using the arrows keys on the keyboard.
The root of AOT contains element categories such as:
Data Dictionary
Classes
Tables
Forms
Macros
Parts
Data Sets
SSRS Reports
Reports
Note
Before practicing effectively on AOT, understand the naming structure of all elements. There are thousands of elements that exist in AOT.
The elements are arranged alphabetically and named by the following structure:
(Business Area Name) + (Functional Area) + (Action Performed or Type of Content)Ex: CustPaymReconciliationImportBusiness Area: Cust = Customer
Functional Area: PaymReconciliation = Payment Reconciliation
Action Performed: Import = Import
The element categories are shown in the following screenshot:
You can create elements in the AOT node by following the next steps:
Right-click on the element category node.
Select New <Element Type>.
When you create a new element, generated names are automatically given, and you can replace the default name with a new name.
The X++ code editor is a text editor that contains multiple features that you can find in Visual Studio, such as scripting, multiediting, word completion, and so on.
You can write all the X++ code with the X++ code editor by selecting a node in the AOT and pressing Enter. As shown in the following screenshot, the X++ editor contains two panes (the left-hand side pane and the right-hand side pane). The right pane shows the X++ code for the method selected in the left-hand side pane:
The following table lists the shortcut keys for the X++ code editor:
|
Shortcut keys |
Action |
|---|---|
|
F1 |
Shows the help window |
|
F4 |
Goes to the next error |
|
F5 |
Executes the current element |
|
F7 |
Compiles |
|
F9 |
Toggles a breakpoint |
|
F12 |
Goes to the implementation (drilled down in the code) |
|
Esc |
Cancels the selection |
|
Ctrl + X | |
|
Ctrl + I |
Incremental search |
|
Ctrl + E, C |
Comment selection |
|
Ctrl + E, U |
Uncomment selection |
|
Ctrl + Tab |
Goes to the next method |
|
Ctrl + Shift + Tab |
Goes to the previous method |
|
Alt + R |
Run and editor script |
|
Alt + Shift + arrow keys |
Enables block selection |
|
Ctrl + Alt + Spacebar |
Opens the Label editor |
|
Ctrl + Shift + Spacebar |
Shows the method parameter help |
|
Ctrl + Shift + F9 |
Removes all breakpoints |
The X++ code editor contains a set of editor scripts that you can invoke by clicking on the script icon on the X++ code editor toolbar, or you can type the name of the script + Tab in the editor. You will notice that there are built-in scripts such as:
Send to the file
Send to the mail recipient
Open the AOT for the element related to the method selected
Generate the code for standard code patterns such as the
main,construct, andparmmethods
The X++ compiler is a bottleneck for anything you build or install in your own scenarios across the system modules; just as you should compile any programming language, the X++ compiler can compile your code and produce a lot of information such as compiler errors, compiler warnings, and tasks.
In earlier versions of Microsoft Dynamics AX, the compiling processes were designed in three phases:
Declaration and method signatures.
Metadata validation and p-code generation.
Recompilation of elements that had preliminary errors.
Note
In earlier versions in Microsoft Dynamics AX, the phases were:
1. The compilation happens in the client.
2. Metadata is exchanged from SQL to the client and back to SQL.
3. A long compiling duration happens due to deserialization of metadata in memory cache.
In the Microsoft Dynamics AX 2012 R3 compiler, enhancements have been made from an architectural concept that makes the compiling process more productive and faster than in earlier versions.
Note
In the Microsoft Dynamics AX 2012 R3 compiler, the following processes happen:
The compilation happens on the AOS
Error logs are generated in each AOS
No metadata exchange
X++ execution time during the compilation has been reduced
More available memory and no cache
Note that you can compile X++ code to common intermediate language (CIL) used by .NET Framework to improve the performance.
X++ code is compiled to p-code and the last code is compiled to CIL by following this path: AOT | Add-ins | Incremental CIL generation from X++.
Depending on your process, the performance improvement can be between 0 and 30 percent. Therefore, you will have to test to know whether performance improves by running your process in CIL.
The debugger is a standalone application and is not part of the Microsoft Dynamics AX shell. The debugger allows the debugging of X++ code in any of the following Dynamics AX components:
Microsoft Dynamics AX client (the Tools menu | Options | Development | Debug).
AOS. From AOS, navigate to the MS Dynamics AX server configuration utility | Start | Administrative Tools | Microsoft Dynamics AX 2012 Server Configuration | Create a new configuration. Select the Enable breakpoints to debug X++ code running on this server checkbox.
Business Connector. For enterprise portals, navigate to the MS Dynamics AX server configuration utility | Start | Administrative Tools | Microsoft Dynamics AX 2012 Configuration | Create a new configuration. Select the Enable global breakpoints to debug code running in the Business Connector or client checkbox.
For the debugger to start, a breakpoint must be hit when the X++ code is executed. You set breakpoints using the X++ code editor in the Dynamics AX development workspace. The debugger starts automatically when any component hits a breakpoint.
In AOT, you can use projects to group and structure elements according to your preference. A project is a powerful tool in the AOT because you can collect all the elements you need for a feature in one project. Projects can be opened from the AOT by clicking on the project icon in the toolbar.
When you create a new project, you should decide whether it should be shared among all developers or between private developers. You can use the Drag and Drop feature to move a project from shared to private or vice versa.
You can determine a start up project that opens automatically when Microsoft Dynamics AX is started by specifying a certain project in the options form.
Properties are the backbone of the metadata system; each property is a key and value pair. You can use the property sheet to inspect and modify properties of elements.
By default, the property sheet appears when opening the development workspace. It is automatically updated to show properties for any element selected in the AOT.
The property sheet contains two columns: the key and the value pairs for each property.
In the Categories tab on the property sheet, you will find a lot of information related to the selected element, for example, CreationDate, CreatedBy, CreationTime, ChangedBy, and so on:
Docking the property sheet on either side of the screen is very easy, and this can be done by right-clicking on the title bar.
Also, you will notice that there are elements that have time values and user information at the end of every property sheet, and the read-only properties appear in the gray label editor.
The label editor in Microsoft Dynamics AX 2012 is a text resource that is used throughout the whole product. It is a way to help you know more details about any element (the column header, the name of the form in the window, the help text in the status bar, captions on forms, and texts on Web forms).
You can use the label editor as a useful tool to help you when creating support service on Microsoft Dynamics AX or to know where an error message is produced, and this will give you more information related to the element selected.
Labels are localizable, and this means that they can be translated into most languages, because text resources are kept in a Unicode-based label file that must have a three letter identifier (for example, @SYS1234).
The structure of the label file is very simple:
@<Label File Identifier><Label ID><Label Text>
Tip
Downloading the example code
You can download the example code files from your account at http://www.packtpub.com for all the Packt Publishing books you have purchased. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
You can create new label files using the Label File Wizard, and you can access it directly from the Label Files node in the AOT or from the Tools menu | Wizards | Label File Wizard.
The concept of a cross-reference tool is very simple; if you have two elements (X and Z) and you want to know which one is in use by the other one, with cross-reference you can determine which elements are in use and which elements out of use.
These relationships between objects or elements are being recorded, so it is easy for you to track changes you or others made previously on all elements, so to keep yourself updated with this information, you must update the cross-reference tool regularly to ensure accuracy. This update will take several hours because it also compiles the entire AOT.
Note
To update the cross-reference tool, go to Tools menu | Cross-reference | Periodic | Update.
When the cross-reference tool is updating, it scans all metadata and X++ code.
To preview the whole list of cross-referenced elements, open the AOT, expand the SystemDocumentation node, and then click on Enums and xRefKind.
By pressing Ctrl + F from any node in the AOT, a Find window appears. It contains most of the useful tools to search for anything in Microsoft Dynamics AX application.
The Find tool contains multiple tabs such as Date, Advanced, Filter, and Properties.
For the Date tab, you can specify a range of dates for your search, such as the modified date and who they were modified by.
In the Advanced tab, you can specify more advanced settings for your search, such as the layer to search, the size range of elements, the type of element, and the tier on which the element is set to run.
On the Filter tab, you can write a more complex query by using X++ and type libraries.
The Properties tab appears when All nodes is selected in the Search list. You can specify a search range for any property. Leaving the range blank for a property is a powerful setting when you want to inspect properties; it matches all nodes, and the property value is added as a column in the results.
The results appear at the bottom of the dialog box as they are found.
The Find tool searches the selected node and related subnodes in the AOT, and if you want to search several nodes, you can mark the Use selection checkbox; by unmarking this feature, you will disable this feature.
Table browser is just a standard form that uses IntelliMorph to view and edit data in tables. You can use this helpful tool in numerous scenarios, such as debugging, validating data, modifying, cleaning data, and so on.
The table browser tool is implemented in X++, and you can find it in the AOT under the name SysTableBrowser.
To open the table browser:
Locate the table that you want to view in the AOT.
Right-click on the table and then navigate to Add-Ins | Table browser. Alternatively, you can right-click on the table and select Open.
The table browser displays data from all fields in the table.
In Microsoft Dynamics AX 2012 R3, the table browser tool can be used to run SQL statements by entering the SQL statement in the textbox and just clicking on the Execute button to run the SQL against the data source.
You can use the Autoreport field group to make it easy for you to find the values you are looking for in tables that have many fields.
The best practice tool is embedded in the compiler, and its main function is to detect defects and risky code patterns in the X++ code. It is used when making customizations in the application and it is useful to decrease the time and cost that occurs when implementing the application or for any maintenance of the system.
It is the MorphX version of a static code analysis tool that allows any developer to run an analysis of his or her code and application model to ensure that it conforms to a set of predefined rules (400 rules) by displaying deviations from the best practice tool in the compiler output window.
Note
To turn off the best practices tool, go to Tools menu | Options | Development | Compiler and set the Diagnostic Level value below 4.
The majority of the 400 rules focus on errors and warnings, and the best practice tool allows you to suppress errors and warnings and identify the deviation as reviewed and accepted.
To identify a suppressed error or warning, place a line containing the following before the deviation:
//BP Deviation Documented.
Reverse engineering is a general process of analyzing a specific technology to know how it was designed or how it operates. One of the best known tools in the world is located in Microsoft Dynamics AX as UML.
UML is a general modeling language in the field of software engineering, which is designed to provide a standard way to visualize the design of the system.
In Microsoft Dynamics AX 2012, you can generate UML Visio models from your existing metadata or an entity relationship data model and see how they relate to each other in a visualization mode. You must have Visio 2007 or higher to use the reverse engineering tool.
To open this tool, from the Tools menu, select Reverse engineer; then select the model type as Visio UML Data model.
This tool deals with projects, so you will have to select either Private project, Shared project, or Perspective.
When you click on the OK button, all the elements in the selected project generate a Visio document that opens automatically, and any relationships between any elements will be easily visible to you.
A security artifact is an architect of a security system within an entire system or application environment. In Microsoft Dynamics AX 2012, the security system contains the following artifacts (ordered by hierarchy):
Policies: Security policies are a set of security roles that control the working environment
Security role: This represents the scope of work for every person in the organization
Duties: These are responsibilities that perform tasks for a specific business objective or process cycle, and they contain a set of application process privileges
Privileges and permissions: These are a group of access rights granted to users
The following screenshot shows the security artifacts that you can develop from the AOT to build your security environment:
The first step is to control access to the data in any form in the AOT; if you open any form in the AOT, you can set permissions to CRUD:
Create
Read
Update
Delete
These types of permission are set automatically for tables that are used in the form (CRUD; this function is called auto-inference. Auto-inference configures table permissions in a form (CRUD), and the system automatically adds or updates the (CRUD) nodes by navigating to AOT | Forms | <FormName> | Permissions.
You can set up the permission manually, and you can do this not only for a form, but also for several AOT elements that include:
Services | <ServiceName> | Operations | <OperationName>
Reports | <ReportName>
Parts | Info Parts | <InforPartName>
Forms | <FormName>
Web | Web Files | Web Controls | <WebControlName>
Privileges are a set of permissions that provide access to a securable object. It is the second step after specifying permissions when developing a security artifact.
Using the auto-inferred table permissions and securing menu items with privileges, you can control access to the data in a form.
In the preceding screenshot, the AccountDistCustFreeInvoiceMaintain privilege contains an entry point, AccountingDistCustFreeInvoice. This is a menu item that points to a form.
In the Properties tab, the AccessLevel value is set to Delete, and this means that when a user accesses the form through this particular menu item, the security framework in MS Dynamics AX will be under the Permissions | Delete node in this form and will grant access to the tables that are listed under that node.
In this example, you will notice a relation between the privileges, entry points, and permissions that determine the user access permissions if they access this privilege through a security role.
Note
The menu items in the AOT act as a higher layer of abstraction for a form, reports, and so on, and it contains a complete list of the items that can be presented in a menu.
Each menu item has the following security properties:
Create permissions
Read permissions
Update permissions
Correct permissions
Delete Permissions
These properties can refer to the nodes under this: AOT | Forms | <FormName> | Permissions.
Entry points refer to a programming object that is at the start of an application functionality and can be directly associated with privileges.
Entry points can be referred to a lot of object types, such as form, job, info part, query, report, SSRS report, and class.
For example, for an entry point referring to a menu item that is referring to a form, permissions are defined in the AOT node as Permissions | Form | Menu Item | Entry Point (on a privilege).
The following figure (Developer Network on http://msdn.microsoft.com) illustrates the sequence of using auto-inferred permission:
As a security best practice, you have to check the following:
After you implement the data security structure in Microsoft Dynamics AX 2012, you will want to make sure that you make accurate changes. For the testing process, you need to do the following:
Create a role by navigating to AOT | Security | Roles.
In the AOT, assign the appropriate duty or privilege to the new role.
Create a test user account (such as
axtest3) by going to System Administration | Common | Users | Users.Assign the user to a role by going to System administration | Setup | Security | Assign users to roles.
Start the application with a command line or shortcut that is similar to the following (wrapped lines):
%windir%\system32\cmd.exe /c runas /savecred /user:mywindowsdomain\axtest3 "C:\Program Files (x86)\Microsoft Dynamics AX\6.0\Client\Bin\Ax32.exe"
Configuration keys allow administrators to set the security for a user group by minimizing access to a user group to reduce the potential attacks.
The benefit of the configuration key is to protect sensitive data in the database and prevent users from changing code and objects in the application.
Configuration keys are applied for the following:
Tables
Fields
Views
Menus
Menu items
Form controls
Indexes
Extended data types
Report controls
The following screenshot shows the configuration keys:
To create a configuration key, follow these steps:
Expand the Data Dictionary node in the AOT.
Right-click on the Configuration Keys node and select New Configuration Key.
Right-click on the configuration key and click on Properties.
Rename the configuration key by modifying the Name property.
Right-click on the object and click on Create in the shortcut menu.
Right-click on the object and click on Save in the shortcut menu.
Note
When you disable a table in the configuration key that is listed in the AOT in Microsoft Dynamics AX 2012, you must decide whether to manually delete the data that is in the table or not. In the earlier versions of Microsoft Dynamics AX, when you disable a table in the configuration key, the table is dropped from the SQL Server and all the data is deleted. This change happened in AX 2012.
Through out this chapter, you got a solid introduction to the MorphX development tools. Now, you can use each development feature in a smooth and fast way. Besides developing a security artifact by creating privileges and permissions and assigning them to each other, you are now able to validate, test, and debug the security privileges and roles that you created previously. This is a good start that will make you go through the advanced topics coming next.
In the next chapter, we will learn about the fundamentals of security coding using X++, code access security, security debugging, security in display and edit methods, and the Table Permissions Framework.
