Microsoft Dynamic AX 2009 : Configuration and Security - Security Framework (part 3) - Security Coding

11/16/2013 2:56:14 AM

3. Security Coding

In this section we cover the Trustworthy Computing features of Dynamics AX, focusing on how they affect security coding. We describe table permissions, code access security, impersonation in batch execution, and the best practice rules for ensuring deployment-wide compliance.

Table Permissions

The table permissions framework provides security for tables that reside in the database and are available through the AOT. Annotating specific create, read, update, and delete operations on tables, combined with assigning user group permissions on tables, enables the AOS to authorize individual user permissions on tables.

The AOSAuthorization property specifies the operations that can be performed on a table when combined with user permissions set on the User Group Permissions form. Figure 5 shows the table property form and values for AOSAuthorization.

Figure 5. Table property form

The AOSAuthorization property is an enumeration with the possible values described in Table 1.

Table 1. AOSAuthorization Values
NoneNo AOS authorization validation is performed (default value).
CreateDeleteCreate and delete authorization validation is performed on the AOS.
UpdateDeleteUpdate and delete authorization validation is performed on the AOS.
CreateUpdateDeleteCreate, update, and delete authorization validation is performed on the AOS.
CreateReadUpdateDeleteAll operations are validated on the AOS.

To secure the database tables even further, you must have a set of data manipulation language (DML) validation routines at the AOS server location when inserting, reading, updating, or deleting records from the database tables. The following four system-defined methods are included in the Override Method group to support the routine validation, located in the AOT under Data Dictionary\Table\Methods:

  • AOSValidateDelete

  • AOSValidateInsert

  • AOSValidateRead

  • AOSValidateUpdate

Table 2 describes the behavior of the AOS when authorizing an authenticated user on a table, including the user group permissions setting and the AOSAuthorization property value.

Table 2. AOSAuthorization Property Values
  Property Value
User Group Access ValueNo accessSuccessFailureFailureFailureFailure
Full controlSuccessSuccessSuccessSuccessSuccess

Code Access Security

The code access security (CAS) framework provides methods that can make dangerous APIs more secure against invocation attempts by nontrusted code (code that doesn’t originate in the AOT). If you extend the CodeAccessPermission class, a derived class can determine whether code accessing the API is trusted by checking for the appropriate permission.

If the API executes on the server tier, the impact of malicious code that could exploit the API is more severe in a shared environment, so you must secure the API. To secure a class that executes on the server tier, follow these steps:

Derive a class that can’t be extended from the CodeAccessPermission class.

Create a method that returns the class parameters.

Create a constructor for all the class parameters that store permission data.

Override the CodeAccessPermission::isSubsetOf method to compare the derived permission class with CodeAccessPermission to determine the existence of the required permissions for invoking the API you want to secure.

Override the CodeAccessPermission::copy method to return a copy of an instance of the class created in the first step. This step helps prevent the class object from being modified and passed to the API that is being secured.

Call the CodeAccessPermission::demand method before executing the API functionality that you’re securing. The method checks the call stack to determine whether the permission required to invoke the API has been granted to the calling code.

Additional information about code access security and securing APIs is available in the Microsoft Dynamics AX 2009 SDK.

Batch Jobs

Dynamics AX 2009 introduces a new and more secure type of batch framework that is completely server bound. Rather than having to start a client and open the Batch Processing form, you can now schedule a batch job so that the server automatically picks up and executes it at a given time.

A batch job can be composed of multiple batch tasks that can be executed in sequence or in parallel. For a batch task to run on the server using the new batch framework, the job must use the runAs function. When this type of batch processing is used, the user who initiates the batch processing can’t interact with the batch task or view its output. In addition, the task must not access any client-side resources while executing.

Dynamics AX 2009 also continues to support batch processing that doesn’t use the runAs function and requires the client to execute. And if you need to, you can easily update old batch-enabled classes to use the runAs function.


When you move batch tasks to the runAs function, you must ensure that there are no additional Dynamics AX application runtime interactions.

To identify possible runtime interactions, use any of the following approaches:

  • Perform a manual code review.

  • Identify transition exceptions in the Infolog by converting the X++ class to a server-bound batch job (as in the following syntax example), submitting the X++ class for batch processing, and checking the Infolog for transition exceptions.

  • Identify client/server interactions using the client/server trace by submitting the unmodified X++ class for batch processing and checking the client/server trace for client/server interactions.

If you discover any runtime interactions, you should eliminate them by refactoring the application logic involved. When the class is ready to use the runAs function, you must override a method shown to return true, as shown here.

public boolean runsImpersonated()
return true;


Batch jobs in Dynamics AX 2009 can contain a mixture of legacy and new batch tasks. The tasks that use the new framework automatically execute on the server, whereas the legacy tasks require the batch processing form on the client to be running.

Best Practice Rules

The Best Practice tool can help you validate your application logic and ensure that it complies with the Trustworthy Computing initiatives. The rules that apply to Trustworthy Computing are grouped under General Checks\Trustworthy Computing in the Best Practice Parameters dialog box, as shown in Figure 6. The Best Practice Parameters dialog box is accessible from Tools\Options.

Figure 6. Best Practice Parameters dialog box with Trustworthy Computing rules
  •  Microsoft Dynamic AX 2009 : Configuration and Security - Licensing and Configuration
  •  Microsoft Dynamic AX 2009 : Configuration and Security - IntelliMorph
  •  Microsoft Dynamic AX 2009 : Reflection APIs (part 3) - Treenodes API
  •  Microsoft Dynamic AX 2009 : Reflection APIs (part 2) - Dictionary API
  •  Microsoft Dynamic AX 2009 : Reflection APIs (part 1) - Table Data API
  •  Microsoft Dynamic AX 2009 : Reflection System Functions
  •  Microsoft Enterprise Library : Banishing Validation Complication - Diving in With Some Simple Examples (part 4)
  •  Microsoft Enterprise Library : Banishing Validation Complication - Diving in With Some Simple Examples (part 3)
  •  Microsoft Enterprise Library : Banishing Validation Complication - Diving in With Some Simple Examples (part 2)
  •  Microsoft Enterprise Library : Banishing Validation Complication - Diving in With Some Simple Examples (part 1)
    Most View
    Microsoft Surface RT – A Cleverly Designed Tablet
    SQL Server 2012 : SQL Server Security Overview
    Nuance Dragon Dictate For Mac 3 - Speech Recognition Software
    Acer Aspire V5 Touch – Best Of All Worlds
    Windows Server 2008 and Windows Vista : Item-Level Targeting (part 7) - Item-Level Targeting Controls, Common Item-Level Targeting Scenarios
    The Real 3D Experience
    ASRock Z77 Extreme4 Motherboard
    Sinclair ZXS1 Kits (Part 1)
    Windows Vista : Sending and Receiving Faxes (part 2) - Working with Fax Cover Pages, Receiving Faxes
    Windows 8 : Managing BitLocker and other policy-based mobility tools (part 4) - Configuring policy settings for offline files
    Popular Tags
    Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS
    Top 10
    Review : Acer Aspire R13
    Review : Microsoft Lumia 535
    Review : Olympus OM-D E-M5 Mark II
    TomTom Runner + MultiSport Cardio
    Timex Ironman Run Trainer 2.0
    Suunto Ambit3 Peak Sapphire HR
    Polar M400
    Garmin Forerunner 920XT
    Sharepoint 2013 : Content Model and Managed Metadata - Publishing, Un-publishing, and Republishing
    Sharepoint 2013 : Content Model and Managed Metadata - Content Type Hubs