The Extensible Data Security (XDS) architecture is a feature in D365 Finance and AX 2012 that allows users to complement role-based security by restricting access to one or more tables based on policy. This feature evolved from the record-level security that existed in prior versions of Dynamics AX.
Simply put, XDS adds a WHERE (or ON) clause to any SQL SELECT, UPDATE, DELETE, or INSERT operation performed on a table, using parameters from another linked table.
In this article, we will talk about everything you need to know about XDS security roles in D365 before you assign roles. It is important to understand the duties and privileges of each to make a careful decision.
Setup - Developing an Extensible Data Security Policy
Before you begin designing XDS policies, there are a few things you should understand and keep in mind:
- Understand the scenario requirement/use case for why you’re using XDS.
- Determine the constrained and primary tables, then examine the links between them.
- Examine the data access patterns, table size/record counts, and existing indexes for the constrained and primary tables.
How to Apply Multiple XDS Policies to the Same Role?
Developers face many different scenarios, but we will only talk about one right now to help you understand the level of access each offers. In this case, we want a role to only be able to work with customers and vendors that have a group (CustGroup/VendGroup) equal to 10.
The first thing we did was create a role that grants complete control over both customers and vendors. The following is what the test user sees when assigned this role:

To apply the XDS policies, you must first develop the Customer and Vendor queries.

Then, define security policies for these queries. Some things to consider here:
- The Context String property for each policy is identical. It enables us to assign these policies to the same role.
- The Context Type is RoleProperty, which indicates that the Context String will be used to determine which role(s) the policy applies to.
- The Operations attribute is set to AllOperations, which means that all Reads, Updates, Creates, and Deletes will occur within the context of XDS.
- The primary table in each is the object’s Group table (VendGroup/CustGroup).
- Each policy refers to the associated query (VendorGroupQuery, CustomerGroupQuery).

Then, create a role (FpGroupXDSRole) to which we assign the proper duties; note that we set the Context String to the same string as our security policies. Both XDS policies will apply to this role.

As soon as the user is given this role, it is clear that both policies are successfully implemented.
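A small model of the setup above, written for this article as an added example (it is not D365 code, nor the SQL the kernel actually generates): two policies share the Context String GroupXDSPolicy, and a role picks up both by carrying the same string. FullAccessRole, the sample rows and the helper names are assumptions, and SQLite stands in for the application database.

```python
import sqlite3

# Constructed model: each record mirrors the policy properties listed above.
POLICIES = [
    {"context": "GroupXDSPolicy", "constrained": "CustTable",
     "primary": "CustGroup", "link": "CustGroup", "value": "10"},
    {"context": "GroupXDSPolicy", "constrained": "VendTable",
     "primary": "VendGroup", "link": "VendGroup", "value": "10"},
]
# Role -> Context String; FullAccessRole is a hypothetical unconstrained role.
ROLES = {"FpGroupXDSRole": "GroupXDSPolicy", "FullAccessRole": ""}
TABLES = {"CustTable", "VendTable"}  # allowlist: table names are interpolated into SQL

def build_db():  # in-memory tables with constructed sample rows
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE CustGroup (CustGroup TEXT); CREATE TABLE VendGroup (VendGroup TEXT);
        CREATE TABLE CustTable (AccountNum TEXT, CustGroup TEXT);
        CREATE TABLE VendTable (AccountNum TEXT, VendGroup TEXT);
        INSERT INTO CustGroup VALUES ('10'), ('20'); INSERT INTO VendGroup VALUES ('10'), ('30');
        INSERT INTO CustTable VALUES ('C001','10'), ('C002','20'), ('C003','10');
        INSERT INTO VendTable VALUES ('V001','30'), ('V002','10');
    """)
    return db

def policy_filter(role, table):
    """Build the predicate for every policy whose Context String matches the role's."""
    if table not in TABLES:
        raise ValueError(table)
    ctx, clauses, params = ROLES[role], [], []
    for p in POLICIES:
        if ctx and p["context"] == ctx and p["constrained"] == table:
            clauses.append(
                f"EXISTS (SELECT 1 FROM {p['primary']} g WHERE "
                f"g.{p['link']} = {table}.{p['link']} AND g.{p['link']} = ?)")
            params.append(p["value"])
    return " AND ".join(clauses) or "1=1", params

def select_accounts(db, role, table):
    """Read path: the policy predicate is appended to the SELECT."""
    pred, params = policy_filter(role, table)
    rows = db.execute(f"SELECT AccountNum FROM {table} WHERE {pred} ORDER BY AccountNum", params)
    return [r[0] for r in rows]

def delete_account(db, role, table, account):
    """Write path (AllOperations): same predicate, so out-of-policy rows are untouched."""
    pred, params = policy_filter(role, table)
    return db.execute(f"DELETE FROM {table} WHERE AccountNum = ? AND {pred}",
                      [account, *params]).rowcount
```

A role whose Context String does not match any policy gets the unfiltered statement, which is why a typo in the string silently removes the restriction and is worth checking with a test user.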

In the test described above, we defined the role using the AOT. We also wanted to confirm that a role created through the user interface worked as expected. So, we created a role in D365FO’s Security Configuration area and ensured that the Security Policy Context String remained the same as before (GroupXDSPolicy).

XDS Policy By Pass Role Scenario Test Role
As an expert, you may find that the description given by Microsoft makes you wonder about a few things. As per the description, this role is for security, which raises some questions for me. The description is for XDSPolicy Bypass UT. There is no more information in the Microsoft documentation on this.
It does suggest opening links to Xbox support instead, which is not useful. We did, however, run a metadata search in Visual Studio, reverse-engineer various kernel DLLs, and use the cross-reference feature. Initially, there was only one hit: the security role object named XDSPolicyByPassRoleScenarioTestRole.
Please remember to update the cross-references after one or two updates. Updating cross-references for standard application objects leads to a security policy named XDSCustTableOnCustGroup10Policy.

When to Bypass Data Security Policies
This role will affect user behavior by granting pure role-based access permissions without the data constraints set in security policies. When will this be useful, and what considerations should be made before assigning such a role to a user in an environment?
Remember that granting access to this role should be the exception. This should be carefully examined, just like when assigning the system administrator role. Do not assign this role unless there is a valid business reason. Some reasons why bypassing data security policies may be valid include:
- Determining whether an XDS security policy causes missing data.
- Temporary access to add new setup records to tables where this is prohibited by policy.
- An individually designed or created restricted administrator role that requires access to all data, similar to a system administrator.
When possible, use this role in non-production environments. Only when you think there is no other option can you consider assigning the role to a user in a production environment.
Considerations When Applying XDS Data Access Policy Bypass Role
If you apply the XDSDataAccessPolicyBypassRole, the user will be able to see all private addresses and contact details despite the settings for the roles in the parameters. If you allow a user to bypass the data security policies, you might violate certain regulations. Not only the European Union but also other countries have data privacy laws that should be followed carefully to prevent possible high fines for privacy breaches.
Whenever possible, use this role only in non-production settings. If you have no other option and do assign this role, keep in mind that the user will be able to access all private information regardless of the roles specified in the parameters.
Allowing a particular user role to evade data security controls may violate some regulations. Right now, almost all countries are quite strict about privacy regulations, so make sure that you comply with them and be careful when assigning a role.
Bottom Line
Dynamics 365 Finance security roles are significant for any organization. So, when you are assigning these roles, make sure you understand as many scenarios as possible. You can find a detailed description of each on the Microsoft website.
However, you still might need the assistance of Microsoft experts at DHRP. We can help you with extensible data security XDS roles while understanding your business security needs. So, reach out, and let’s keep the sensitive data safe.
