AOS Authorization

Hai to all,

in Table Properties AOS Authorization property,we have 5 options.Defaultly it seted as None.when i changed the property i didn’t get any changes.

Could u plz tell me any one for this property.and it have all options end with Delete.what is the main purpose of this property.

am trainee for axapta,is there any main use of this property in our Ax real time projects

Thanks & Regards

AOSAuthorization Property

This property on a table can take any permutation of Create, Read, Update, and Delete (CRUD) values. The default value is None. The value of this property determines which CRUD operations will result in the AOS performing a security authorization check. The security-authorization check verifies that the current user has permission to perform the requested operation on that table. This is based on User Group Permissions. If the user does not have adequate permissions, the authorization check throws an exception.

For example, the UserInfo table has AOSAuthorizationProperty set to CD (Create and Delete). Whenever a Create or Delete operation is requested on that table, the AOS performs the authorization check. It does not do any additional checks for Read or Update operations.

Source (Microsoft: writing Secure X++ Code). You can find more information on page 462 of the book “Inside Microsoft Dynamics AX 2009”

This property is part of Tables Permission Framework (TPF). The Table Permissions Framework (TPF) enables administrators to add an additional level of security to tables that store sensitive data. TPF adds table-level security that verifies access rights no matter the origin of the request.

To enable TPF, an administrator specifies a value for the AOSAuthorizationProperty on a specific table in the AOT. The AOSAuthorizationProperty authorizes Create, Read, Update, and Delete operations. For some tables, it is important to authorize all operations because the data is sensitive. For other tables, you might find it suitable to specify a subset of operations, such as Create, Update, and Delete. In the case when you have specified a subset, the AOS authorizes the Create, Update, and Delete operations, but allows users to perform View operations if they have access to Microsoft Dynamics AX.

For example, consider the following scenario:

  1. Microsoft Dynamics AX and allows users to access data by using the Microsoft Dynamics AX client, Enterprise Portal, the Application Integration Framework, and a third-party application that connects to Microsoft Dynamics AX by using the .NET Business Connector.
  2. The administrator configured a Microsoft Dynamics AX user group called Senior Accountants, and members of this group have access to sensitive data about financial information and trade secrets. One of the database tables that stores this sensitive information is called FinancialResults. This table was added as part of a customization done by a partner after Microsoft Dynamics AX was installed.
  3. In the Application Object Tree (AOT), the administrator configures the FinancialResults table so that the Application Object Server (AOS) must authorize all operations for that table. The administrator specifies the value CreateReadUpdateDelete for the AOSAuthorizationProperty.
  4. Soon thereafter, a malicious user discovers a vulnerability in Contoso’s third-party application that connects to Microsoft Dynamics AX by using the .NET Business Connector. The malicious user connects to the database as a member of the CRM_users group and attempts to read the data in the FinancialResults table.
  5. Before allowing the read operation, the AOS checks to see if the user is a member of the Senior Leadership user group and if members of the group have permission to read the data. The malicious user is not a member of the Senior Leadership group, so the AOS denies the read operation.