I recently posted a video of a new project I have been working on to help with security testing in D365FO. I am now ready to officially release the D365FO Security Test Workspace solution in a Beta state for testing and feedback, so I wanted to give an overview of how it works, how to set it up, and the features it offers.
Microsoft’s Answers to Security Testing
In AX 2012, the Security Development Tool had the ability to launch a test workspace for any role, duty, or privilege in the system. This functionality sat in the AOT and required a user be assigned the SysAdmin role to function. There were some limitations, though: you could not launch this for multiple security levels at once, and there was no functionality to pull in a user’s current access as a starting point.
Then go to Open the Security Test Workspace menu button:
In D365FO, there was no official feature for this type of security testing; however, there was a hidden feature you could enable by installing a Visual Studio extension called ‘View with Role Set’. I’ve actually written about this feature before. This solution could launch a test workspace for any combination of roles you wanted, and it could pull in a user’s current role assignments as a starting point, which you could then modify to see the result. However, there were gaps in this solution as well: you could not launch a test workspace at a duty or privilege level. Also, Microsoft seems to have broken this functionality in recent versions, where you will get this error message if you try to launch the application:
My Answer to Security Testing – D365FO Security Test Workspace
My idea was to combine the best of both the AX 2012 Security Development Tool and the D365FO View with Role Set solutions. The D365FO Security Test Workspace solution offers the following features:
- Can take any combination of roles, duties, and privileges and create a ‘mock’ security role out of it
- Can pull in current user role assignments and then assign additional roles, duties, or privileges to that or revoke any current user roles
- The user executing the tool does not need any access to D365FO (the deployable package comes with its own least privilege role to assign to your service user)
The setup process for the tool is as follows:
- Create an app registration for our external application to authenticate to your AAD -> D365FO instances
- Links to help
- Set up Azure Active Directory Applications in System Administrator -> Setup -> Azure Active Directory Applications
- Navigate to the D365FO Security Test Workspace GitHub page
- Either download the latest pre-built release or clone the entire project locally and build it yourself
- If not a current Fastpath customer, you need to download and install the deployable package into your D365FO environment
- Assign the AMSecurityRoleTest role to the service account user tied to the Azure Active Directory Applications
In the D365FO Security Role Test Workspace solution:
- Go to File -> Setup Connection
The following parameters are from the App Registration created in Azure:
- Active Directory Client App ID
- Active Directory Tenant
- Environment URL
- App Secret
The Service User is the user you want to assign the test security for.
The Web Browser drop down is the web browser you want to launch the test workspace in. I recommend making this a separate browser from your normal browser so you can log in as your service user and save the credentials; this will make the security testing a much smoother process.
The Service Operation Endpoint allows you to select which endpoint you would like to utilize to create the mock security. If you are a current Fastpath customer that owns the Security Designer module you can utilize the FPSecurityDesignerServiceGroup\FpSecurityDesignerService. Otherwise you will need to set this as the AMSecurityRoleTestWorkspaceServiceGroup\AMSecurityRoleTestWorkspaceService.
Using the D365FO Security Test Workspace
Once the connection information is set up, start using the application by selecting either Role, Duty, or Privilege from the Security Layer Type area and then clicking the Load Security Layers button. This will make a live call to your D365FO environment and pull in the current security layers for that type. You can then select any security layers you would like and move them from the Available Security Layers side to the Assigned Security Layers side.
If you select the Role security layer type, the Load User Roles button will also be enabled. Using the Users drop down you can select any currently enabled user in your D365FO environment and click the Load User Roles button to pull in their currently assigned roles. You can then modify their access further by adding additional roles, duties, or privileges or removing any of their currently assigned roles.
Note: This process does not impact any current user access or user role assignment
Once you are ready to test your combination of security, click on the Launch Test Workspace button. This button performs the following tasks:
- Removes any current role named ‘Security Role Test Workspace’
- Creates a new role named ‘Security Role Test Workspace’
- Assigns the roles, duties, and privileges listed in the Assigned Security Layers area to this ‘Security Role Test Workspace’ role
- Assigns the ‘Security Role Test Workspace’ role to the user designated in the Service User connection parameter
- Removes any other roles assigned to the Service User, except the following:
  - Any Fastpath role (Fastpath Assure, Fastpath Audit Trail, Fastpath Identity Manager, Fastpath Quantification, Fastpath Security Designer)
- Opens the browser you selected in your connection information and navigates to the following URL:
You can now test your security configuration in a live D365FO environment.
Once you are done testing you can come back into the D365FO Security Test Workspace application and ‘reset’ your environment by clicking on the Remove Security Test Role button. This will perform the following actions:
- Revoke the ‘Security Role Test Workspace’ role from your Service User
- Remove the ‘Security Role Test Workspace’ role from your environment
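A check you could run around a test session, as an added example that is not part of the tool or the original post: it compares role-assignment snapshots taken before, during, and after testing and flags anything that contradicts the behaviour described above. The snapshot format (user id mapped to a set of role names), the user names, and the non-Fastpath role names are assumptions constructed for illustration.

```python
# Added example: audit role-assignment snapshots around a test session.
# Snapshot format (user id -> set of role names) is an assumption; export it
# however you normally report on user role assignments.

TEST_ROLE = "Security Role Test Workspace"   # role name from the post
FASTPATH_ROLES = {                            # exception listed in the post
    "Fastpath Assure", "Fastpath Audit Trail", "Fastpath Identity Manager",
    "Fastpath Quantification", "Fastpath Security Designer",
}

def audit(before, during, after, service_user):
    """Return a list of findings; an empty list means the session was clean."""
    findings = []
    for label, snap in (("during", during), ("after", after)):
        for user in sorted(set(before) | set(snap)):
            if user == service_user:
                continue
            # The post states that no other user's assignments are touched.
            if before.get(user, set()) != snap.get(user, set()):
                findings.append(f"{label}: roles changed for {user}")
            if TEST_ROLE in snap.get(user, set()):
                findings.append(f"{label}: {user} holds the test role")
    # While testing, the service user should hold only the mock role
    # plus any Fastpath roles.
    extra = during.get(service_user, set()) - FASTPATH_ROLES - {TEST_ROLE}
    for role in sorted(extra):
        findings.append(f"during: service user still has {role}")
    # After 'Remove Security Test Role', the mock role must be gone.
    if TEST_ROLE in after.get(service_user, set()):
        findings.append("after: test role still assigned to service user")
    return findings

# Constructed sample data (not from a real environment).
BEFORE = {"svc.test": {"Accountant", "Fastpath Assure"}, "alice": {"Buyer"}}
DURING = {"svc.test": {TEST_ROLE, "Fastpath Assure"}, "alice": {"Buyer"}}
CLEAN_AFTER = {"svc.test": {"Fastpath Assure"}, "alice": {"Buyer"}}
DIRTY_AFTER = {"svc.test": {TEST_ROLE, "Fastpath Assure"},
               "alice": {"Buyer", TEST_ROLE}}

if __name__ == "__main__":
    print(audit(BEFORE, DURING, CLEAN_AFTER, "svc.test"))
    print(audit(BEFORE, DURING, DIRTY_AFTER, "svc.test"))
```
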
I hope this application makes testing your security in a live environment a slightly easier process. If you have questions, comments, or suggestions for the application feel free to reach out to me at any of the following: