AOS Security

Applies To: Microsoft Dynamics AX 2012 R3, Microsoft Dynamics AX 2012 R2, Microsoft Dynamics AX 2012 Feature Pack, Microsoft Dynamics AX 2012

The Application Object Server (AOS) can protect the Microsoft SQL Server database from security threats because clients connect to the database only through the AOS. There are several security advantages when you use the AOS. This topic describes AOS security advantages and best practices for the AOS.

AOS Security Advantages

The following table describes security advantages when you use the AOS.

| Advantage | Description |
| --- | --- |
| No direct access to the SQL Server database. | The client configuration does not store the information that would enable it to connect to the database. |
| Built-in data encryption based on common standards. | For instance, Microsoft Dynamics AX encrypts the data in communications between the AOS and client tiers. |
| Flexible authentication. | Authentication to log in to the AOS requires user registration in Microsoft Dynamics AX plus registration in a supporting external system that provides authentication. The list of authentication systems that Microsoft Dynamics AX can interact with includes Active Directory Services and the Claims system of SharePoint. The ability of Microsoft Dynamics AX to interact with a variety of supporting external authentication systems is called flexible authentication. |
| Authorization. | The AOS has authority to read every Microsoft Dynamics AX table that is in the associated SQL Server database system. A table permissions framework prevents unauthorized Microsoft Dynamics AX users from accessing any table that has its AOSAuthorization property set to a restrictive value. Access to system tables is also restricted. The AOS also enforces authorization according to the role-based security system. |

AOS Connection to SQL Server

When you install the AOS, the setup program asks for a domain account. The AOS must have a domain account that has sufficient user rights and permissions.

The AOS account must be a user in the database and must be assigned to the following database roles:

  • db_ddladmin

  • db_datareader

  • db_datawriter

In addition, the AOS user must have permission to execute the following stored procedures in the database:

  • createserversessions

  • createusersessions
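
The following T-SQL is an added example, not part of the original topic or of Microsoft's setup scripts. It audits an AOS service account against the role memberships and stored procedure permissions listed above. The database name MicrosoftDynamicsAX and the account CONTOSO\svc-aos are placeholders, and the database user is assumed to carry the same name as the domain account.

```sql
-- Added example: audit the AOS service account against the roles and
-- stored procedure permissions listed above. Placeholders (assumptions):
--   database  MicrosoftDynamicsAX
--   account   CONTOSO\svc-aos (database user named after the account)
USE MicrosoftDynamicsAX;

DECLARE @aos sysname = N'CONTOSO\svc-aos';

-- Expected configuration, taken from the two lists above.
DECLARE @expected TABLE (kind varchar(10), name sysname);
INSERT INTO @expected (kind, name) VALUES
    ('role',    N'db_ddladmin'),
    ('role',    N'db_datareader'),
    ('role',    N'db_datawriter'),
    ('execute', N'createserversessions'),
    ('execute', N'createusersessions');

-- Actual configuration: role memberships plus direct EXECUTE grants.
DECLARE @actual TABLE (kind varchar(10), name sysname);
INSERT INTO @actual (kind, name)
SELECT 'role', r.name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = @aos;

INSERT INTO @actual (kind, name)
SELECT 'execute', o.name
FROM sys.database_permissions AS p
JOIN sys.objects AS o ON o.object_id = p.major_id
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = @aos
  AND p.class = 1                    -- object-level permission
  AND p.permission_name = 'EXECUTE'
  AND p.state IN ('G', 'W')          -- GRANT or GRANT WITH GRANT OPTION
  AND o.type = 'P';                  -- SQL stored procedure

-- MISSING: listed above but not present on the account.
-- EXTRA: present on the account but not listed above (review it).
SELECT COALESCE(e.kind, a.kind) AS kind,
       COALESCE(e.name, a.name) AS name,
       CASE WHEN a.name IS NULL THEN 'MISSING'
            WHEN e.name IS NULL THEN 'EXTRA'
            ELSE 'OK' END AS status
FROM @expected AS e
FULL OUTER JOIN @actual AS a ON a.kind = e.kind AND a.name = e.name
ORDER BY status, kind, name;
```

The query reports only memberships and grants made directly to the account. Rights inherited through a Windows group or a schema-level grant do not appear and need a separate check.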

See also

How to: Secure an API on the AOS

Application Object Server security and protection
