Microsoft Dynamics AX forum
Suggested answer

How to keep table data concealed

Hi experts,

I have a custom AX table where I will be storing confidential data which I do not want even Admin to see via direct SQL access when they move Axdb across environments or with their sys admin access in the application.

Only authorized sec roles should be able to see data in plain format via the application, and no one else, not even sys admin, should see this.

Please suggest how I can achieve this.

Thanks

Mav

  • Suggested answer
    Mohsin Khalid 501
    RE: How to keep table data concealed

    I haven't implemented this, but the concept of public key is that two keys are used: one key is used for encryption and another key is used for decryption. One key (the public key) is used to encrypt the plain text to convert it into cipher text, and another key (the private key) is used by the receiver to decrypt the cipher text to read the message.

    So in your scenario you will encrypt data on every insert into that table with the first key and provide a script to decrypt the output that takes the private key and decrypts. The private key will be known to those specific users only and will not be in the system; this way you will not have to deal with test and prod scenarios, and at all levels the data will stay encrypted.

  • Sergei Minozhenko 23,083
    RE: How to keep table data concealed

    Hi Mav,

    Could you please share more information on why the data has to be in AX? Even if you close access by roles, the AX DB itself stores unencrypted data. Maybe you can store this data in a separate DB which will have limited access, and you can query the data from the AX client if needed or create a REST API service on top of it.

    Azure SQL offers some features in that area docs.microsoft.com/.../security-overview

  • Mav
    RE: How to keep table data concealed

    Auditors first look for what prevention controls are in place.

    Hence I was looking more at how we prevent sys admin from accessing it.

    Change tracking is more of a reactive approach, and although it provides some defense, it is not a 100% satisfactory response for auditors.

    Thanks

    Mav

  • nmaenpaa 101,148
    RE: How to keep table data concealed

    "One can always monitor via change log if sys admin granted themselves or change their sec roles.".

    Or, one can just directly monitor who looked at the credit card information? Would this provide the output that the auditors need?

    In both cases, system administrators can technically access the data, and it would leave a trace.

  • Mav
    RE: How to keep table data concealed

    I think with modern audit controls one of the key factors is to ensure that not even sys admin can access restricted data, failing which companies would fail these industry audits.

    One can always monitor via change log if sys admin granted themselves or change their sec roles.

    I think if anyone can provide me with an example in AX showing how hash key works, how credit card information is concealed from admins, how to use the transparent data encryption framework in SQL, and an example of encryption/decryption in AX 2012 R3, then that info, along with some policy of removing sensitive data when moving the prod DB to non-prod, would allow me to achieve this objective.

  • nmaenpaa 101,148
    RE: How to keep table data concealed

    Remember that Admin can grant any roles to themselves. How do you plan to manage giving sufficient access to some users, but prevent Admin from granting such access to users (their own user)?

    This question should be answered before investing any time in the implementation. 

  • Mav
    RE: How to keep table data concealed

    Please share an example for reference.

  • Mohsin Khalid 501
    RE: How to keep table data concealed

    Hi Mav,

    I would go for a public/private key approach, meaning data is stored in SQL encrypted and the private key is not stored in the system. Each user (assuming upper management) has a private key to decrypt data.

    To achieve it, think of it this way: the user executes a script and the script asks for the private key; if the correct key is inserted, the data is decrypted for their viewership.
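
The design described in both of Mohsin Khalid's replies (encrypt on insert with a public key, keep the private key with the authorized users and out of the system), as an added example that is not from any poster and is not AX code. It uses Node.js's built-in `crypto` module for illustration and goes one step beyond the posts by wrapping a per-value AES-256-GCM key with RSA-OAEP so that values of any length fit; the function names, passphrase, sample value and row-context string are assumptions.

```javascript
// Added illustration: function names, passphrase and row-context format are assumptions.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Run once, away from the AX and SQL servers. Only publicKey is deployed to the system;
// the passphrase-protected privateKey stays with the authorized users.
function newKeyPair(passphrase) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 3072,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
}

// Insert path: needs only the public key. rowContext (table + record id) is bound as
// AAD, so a ciphertext copied onto another row fails authentication.
function sealField(publicPem, plaintext, rowContext) {
  const dek = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const enc = crypto.createCipheriv('aes-256-gcm', dek, iv);
  enc.setAAD(Buffer.from(rowContext, 'utf8'));
  const body = Buffer.concat([enc.update(plaintext, 'utf8'), enc.final()]);
  const wrapped = crypto.publicEncrypt({ key: publicPem, ...OAEP }, dek);
  // One string for the table column: wrappedKey.iv.tag.ciphertext
  return [wrapped, iv, enc.getAuthTag(), body].map(b => b.toString('base64')).join('.');
}

// Read path: runs on the authorized user's side with their key file and passphrase.
function openField(privatePem, passphrase, sealed, rowContext) {
  const [wrapped, iv, tag, body] = sealed.split('.').map(s => Buffer.from(s, 'base64'));
  const dek = crypto.privateDecrypt({ key: privatePem, passphrase, ...OAEP }, wrapped);
  const dec = crypto.createDecipheriv('aes-256-gcm', dek, iv);
  dec.setAAD(Buffer.from(rowContext, 'utf8'));
  dec.setAuthTag(tag);
  return Buffer.concat([dec.update(body), dec.final()]).toString('utf8');
}

const fails = fn => { try { fn(); return false; } catch { return true; } };
function demo() {
  const pass = 'constructed-passphrase';               // constructed sample values
  const secret = '4111 1111 1111 1111', row = 'ConfidentialTable:1001';
  const { publicKey, privateKey } = newKeyPair(pass);
  const stored = sealField(publicKey, secret, row);    // what SQL and admins see
  return {
    roundTrip: openField(privateKey, pass, stored, row) === secret,
    wrongPassphraseFails: fails(() => openField(privateKey, 'guess', stored, row)),
    movedRowFails: fails(() => openField(privateKey, pass, stored, 'ConfidentialTable:1002')),
  };
}
const demoResult = demo(); console.log(demoResult);
```

Only the public key is needed on the insert side, so a copied database or a direct SQL query returns just the sealed strings. Code that handles the value before `sealField` runs still sees it in the clear.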

  • Mav
    RE: How to keep table data concealed

    Hi Experts,

    Does anyone have any idea for achieving this data concealment from admin via SQL DB and application?

    If hashing/hash key can achieve this, then is there any example within AX where it stores a hash key?

  • Mav
    RE: How to keep table data concealed

    Hi Dr Ludwig,

    Data has to be in Ax :-(

    Thanks

    Mav
