This is a quick post to flag a “worst practice” I’ve seen today in a partner’s extension.
This extension needs to save some private data, and the partner has decided to use the Service Password table for that purpose. The Service Password table is a particular table (ID 1261, also present in NAV) with the following structure:
This table was born in the NAV era to implement the Service Data Encapsulation pattern. It stores key/value pairs, where the key is a GUID and the value is a BLOB that contains the encrypted value for that key.
Why is this not a best practice, in my opinion? Because we’re now in the extensions era: different extensions from different vendors can be installed in the same tenant, and there’s a dedicated system object for handling data isolation between them: the Isolated Storage.
The Service Password table (or other similar tables) does not guarantee that your data is isolated within your extension’s scope. An extension A can write sensitive encrypted data into this table and an extension B can delete that data. And what if a malicious extension C modifies that data, or is able to decrypt it? Where is your security?
In the extension world (and especially with Dynamics 365 Business Central), you need to start using the Isolated Storage for storing your extension’s sensitive data. This is a data storage that provides isolation between extensions, so that keys/values stored by one extension cannot be accessed from other extensions. The isolation is always per-extension, and you can also set the scope of the stored data (to restrict its visibility further):
The default value of DataScope is Module if not specified.
This is a small example of what you need to do for saving and retrieving data from the Isolated Storage:
local procedure IsolatedStorageTest()
var keyValue: Text; // receives the stored value
begin
    if IsolatedStorage.Contains('mykey', DataScope::Company) and IsolatedStorage.Get('mykey', DataScope::Company, keyValue) then
        Message('Key value retrieved is %1', keyValue);
end;
This is extremely simple and (more importantly) secure! If extension A creates the key mykey in the Isolated Storage, no other extension can access this data.
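As an added example (not code from the original post), here is a small wrapper codeunit that saves, reads and deletes a secret in the Isolated Storage at Company scope and checks the result of each call. The object ID 50100, the codeunit and procedure names and the key name are assumptions made for illustration.

```al
codeunit 50100 "Api Key Store"
{
    // Added example: object ID, names and the key are hypothetical.
    // Internal access keeps other extensions from calling these procedures;
    // a public getter would hand the secret to any extension that depends on this one.
    Access = Internal;

    var
        ApiKeyTok: Label 'ApiKey', Locked = true;

    procedure SaveApiKey(NewValue: Text)
    begin
        // Consuming the return value turns a failed write into a Boolean
        // that can be handled here, rather than an unhandled runtime error.
        if not IsolatedStorage.Set(ApiKeyTok, NewValue, DataScope::Company) then
            Error('The API key could not be saved.');
    end;

    procedure TryGetApiKey(var ApiKey: Text): Boolean
    begin
        // Never return a stale value from the caller's variable.
        Clear(ApiKey);
        if not IsolatedStorage.Contains(ApiKeyTok, DataScope::Company) then
            exit(false);
        exit(IsolatedStorage.Get(ApiKeyTok, DataScope::Company, ApiKey));
    end;

    procedure RemoveApiKey()
    begin
        // Delete only when present, so the call is safe to repeat.
        if IsolatedStorage.Contains(ApiKeyTok, DataScope::Company) then
            if not IsolatedStorage.Delete(ApiKeyTok, DataScope::Company) then
                Error('The API key could not be removed.');
    end;
}
```

Every call passes the same DataScope explicitly, so a value written at Company scope is not looked up at the default Module scope by mistake.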
Please remember this and don’t use standard tables for storing sensitive data.