You can manage access to Microsoft Dynamics AX with Active Directory security groups. But you can only get so far.
A manufacturing client of ours has very specific and extensive needs for Dynamics AX. Of course, they need to provide access to employees, but they also need dealers, suppliers and other partners to have access. Once in Dynamics AX, they need to take advantage of the internal roles to ensure that the right users have the right permissions.
Security groups seem like the best fit from 30,000 feet: both AD and Dynamics AX are part of the Microsoft stack. Microsoft has set it up so that if you are in a specific security group for Dynamics AX, you can authenticate and use Dynamics AX. But they stopped there: close, but not close enough to actually use the solution for our client's needs.
Two things in our client's use case preclude them from using groups: the external users and the specific roles within Dynamics AX. They have absolutely no interest in maintaining AD users for these external dealers and suppliers. And they want to take full advantage of Dynamics AX and have different roles within it. The whole idea is to be automated, not to have to go in and manually assign permissions once a user has been put into a group.
So, what do you do? EmpowerID. A full IAM suite will give you the three components you need to manage Dynamics AX access correctly.
You need a flexible connector that speaks to Dynamics AX using AIF. Microsoft Dynamics AX Application Integration Framework (AIF) enables companies to integrate and communicate with external business processes and partners through the exchange of XML over various transport media. AIF enables both business-to-business and application-to-application integration scenarios.
EmpowerID's metadirectory gives you an identity store for your external users separate from Active Directory. These users can then be provisioned into Dynamics AX using the connector and given the appropriate permissions and roles. These roles and user lifecycles are managed in EmpowerID.
EmpowerID's RBAC engine gives a flexible and powerful polyarchical role structure. You can manage your roles dynamically and map them to Dynamics AX, giving the exact permissions you need. All role assignments and Separation of Duties (SOD) are managed in EmpowerID so you can attest, certify and automate all of the processes you need to manage access.
So, when do you use groups? When you want to give vanilla roles to a set of users that are all in AD.
When do you use roles? When you want to manage a diverse set of users with a diverse set of access permissions in Dynamics AX. And when you want to automate it without dedicating a help desk person to managing it manually.
Most organizations using Dynamics AX have business, compliance and auditing requirements. They are using it because they need to manage critical business processes and business data. Not using roles to grant correct permissions seems to work against the investment they have made in Dynamics AX.