Understanding Native Controls in Dynamics AX 2012/365FO

Post on 02-Oct-2021

Alex Meyer
Director of Dynamics AX/365 FO Development and Microsoft MVP

Email: [email protected]
Blog: http://d365foblog.com
GitHub: https://github.com/ameyer505

Worked in AX/D365FO for over 5 years, specifically around security, audit, and compliance functionality and reporting

Presented at numerous Dynamics Communities User Group events:
- User Group Focus
- Summit US
- Summit Europe
- eXtreme365
- Various local chapter meetings

Frank Vukovits
Director of Strategic Partnerships

Email: [email protected]

Twitter: @fvukovits

Original co-founder of AXUG

Certified Internal Auditor

Certified Information Systems Auditor

Agenda

• AX 2012/D365FO Security Model

• Security Reporting

• Administrative Access

• Segregation of Duties

• Database Log

• Workflows

• Lifecycle Services

• Licensing

• Brief Review of Fastpath Solutions

Security Model

Security Model

• Role Based Security
  • Hierarchy based (role -> duty -> privilege)

• Pessimistic security model

• Security should follow same testing and deployment as code

• User authentication
  • Active Directory (Azure Active Directory)

• Active Directory Groups – AX 2012

• Xtensible Data Security (XDS) functionality

Reviewing Security

• Don’t set and forget

• Take a risk-based approach to reviews

• Business Process Owners (BPO) should review access

• Monitor System Administrator (SysAdmin) access

• Update process controls and SOD rules to reflect security changes

Common Security Challenges

• Access security is low priority for project team

• Everyone assigned System Administrator (SysAdmin)

• Security is in the domain of IT/Sys Admin not BPOs

• Expensive customizations in place of security

• No consideration for segregation of duties

• Process controls not part of the design

• Dilution of ‘go-live’ security design

Security Reporting

• Who has access?

• No standard user reports

• Security development tool
  • Available in AX 2012
  • Launched from AOT, against role, duty, or privilege (Right click > Add-Ins > Security tools)
  • View related security objects – role -> duty -> privilege -> entry point and access -> object and access
  • D365FO has no Security Development Tool
  • Majority of AX 2012 Security Development Tool features are built into D365FO user interface (for more information on this see Alex’s blog at http://d365foblog.com)

• Do not rely on security layer name (Inquiry != Inquiry)

• Custom reports
  • Requires development (AX classes or SQL)
  • User/Role access (SecurityUserRole/SecurityUserRoleCondition table)

Security Development Tool – AX 2012

Security Reporting – D365FO

Security Reporting – D365FO

Visual Studio -> Dynamics 365 -> Addins -> View Related Objects and Licenses for All Roles

Security Reporting – D365FO

System Administrator Access

• Programmatic role

• Cannot be modified

• Required for AOT access

• Required for code deployment

Segregation of Duties (SOD)

• Have a methodology

• Build ruleset
  • Needs to be a group effort (BPO, finance, audit)

• Balance preventative vs. productivity

• Don’t forget about process controls

• The goal is a blend of security and controls

Segregation of Duties

• SOD feature exists in AX 2012 & D365FO

• Preventative control that can be overridden with proper mitigation

• No standard ruleset
  • Must be developed by end user

• Gaps
  • Analysis performed at duty level, not object level
  • Privilege to role assignment
  • Security inherited via AD group
  • Whitepaper on gap analysis
    • https://www.gofastpath.com/blog/fastpath-vs.-dynamics-ax/d365fo-segregation-of-duty-analysis-comparison
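
The duty-level gap listed above, as an added example (not from the presentation and not Dynamics code): a small Python model of role -> duty -> privilege -> entry point that checks one SOD rule first on duties held and then on the entry points actually reachable. All role, duty, privilege, entry point and user names are constructed for illustration.

```python
# Constructed security model; names are illustrative, not real AOT objects.
PRIVILEGES = {  # privilege -> entry points it grants
    "VendorMaintain": {"VendorEditForm"},
    "PaymentJournalPost": {"PaymentPostAction"},
}
DUTIES = {  # duty -> privileges
    "MaintainVendorMaster": {"VendorMaintain"},
    "ProcessVendorPayments": {"PaymentJournalPost"},
}
ROLES = {  # role -> duties, plus privileges attached directly to the role
    "APClerk": {"duties": {"MaintainVendorMaster"}, "privileges": set()},
    "APPayments": {"duties": {"ProcessVendorPayments"}, "privileges": set()},
    "APClerkCustom": {"duties": {"MaintainVendorMaster"},
                      "privileges": {"PaymentJournalPost"}},
}
USER_ROLES = {"alice": {"APClerk", "APPayments"},
              "bob": {"APClerkCustom"},
              "carol": {"APClerk"}}
SOD_RULES = [("MaintainVendorMaster", "ProcessVendorPayments")]

def duty_entry_points(duty):
    """Entry points a duty resolves to through its privileges."""
    return set().union(*(PRIVILEGES[p] for p in DUTIES[duty]))

def user_duties(user):
    return set().union(*(ROLES[r]["duties"] for r in USER_ROLES[user]))

def user_entry_points(user):
    """Effective access: through duties and through role-level privileges."""
    privs = set()
    for role in USER_ROLES[user]:
        privs |= ROLES[role]["privileges"]
        for duty in ROLES[role]["duties"]:
            privs |= DUTIES[duty]
    return set().union(*(PRIVILEGES[p] for p in privs))

def duty_level_conflicts(user):
    """Duty-level analysis: both duties of a rule must be held as duties."""
    held = user_duties(user)
    return [r for r in SOD_RULES if r[0] in held and r[1] in held]

def entry_point_conflicts(user):
    """Object-level analysis: compare what the user can actually reach."""
    eps = user_entry_points(user)
    return [r for r in SOD_RULES
            if eps & duty_entry_points(r[0]) and eps & duty_entry_points(r[1])]

def missed_by_duty_level():
    """Users with an object-level conflict that duty-level analysis misses."""
    return sorted(u for u in USER_ROLES
                  if entry_point_conflicts(u) and not duty_level_conflicts(u))
```

Here `bob` holds only one of the two duties, so the duty-level check passes him, while the privilege attached directly to his role gives him both sides of the rule.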

Segregation of Duties Rule Setup – AX 2012

Segregation of Duties Rule Setup – D365FO

Database Log

• Risk based approach

• Identify and track critical data points

• Field level

• Reduces performance hit

• Reduces data storage requirements

• Improves reporting performance

• Improves reviewer accuracy

Database Log

• Tracks user, date, time and old/new values for changes

• Limitations
  • Designed as debugging tool
  • Performance considerations

• Batch jobs broken down to row by row when database log enabled for a table

• Only tracks changes inside Dynamics

• Changes made in database with AOS service account

• Code changes

• SysAdmin changes

• Maintain audit data

Database Log Setup – AX 2012

Database Log Setup – D365FO

Database Log Inquiry – AX 2012

Database Log Inquiry – D365FO

Workflows

• Powerful and flexible

• Requires developer and workflow expertise
  • Workflow editor

• Approvals
  • Journals
  • Purchase Orders

• Reporting
  • Tracking Details

Workflow Editor – AX 2012

Workflow Tracking Details – AX 2012

Workflow Editor – D365FO

Workflow Tracking Details – D365FO

Lifecycle Services (LCS)

• Management portal for AX/D365FO environments

• Business process modeler

• Task recorder – upload custom business processes

• License sizing estimator

Lifecycle Services (LCS)

User Licensing

• Licensing determined by user’s access to entry points
  • Menu Items
  • Data Entities
  • Service Operations

• Each entry point has two properties
  • ViewUserLicense
  • MaintainUserLicense

• The access a user has to an entry point determines which license is required

• AX 2012 Licenses
  • Enterprise
  • Functional
  • Task
  • Self Service

• D365FO License
  • Operations
  • Activity
  • Team Member

Questions?

Fastpath Facts

• Founded 2004

• Staff includes CPAs, CIAs, and CISAs

• 1,300+ Customers across 30+ Countries

• Fastpath Works Across Platforms

Fastpath Assure® – Powered by Microsoft Azure

• Audit Trail: Critical Data Change Tracking

• SOD: Segregation of Duties and Security Access Reviews

• Identity Manager: Compliant User and Emergency Access Provisioning

Fastpath ensures our customers can confidently answer these three critical questions:

• Who has access to their systems?

• What did they do with that access?

• Where are they vulnerable?

• Security Designer*: Create and Change Security in Dynamics

*D365 for Finance and Operations only

Audit Partners

Demo

Fastpath Demo Links

• SOD, User Access Reviews, and Access Certifications

• Audit Trail

• Identity Manager

Note: these demos are for Dynamics AX, but the modules' look and feel, along with their functionality, are the same in Dynamics 365 F&O.

Thank you for attending!

Alex Meyer

[email protected]

Frank Vukovits

[email protected]