Understanding Native Controls in Dynamics AX 2012/365FO
Alex Meyer
Director of Dynamics AX/365 FO Development and Microsoft MVP
Email: [email protected]
Blog: http://d365foblog.com
GitHub: https://github.com/ameyer505
Worked in AX/D365FO for over 5 years, specifically around security, audit, and compliance functionality and reporting
Presented at numerous Dynamics Communities User Group events:
- User Group Focus
- Summit US
- Summit Europe
- eXtreme365
- Various local chapter meetings
Frank Vukovits
Director of Strategic Partnerships
Email: [email protected]
Twitter: @fvukovits
Original co-founder of AXUG
Certified Internal Auditor
Certified Information Systems Auditor
Agenda
• AX 2012/D365FO Security Model
• Security Reporting
• Administrative Access
• Segregation of Duties
• Database Log
• Workflows
• Lifecycle Services
• Licensing
• Brief Review of Fastpath Solutions
Security Model
• Role Based Security
  • Hierarchy based (role -> duty -> privilege)
• Pessimistic security model
• Security should follow same testing and deployment as code
• User authentication
  • Active Directory (Azure Active Directory)
• Active Directory Groups – AX 2012
• Extensible Data Security (XDS) functionality
Reviewing Security
• Don’t set and forget
• Take a risk-based approach to reviews
• Business Process Owners (BPO) should review access
• Monitor System Administrator (SysAdmin) access
• Update process controls and SOD rules to reflect security changes
Common Security Challenges
• Access security is low priority for project team
• Everyone assigned System Administrator (SysAdmin)
• Security is in the domain of IT/Sys Admin not BPOs
• Expensive customizations in place of security
• No consideration for segregation of duties
• Process controls not part of the design
• Dilution of ‘go-live’ security design
Security Reporting
• Who has access?
• No standard user reports
• Security development tool
  • Available in AX 2012
  • Launched from AOT, against role, duty, or privilege (Right click > Add-Ins > Security tools)
  • View related security objects – role -> duty -> privilege -> entry point and access -> object and access
  • D365FO has no Security Development Tool
  • Majority of AX 2012 Security Development Tool features are built into D365FO user interface (for more information on this see Alex’s blog at http://d365foblog.com)
• Do not rely on security layer name (Inquiry != Inquiry)
• Custom reports
  • Requires development (AX classes or SQL)
  • User/Role access (SecurityUserRole/SecurityUserRoleCondition table)
Security Development Tool – AX 2012
Security Reporting – D365FO
Visual Studio -> Dynamics 365 -> Addins -> View Related Objects and Licenses for All Roles
System Administrator Access
• Programmatic role
• Cannot be modified
• Required for AOT access
• Required for code deployment
Segregation of Duties (SOD)
• Have a methodology
• Build ruleset
  • Needs to be a group effort (BPO, finance, audit)
• Balance preventative vs. productivity
• Don’t forget about process controls
• The goal is a blend of security and controls
Segregation of Duties
• SOD feature exists in AX 2012 & D365FO
• Preventative control that can be overridden with proper mitigation
• No standard ruleset
  • Must be developed by end user
• Gaps
  • Analysis performed at duty level, not object level
  • Privilege to role assignment
  • Security inherited via AD group
• Whitepaper on gap analysis
  • https://www.gofastpath.com/blog/fastpath-vs.-dynamics-ax/d365fo-segregation-of-duty-analysis-comparison
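The "privilege to role assignment" gap listed above, worked through as an added example (not code from the presentation or from Dynamics): a duty-pair check is compared with a check on the privileges each user actually ends up with. All role, duty, privilege and user names are constructed, and "one privilege from each side of a rule" is an assumed, deliberately conservative conflict definition.

```python
# Added example: constructed security data, not taken from a real AX/D365FO system.
DUTY_PRIVS = {   # duty -> privileges it contains
    "MaintainVendors": {"VendorCreate", "VendorBankEdit"},
    "ProcessPayments": {"PaymentJournalPost"},
}
ROLE_DUTIES = {  # role -> duties assigned to it
    "APClerk": {"MaintainVendors"},
    "APPayments": {"ProcessPayments"},
    "APCustom": {"MaintainVendors"},
}
ROLE_PRIVS = {   # role -> privileges assigned directly, bypassing any duty
    "APCustom": {"PaymentJournalPost"},
}
USER_ROLES = {
    "alice": {"APClerk", "APPayments"},
    "bob": {"APCustom"},
    "carol": {"APClerk"},
}
SOD_RULES = [("MaintainVendors", "ProcessPayments")]  # rules are pairs of duties

def user_duties(user):
    """Duties a user holds through role -> duty assignments only."""
    return set().union(*(ROLE_DUTIES.get(r, set()) for r in USER_ROLES[user]))

def user_privileges(user):
    """Effective privileges: via duties plus those attached directly to a role."""
    privs = set()
    for role in USER_ROLES[user]:
        privs |= ROLE_PRIVS.get(role, set())
        for duty in ROLE_DUTIES.get(role, set()):
            privs |= DUTY_PRIVS[duty]
    return privs

def duty_level_conflicts():
    """Users holding both duties of a rule: all a duty-level analysis can see."""
    return {u for u in USER_ROLES for a, b in SOD_RULES
            if {a, b} <= user_duties(u)}

def privilege_level_conflicts():
    """Users holding a privilege from each side of a rule, however it was granted."""
    return {u for u in USER_ROLES for a, b in SOD_RULES
            if user_privileges(u) & DUTY_PRIVS[a]
            and user_privileges(u) & DUTY_PRIVS[b]}

def missed_by_duty_level():
    """Conflicts that exist in effective access but are invisible at duty level."""
    return privilege_level_conflicts() - duty_level_conflicts()
```

In this data `bob` can post payments through a privilege placed directly on his role, so only the privilege-level check reports him.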
Segregation of Duties Rule Setup – AX 2012
Segregation of Duties Rule Setup – D365FO
Database Log
• Risk based approach
• Identify and track critical data points
• Field level
• Reduces performance hit
• Reduces data storage requirements
• Improves reporting performance
• Improves reviewer accuracy
Database Log
• Tracks user, date, time and old/new values for changes
• Limitations
  • Designed as debugging tool
  • Performance considerations
• Batch jobs broken down to row by row when database log enabled for a table
• Only tracks changes inside Dynamics
• Changes made in database with AOS service account
• Code changes
• SysAdmin changes
• Maintain audit data
Database Log Setup – AX 2012
Database Log Setup – D365FO
Database Log Inquiry – AX 2012
Database Log Inquiry – D365FO
Workflows
• Powerful and flexible
• Requires developer and workflow expertise
  • Workflow editor
• Approvals
  • Journals
  • Purchase Orders
• Reporting
  • Tracking Details
Workflow Editor – AX 2012
Workflow Tracking Details – AX 2012
Workflow Editor – D365FO
Workflow Tracking Details – D365FO
Lifecycle Services (LCS)
• Management portal for AX/D365FO environments
• Business process modeler
• Task recorder – upload custom business processes
• License sizing estimator
User Licensing
• Licensing determined by user’s access to entry points
  • Menu Items
  • Data Entities
  • Service Operations
• Each entry point has two properties
  • ViewUserLicense
  • MaintainUserLicense
• The access a user has to an entry point determines which license is required
• AX 2012 Licenses
  • Enterprise
  • Functional
  • Task
  • Self Service
• D365FO License
  • Operations
  • Activity
  • Team Member
Questions?
Fastpath Facts
• Founded 2004
• Staff includes CPAs, CIAs, and CISAs
• 1,300+ Customers across 30+ Countries
• Fastpath Works Across Platforms
Fastpath Assure® – Powered by Microsoft Azure
• Audit Trail: Critical Data Change Tracking
• SOD: Segregation of Duties and Security Access Reviews
• Identity Manager: Compliant User and Emergency Access Provisioning
Fastpath ensures our customers can confidently answer these three critical questions:
• Who has access to their systems?
• What did they do with that access?
• Where are they vulnerable?
• Security Designer*: Create and Change Security in Dynamics
*D365 for Finance and Operations only
Audit Partners
Demo
Fastpath Demo Links
• SOD, User Access Reviews, and Access Certifications
• Audit Trail
• Identity Manager
Note: these demos are for Dynamics AX, but the modules’ look and feel, along with their functionality, are the same in Dynamics 365 F&O
Resources
• Lifecycle Services (LCS) for Finance and Operations
• Security Roles & Licensing Whitepaper
• Role-based Security Use Patterns for Developers
• Microsoft Dynamics AX 2012 R3 Licensing Guide
• Microsoft Dynamics 365 Licensing
• D365FO Security Blog
• D365FO Security Audit Field Manual
• D365FO Resources From Fastpath
• Develop & Implement Least Privilege Security in D365FO
• D365FO Security Matrix
• AX 2012 Security Matrix
Thank you for attending!
Alex Meyer
Frank Vukovits