Security Management Successes and Failures Arbela Technologies Corp
Security Management: Successes and Failures © Arbela Technologies Corp www.ArbelaTech.com @ArbelaTech
Agenda
• About Security
• What is Application Security and why is it important?
• Understanding Security Role Structure in Dynamics
• Best Practices
• What are the typical audit reports?
• What do auditors look for?
• What should you be aware of?
• Managing security the right way
• Licensing
• Demonstration of D365 Security
About Security: What is Application Security
Application security: Application security is the use of software, hardware, and procedural methods to protect applications from internal or external threats.
How does it affect me? When security in your software is not configured, anyone can do anything. This results in loss of sensitive customer data or in financial risk.
How can I protect myself: Application security can be enhanced by:
• Understanding security within the application
• Having correct requirements
• Correctly applying security requirements
• Identifying internal controls if they are in the requirements (these will help you be SOX compliant)
• Testing security
• Continuous monitoring
How can I identify correct requirements?
• Model the system to conform with existing business processes
• Or leverage the system to shape your business
• Is the business willing to change? The AX out-of-box setup is good. Ex.: someone who does payments, while the manager does setup. A lot of the time businesses will have people who do all of those functions. Perhaps a business should let users specialize in only a specific function instead of having access to multiple, if possible.
AX Security is an integral part of any implementation. It’s not just a last minute rush exercise during deployment!
About Security: Understanding Security Role Structure in Dynamics
Role Based Security Structure
• Role – highest level of assignment
• Duty – used by the Segregation of Duties checker in the Compliance module
• Privilege – lowest level normally used in security design
• Permission – table and control level
What are Roles? A function that a person does relating to their work title:
• AR Payment Clerk - a user who documents accounts receivable payment events and responds to payment inquiries.
• AR Manager - a user who reviews customer invoice process performance and enables the customer invoice process.
A person can have multiple roles assigned to them!
What are Duties? Duties are parts of a business process.
• A duty can be assigned to more than one role.
• You can assign related duties to separate roles. These duties are said to be segregated. By segregating duties, you can better comply with regulatory requirements, such as those from Sarbanes-Oxley (SOX).
• Segregation of duties helps reduce the risk of fraud, and helps you detect errors or irregularities.
What are Privileges? A privilege specifies the level of access that is required to perform a job, solve a problem, or complete an assignment.
• A privilege contains permissions to individual application objects, such as user interface elements and tables. For example, the Cancel payments privilege contains permissions to the menu items, fields, and tables that are required to cancel payments.
What are Permissions? Permissions are required to run a function, including any tables, fields and forms.
• Each function in Microsoft Dynamics AX, such as a form or a service, is accessed through an entry point. Menu items, web content items, and service operations are referred to as entry points.
Role Structure Explained
Role: AR Manager
  Duty: Maintain customer master (CustCustomersMaintain)
    Privilege: Maintain customer records (Edit Customer)
      Permissions: CustTable – Delete; CustTableForEdit – Delete
  Duty: Inquire into bank accounts master (BankAccountsInquire)
    Privilege: View bank account balance (BankAccountBalanceView)
      Permission: BankAccountBalance – Read
  Duty: Enable credit cards
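The hierarchy on this slide, and the Segregation of Duties checker mentioned on the Duties slide, can both be modelled in a few lines. The following is an added example (not code from the deck, Arbela, or Microsoft): it flattens Role → Duty → Privilege → Permission for the AR Manager role shown above and then checks users' combined role assignments against a conflict rule. The AR Payment Clerk duty (CustPaymentsProcess), the Enable credit cards AOT name and the conflict rule itself are constructed for illustration.

```python
"""Role -> Duty -> Privilege -> Permission model with a segregation-of-duties check.
Added example; only the AR Manager duties/privileges/permissions come from the slide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    obj: str     # securable object, e.g. the CustTable table
    access: str  # Read, Update, Create or Delete


@dataclass
class Privilege:
    label: str
    permissions: frozenset


@dataclass
class Duty:
    name: str            # AOT name, e.g. CustCustomersMaintain
    label: str
    privileges: tuple = ()


@dataclass
class Role:
    name: str
    duties: tuple = ()


# --- Data from the "Role Structure Explained" slide ---
MAINTAIN_CUSTOMER = Duty("CustCustomersMaintain", "Maintain customer master", (
    Privilege("Maintain customer records", frozenset({
        Permission("CustTable", "Delete"),
        Permission("CustTableForEdit", "Delete"),
    })),
))
INQUIRE_BANK = Duty("BankAccountsInquire", "Inquire into bank accounts master", (
    Privilege("View bank account balance",
              frozenset({Permission("BankAccountBalance", "Read")})),
))
ENABLE_CARDS = Duty("CreditCardsEnable", "Enable credit cards")  # AOT name constructed
AR_MANAGER = Role("AR Manager", (MAINTAIN_CUSTOMER, INQUIRE_BANK, ENABLE_CARDS))

# --- Constructed second role so that a conflict can be shown ---
PROCESS_PAYMENTS = Duty("CustPaymentsProcess", "Process customer payments")  # constructed
AR_PAYMENT_CLERK = Role("AR Payment Clerk", (PROCESS_PAYMENTS,))

# Constructed SoD rule: one person should not both edit the customer master
# and process customer payments. Each rule is a pair of duty AOT names.
SOD_RULES = {frozenset({"CustCustomersMaintain", "CustPaymentsProcess"})}


def effective_permissions(role):
    """Flatten the hierarchy: every Permission reachable from the role."""
    perms = set()
    for duty in role.duties:
        for priv in duty.privileges:
            perms |= priv.permissions
    return perms


def user_duties(roles):
    """Duties a user holds across all assigned roles (roles are additive)."""
    return {duty.name for role in roles for duty in role.duties}


def sod_violations(assignments, rules=SOD_RULES):
    """assignments: user -> list of Role. Returns user -> sorted conflicting duty pairs.
    A rule fires when every duty in it is reachable from the user's roles."""
    report = {}
    for user, roles in assignments.items():
        held = user_duties(roles)
        hits = [tuple(sorted(rule)) for rule in rules if rule <= held]
        if hits:
            report[user] = sorted(hits)
    return report


if __name__ == "__main__":
    for p in sorted(effective_permissions(AR_MANAGER), key=lambda p: (p.obj, p.access)):
        print(f"AR Manager -> {p.obj}: {p.access}")
    print(sod_violations({"alice": [AR_MANAGER, AR_PAYMENT_CLERK], "bob": [AR_MANAGER]}))
```

Because roles are additive, the check has to run over the union of a user's roles, not over each role on its own; a role that is clean by itself can still create a conflict when combined with another.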
Best Practice: What are the typical audit reports?
Audit Reports – Users and Roles
Audit Reports – Changes to User Role Assignments
Audit Reports – Changes to Security
Best Practice: What do auditors look for?
Auditors look for: Any changes that happened in the system that are NOT documented for approval
Auditors look for:
Audit Reports – Changes to User Role Assignments: Users that may not exist as employees?
Best Practice: What should you be aware of?
Source Code
• Security is stored in the source code of Dynamics
• Changes made through the UI will not be applied to the source code!
• UI changes only create data and are not stored in the back end of the AOT, as they were in AX 2012
Best Practice: Managing security the right way
Access types: Read, Update, Create, Delete
Permission levels: GRANT, UNSET, DENY
Source Code
• Read = Grant
• Update = Grant
• Create = Deny
• Delete = Unset
• What’s the effective access? They can read and update but not create. If you Deny access, that overrides any Grant.
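The effective-access rule on this slide, as an added example (not code from the deck or from Dynamics): each access type is resolved to Grant, Deny or Unset, and a Deny wins over every Grant. The slide only shows a single set of permissions; the combination across several roles or privileges (union of Grants, any Deny wins, Unset never grants on its own) is an assumption made here so that the override can be seen.

```python
"""Resolve Grant / Deny / Unset per access type. Added example; the across-roles
combination rule (any Deny wins, otherwise any Grant wins) is an assumption."""

ACCESS_TYPES = ("Read", "Update", "Create", "Delete")
GRANT, DENY, UNSET = "Grant", "Deny", "Unset"


def effective_access(*permission_sets):
    """Each permission set maps access type -> Grant/Deny/Unset (missing = Unset).
    Returns access type -> True if effectively allowed, False otherwise."""
    result = {}
    for access in ACCESS_TYPES:
        levels = [perms.get(access, UNSET) for perms in permission_sets]
        if DENY in levels:
            result[access] = False          # Deny overrides any Grant
        else:
            result[access] = GRANT in levels  # Unset alone never grants
    return result


def allowed(*permission_sets):
    """Access types the user ends up with, in Read/Update/Create/Delete order."""
    eff = effective_access(*permission_sets)
    return [access for access in ACCESS_TYPES if eff[access]]


# Constructed inputs: the slide's single set, and a second set that tries to Grant Create
SLIDE_EXAMPLE = {"Read": GRANT, "Update": GRANT, "Create": DENY, "Delete": UNSET}
OTHER_ROLE = {"Create": GRANT, "Delete": GRANT}

if __name__ == "__main__":
    print("slide only      :", allowed(SLIDE_EXAMPLE))
    print("with other role :", allowed(SLIDE_EXAMPLE, OTHER_ROLE))
```

In the combined case the second set's Grant on Create is still overridden by the Deny, while its Grant on Delete fills the Unset; that is why a Deny placed in one privilege can silently switch off access that another role was meant to provide.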
Best Practice – Do not affect other roles
Original:
  Role: AR Manager
    Duty: Maintain customer master (CustCustomersMaintain)
      Privilege: Maintain customer records (Edit Customer)
        Permission: CustTable – Delete
Steps:
  1. Duplicate the duty.
  2. Remove the original privilege and replace it with the new privilege.
  3. Duplicate the privilege and replace its permission.
Result:
  Role: AR Sr Manager
    Duty: Maintain customer master revoke
      Privilege: View customer records (View Customer)
        Permission: CustTable – Read
Editing the shared duty or privilege in place would change every role that uses it, which is why the copies are made.
Best Practice – Be careful of shared access
  Role: AR Manager
    Duty: Inquire into Payment Journal
      Privilege: Views Payment Journal
        Permission: CustPaymJournal – Read
  Role: AR Sr Clerk
    Duty: Inquire into Payment Journal
      Privilege: Views Payment Journal
        Permission: CustPaymJournal – Read
Best Practice: Licensing
License types: Team Member, Activity, Operations
Team Members is a named user subscription designed for users who are not tied to a particular function, but who require basic Dynamics 365 functionality. This license includes read access as well as some write access for select light tasks across all of Dynamics 365. No transactions or access to setups.
Activity is intended for users who may be heavy users of the application, but do not require the use rights of a full user. Dynamics 365 for Operations Activity use rights include all Team Member user rights as well as the right to: (i) approve all Activity related transactions; (ii) create or edit the items related to warehousing, receiving, shipping, orders, vendor maintenance, and all budgets.
Operations is intended for users whose work requires use of the feature-rich business applications functionality. Examples of full users are sales people, customer service representatives, finance employees, controllers, supply chain managers, etc. These types of functions trigger an Operations license.
Best Practices – Know your licenses
• Licensing is based on access, i.e. what users can do, not on what they are actually doing.
• It is based on the access each user has to entry points (menu items etc.) in the system. Each entry point has two separate user license properties, ViewUserLicense and MaintainUserLicense.
• This is why you typically see view or maintain rights in the application.
Licensing and impact: Use view permissions to monitor your licenses
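How the two license properties on an entry point decide a user's license, as an added example (not code from the deck, Arbela, or Microsoft): a user's required license is the highest tier over every entry point they can reach, taking MaintainUserLicense when they hold maintain rights and ViewUserLicense when they hold only view rights, whether or not they ever open the form. The entry points and their license values below are constructed for illustration and are not Microsoft's real property values; the tier order Team Member < Activity < Operations follows the three license slides above.

```python
"""Required license per user from entry-point access. Added example; entry points
and their View/Maintain license values are constructed, not real Microsoft data."""
from dataclasses import dataclass

# Lowest to highest; "None" means the user reaches no licensed entry point
TIERS = ("None", "Team Member", "Activity", "Operations")


@dataclass(frozen=True)
class EntryPoint:
    name: str
    view_user_license: str      # ViewUserLicense property
    maintain_user_license: str  # MaintainUserLicense property


# Constructed sample entry points (menu items) with constructed license properties
ENTRY_POINTS = {
    "CustTable": EntryPoint("CustTable", "Team Member", "Operations"),
    "PurchTable": EntryPoint("PurchTable", "Team Member", "Activity"),
    "CustPaymJournal": EntryPoint("CustPaymJournal", "Activity", "Operations"),
}


def tier_for(entry_point, level):
    """License the entry point demands for 'View' or 'Maintain' access."""
    ep = ENTRY_POINTS[entry_point]
    return ep.maintain_user_license if level == "Maintain" else ep.view_user_license


def required_license(access):
    """access: entry point name -> 'View' or 'Maintain'. Returns the highest tier."""
    best = "None"
    for entry_point, level in access.items():
        tier = tier_for(entry_point, level)
        if TIERS.index(tier) > TIERS.index(best):
            best = tier
    return best


def license_drivers(access):
    """Entry points that push the user to their required tier. Reducing these from
    Maintain to View (the slide's advice) is what would lower the license."""
    best = required_license(access)
    return sorted(ep for ep, level in access.items() if tier_for(ep, level) == best)


def license_report(users):
    """users: user -> access dict. Returns user -> (required tier, driving entry points)."""
    return {user: (required_license(acc), license_drivers(acc)) for user, acc in users.items()}


if __name__ == "__main__":
    # Constructed users
    users = {
        "viewer": {"CustTable": "View", "PurchTable": "View"},
        "buyer": {"PurchTable": "Maintain", "CustPaymJournal": "View"},
        "ar_manager": {"CustTable": "Maintain", "PurchTable": "View"},
    }
    for user, (tier, drivers) in license_report(users).items():
        print(f"{user}: {tier} (driven by {', '.join(drivers) or 'nothing'})")
```

Running the report over real role assignments shows which maintain rights are responsible for each user's tier; if those rights are not needed, replacing them with view permissions is the lever the "Licensing and impact" slide refers to.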
Demonstration
THANK YOU www.arbelatech.com