Security. Audit. Compliance. Mark Polino CPA.CITP.CFF, CGMA, Microsoft MVP Dynamics Credentialed Professional Naked and Afraid: Re-implementing Dynamics GP Security
Disclaimers Naked and Afraid. – It’s a Discovery Channel TV show – AND how many feel when told they are responsible for GP security. Despite the title, no one will be naked during this presentation. You are allowed to be afraid.
Overview The world is an insecure place. Being responsible for GP security can be scary. Many companies don’t have confidence in their GP security setup. It can make you feel Naked and Afraid. Every firm can benefit from another look at security.
GP Security Overview. Where security is controlled: Dynamics GP Security (GP); SSRS (AD); Management Reporter (AD); GP Workflow (AD); Web Client (AD + GP); Other Products (?). Legend: (GP) = Dynamics GP users, (AD) = Active Directory users.
Where to Start? Start with GP Security – It’s the most complicated. – It’s the core.
GP Security Review Role based. Access to windows, reports, posting, etc. are rolled up into tasks. Tasks are combined into Roles. Roles are assigned to users.
Security Process Design Review Apply Test Adjust
Process - Design Design Review Apply Test Adjust
Security Design Security is more comprehensive and less vulnerable when it is designed. Designed security is easier to audit. Security design can reduce audit costs by giving auditors a roadmap to test from.
What’s in a Role? Security often incorrectly starts by assigning users to roles. Roles with overlapping tasks are NOT recommended. Default Roles often have overlapping tasks. Documentation of the default roles and their tasks is available. [Free]
Role Assignment
Recommendation: A Task Based Approach. Take a task based approach to creating new roles. A task should be everything needed for a discrete operation. Default Tasks are generally well designed. Default Tasks generally include everything required for a specific operation. They need to be combined into new roles.
Task Assignment
Task Based Recommendations. Use a tool to figure out what tasks should belong to each role. [Free] Add roles or tasks as required. Don’t use or modify existing roles or tasks. Assign roles to users. Can be phased.
GP Security Matrix
Power User Tips. PowerUser is not a role. It is an override that bypasses role and task checks. Power Users DO NOT appear on GP security reports. If you must have a power user, manually create a SuperUser role so the access is visible and auditable. [Free]
‘sa’ Tips. ‘sa’ is really only required for installation. [Free] ‘sa’ is not required to add users. [Free]
Process - Review Design Review Apply Test Adjust
Review. Look for segregation of duties issues in role creation (Role Conflicts). Watch for segregation of duties issues when assigning multiple roles to a user (User Conflicts). [Paid] The security matrix should have sign-off.
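As an added example that is not part of the deck, the following Python script models the role/task structure described above (operations roll up into tasks, tasks into roles, roles onto users) and runs the checks the Review step calls for: tasks that appear in more than one role, SoD conflicts inside a single role (role conflicts), SoD conflicts across a user’s combined roles (user conflicts), users carrying the POWERUSER override, and a reverse lookup of who can reach a given operation. All role names, task IDs, operations, SoD rules and users are constructed sample data, not an export from a real GP install; the task IDs follow GP’s naming pattern but their contents are assumed.

```python
"""Role/task/SoD review over a constructed Dynamics GP style security matrix."""
from collections import defaultdict

# Constructed sample data (assumed, not exported from a real GP system).
# Tasks: the operations (windows, reports, posting) each task grants.
TASKS = {
    "TRX_PAYABLES_001": {"Payables Transaction Entry", "Payables Batch Entry"},
    "TRX_PAYABLES_002": {"Post Payables Batches"},
    "TRX_PAYABLES_003": {"Select Checks", "Print Checks"},
    "CARD_PAYABLES_001": {"Vendor Maintenance"},
    "INQ_PAYABLES_001": {"Payables Inquiry"},
}

# Roles built from tasks. Names without "*" are custom roles (the task-based
# approach); "AP CLERK*" stands in for a default role with overlapping tasks.
ROLES = {
    "AP ENTRY": {"TRX_PAYABLES_001", "INQ_PAYABLES_001"},
    "AP POSTING": {"TRX_PAYABLES_002", "TRX_PAYABLES_003", "INQ_PAYABLES_001"},
    "VENDOR MAINTENANCE": {"CARD_PAYABLES_001"},
    "AP CLERK*": {"TRX_PAYABLES_001", "TRX_PAYABLES_002", "INQ_PAYABLES_001"},
}

# SoD rules: task pairs one person should not hold together (constructed).
SOD_RULES = [
    ("CARD_PAYABLES_001", "TRX_PAYABLES_003"),  # create vendor + cut checks
    ("TRX_PAYABLES_001", "TRX_PAYABLES_002"),   # enter payables + post them
]

# User assignments. POWERUSER is an override, not a role, so it is tracked
# separately; an override holder reaches every operation regardless of roles.
USERS = {
    "jsmith": {"roles": {"AP ENTRY"}, "poweruser": False},
    "mjones": {"roles": {"AP ENTRY", "AP POSTING"}, "poweruser": False},
    "rlee": {"roles": {"VENDOR MAINTENANCE", "AP POSTING"}, "poweruser": False},
    "admin2": {"roles": set(), "poweruser": True},
}


def overlapping_tasks(roles):
    """Return {task: sorted roles} for every task granted by more than one role."""
    owners = defaultdict(list)
    for role, tasks in roles.items():
        for task in tasks:
            owners[task].append(role)
    return {task: sorted(r) for task, r in owners.items() if len(r) > 1}


def tasks_for_roles(roles, role_names):
    """Effective task set for a combination of roles (a user's assignment)."""
    effective = set()
    for name in role_names:
        effective |= roles[name]
    return effective


def _violations(task_set, rules):
    """SoD rules whose two tasks are both present in task_set."""
    return [(a, b) for a, b in rules if a in task_set and b in task_set]


def role_conflicts(roles, rules):
    """Roles whose own task list already violates an SoD rule (Role Conflicts)."""
    return [(role, a, b) for role in sorted(roles)
            for a, b in _violations(roles[role], rules)]


def user_conflicts(users, roles, rules):
    """Users whose combined roles violate an SoD rule (User Conflicts)."""
    return [(user, a, b) for user in sorted(users)
            for a, b in _violations(tasks_for_roles(roles, users[user]["roles"]), rules)]


def poweruser_overrides(users):
    """Users holding the POWERUSER override, which GP security reports omit."""
    return sorted(u for u, rec in users.items() if rec["poweruser"])


def users_with_operation(users, roles, tasks, operation):
    """Who can reach an operation: via role tasks, plus every override holder."""
    granted = set()
    for user, rec in users.items():
        if rec["poweruser"]:
            granted.add(user)  # override bypasses the matrix entirely
            continue
        for task in tasks_for_roles(roles, rec["roles"]):
            if operation in tasks[task]:
                granted.add(user)
                break
    return sorted(granted)


if __name__ == "__main__":
    print("Overlapping tasks:", overlapping_tasks(ROLES))
    print("Role conflicts:", role_conflicts(ROLES, SOD_RULES))
    print("User conflicts:", user_conflicts(USERS, ROLES, SOD_RULES))
    print("POWERUSER overrides:", poweruser_overrides(USERS))
    print("Can print checks:", users_with_operation(USERS, ROLES, TASKS, "Print Checks"))
```

The reverse lookup deliberately counts override holders as having every operation, because that is exactly the access a report built only from role assignments would miss; on a real system the inputs would come from the security assignment tables rather than the constants above.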
Process - Apply Design Review Apply Test Adjust
Set/Adjust Security. Create new Roles. Apply Tasks to new Roles based on the matrix. Assign Roles to users. Temporarily preserve existing roles until the new ones are verified. Can be phased.
Process - Test Design Review Apply Test Adjust
Test. Use reporting to verify that security Roles and User assignments match the matrix. If possible, test security in a test environment. Phase security changes and test with subsets of users.
Process - Adjust Design Review Apply Test Adjust
Adjust. Be prepared to provide support following a security change. Be prepared for delayed requests: some operations only happen monthly. Have resources available to approve requests or alter procedures.
Security Tool. GP Power Tools (formerly Support Debugging Tool) [Paid] – Suite of GP utilities including security tools. – Helpful for figuring out the fix when access is denied.
GP Power Tools
Real Life. Building/Rebuilding GP Security is not a fast process. Treat it as a project. If done well, maintenance and adjustments should be easy long term. It’s an investment against future pain. Plan for Limited and Self Service users.
SSRS – Security tends to be more straightforward. – Assign or remove access to report folders. – For anything AD-based, consider using AD groups. – GP provides SQL roles for access to the underlying data.
Management Reporter. Limit the users who can create reports. Use AD Users/Groups. Other limits are defined in the Permission Granted section.
GP Workflow – Use AD Users/Groups. – Limit who is a manager; this must be set at the AD level.
GP Workflow Security
GP Web Client. AD Users/Groups control who can reach the Web Client. GP Users control access within GP. Web Client only users might not be SQL users.
Web Client Security
Fastpath Security and Compliance Products. Audit Trail – Continuous monitoring solution that tracks all changes to critical data. Assure – Risk based security access review and SOD analysis platform. Identity Manager – Request, review and approve Dynamics security without IT intervention. Audit View – Audit planning tool that allows report design, assignment and scheduling. Config AD – Maintain user provisioning in Active Directory instead of the target system.
Questions?