Educational Session presented by Mark Huff, Cloud Network Administrator, Njevity. Tweet during today’s meeting: @GPUG, #GPUGDenver
Introduction: Mark Huff, Njevity, Inc., Cloud Network Administrator. Member of the Association of Dynamics Professionals; GPUG member and Upgrade SIG leader; Dynamics Credentialed Professional; an accidental administrator. Working with Dynamics GP for over 10 years, Network Admin/IT for over 15.
Dynamics GP (in)Security. Special thanks to the following: Mark Polino (FastPath), David Musgrave (Winthrop Development Consultants/Mekorma) and Mark Rockwell (Rockton Software). Mark Polino, for the presentations this session is based on; David Musgrave and Mark Rockwell, for making tools that make security easier.
Insecure World The world is an insecure place. Being responsible for GP security can be scary and many companies don’t have confidence in their GP security setup.
GP security elements: Dynamics GP Security (GP); SSRS (AD); Management Reporter (AD); GP Workflow (AD); Web Client (AD + GP); OData (AD + GP); other/integrating products (PowerBI, SmartConnect, etc.). GP security is more than just Dynamics GP Roles and Tasks. It can involve GP, SSRS, MR, GP Workflow, the GP Web Client, other integrating products, mitigating controls and other elements of the control environment.
Where to Start? Start with GP security. In Gatorland in Orlando an employee was sitting on a big alligator holding its jaws closed. He asked, “What’s the most dangerous part of an alligator?” Half the audience said the head, half said the tail. He looked at them and asked, “What part of the alligator am I holding?” GP security is like that. If you don’t have basic GP security under control, SSRS, MR and the others don’t matter much.
GP Security Review: Windows, Reports, SmartLists, Posting, etc. roll up to Tasks. Tasks are combined into Roles. Roles are assigned to Users.
Overview of Dynamics GP Security: Design, Review, Apply, Test, Adjust. This process works with GP and with the related products (SSRS, MR, etc.), and it can often be scaled down for those products.
Dynamics GP (in)Security DESIGN
Risk Based. A risk based approach: uses business process maps to understand where risks live; focuses on high risk business processes; determines the functionality required for high risk processes; defines risks, reviews, reviewers and periodicity; provides evidence that reviews are being done; may include mitigation.
Map the Process Find a route that covers the security it needs, but still gets you from start to finish without too many “crossing” issues
What’s in a Role? Default GP Roles have overlapping permissions, have inherent role conflicts, lack transparency, may contain GP 9.0 leftovers, and were not built with Segregation of Duties in mind. Update roles after upgrades. Documentation of the default roles and their tasks: https://app.box.com/GPRoles [Free]
Role Assignment
Recommendation: A Task-Based Approach. Take a task-based approach. Default Tasks are discrete, are generally well designed, include everything required, and need to be combined into new roles. Default Tasks are fairly good, but may need to be revisited for your organization.
Task Assignment
Task-Based Recommendations. A task-based design approach: matches tasks to new roles (free matrix at http://www.gofastpath.com/gp-security-matrix); adds new roles or tasks as required; saves, but deprecates, default roles; assigns roles to users; assigns Default User tasks in new roles; can be phased. Match the processes against built-in tasks to assign the new roles on the left of the matrix. A free Excel template is at http://www.gofastpath.com/gp-security-matrix
GP Security Matrix
Dealing with Power Users. Power User is not actually a role; it ignores and overrides security permissions, and it does not appear on security access reports. Manually create a SuperUser role instead: http://bit.ly/GPSuperUser [Free]. Most importantly, Power Users don’t show up on lists of users who can access particular features. If you must have Power User, create an explicit Super User role instead.
Limited/Self Service Users have predefined roles, predefined tasks and built-in limitations. Limited and Self Service users have predefined Roles and Tasks in addition to their built-in limitations. For example, a Limited User is primarily read only with some limited transaction permission (approvals, requisitions, etc.). This can be locked down further with tasks, for example to limit them to just the Purchasing module.
‘sa’ Tips. The ‘sa’ user (SQL system administrator) is really ONLY required for installation tasks (http://bit.ly/FP_SA [Free]) and is NOT required to add users (http://bit.ly/GP_SA [Free]). There are a lot of ‘sa’ myths out there around GP. Beyond GP 2010, ‘sa’ is only needed for installation; in GP 2010 it is only required for install and PSTL. ‘sa’ has not been required to set up users for a very long time.
Dynamics GP (in)Security REVIEW
Review: for segregation of duties conflicts within roles (Role Conflicts), and for segregation of duties conflicts created by assigning multiple roles to a user (User Conflicts). Roles and user setups need to be checked for Segregation of Duties conflicts within roles and across roles.
Review Tips: zero conflicts = zero productivity; risk based approach; conflict mitigation; security design should have signoff. Elimination of all conflicts isn’t reasonable and can produce inefficient processes. A risk based approach focuses on the highest risk processes for conflicts. Security design should be signed off prior to applying it in GP.
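An added example (not from the presentation) of the two review checks above, role conflicts and user conflicts, run over a small task-based design matrix of the kind the Excel template produces; it also flags Power User assignments, which the Power User slide notes cannot be constrained by tasks. All role, task, user and conflict names are constructed stand-ins, not GP’s real task IDs.

```python
# Constructed design matrix: new roles -> GP security tasks.
# Task and role names are illustrative stand-ins, not GP's real task IDs.
ROLE_TASKS = {
    "AP_VENDOR_MAINT": {"VENDOR_MAINT", "PURCH_INQUIRY"},
    "AP_TRX_ENTRY":    {"PURCH_TRX_ENTRY", "PURCH_INQUIRY"},
    "AP_POSTING":      {"PURCH_TRX_ENTRY", "PURCH_TRX_POST"},  # conflict inside one role
    "AP_INQUIRY":      {"PURCH_INQUIRY"},
}

# Constructed user assignments. "POWERUSER" stands for GP's built-in Power User
# assignment, which bypasses role/task security and is missing from access reports.
USER_ROLES = {
    "alice": {"AP_VENDOR_MAINT"},
    "bob":   {"AP_VENDOR_MAINT", "AP_TRX_ENTRY"},
    "carol": {"AP_INQUIRY", "POWERUSER"},
}

# Task pairs the risk assessment treats as segregation-of-duties conflicts (constructed).
CONFLICTS = {
    frozenset({"VENDOR_MAINT", "PURCH_TRX_ENTRY"}),    # create a vendor and enter its invoices
    frozenset({"PURCH_TRX_ENTRY", "PURCH_TRX_POST"}),  # enter and post the same transactions
}


def _hits(tasks, conflicts):
    """Return the conflicting pairs fully contained in a task set, as sorted tuples."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= tasks)


def role_conflicts(role_tasks=ROLE_TASKS, conflicts=CONFLICTS):
    """Role conflicts: both tasks of a conflicting pair live in the same role."""
    return {role: hits for role, tasks in role_tasks.items()
            if (hits := _hits(tasks, conflicts))}


def user_conflicts(user_roles=USER_ROLES, role_tasks=ROLE_TASKS, conflicts=CONFLICTS):
    """User conflicts: the union of a user's roles covers a conflicting pair.
    Power Users are reported on their own, since task analysis cannot constrain them."""
    report = {}
    for user, roles in user_roles.items():
        if "POWERUSER" in roles:
            report[user] = ["POWERUSER"]
            continue
        effective = set().union(*(role_tasks.get(r, set()) for r in roles))
        if hits := _hits(effective, conflicts):
            report[user] = hits
    return report


if __name__ == "__main__":
    print("role conflicts:", role_conflicts())
    print("user conflicts:", user_conflicts())
```

Bob has no conflict in either of his roles on their own; the conflict only appears in the union, which is exactly the user-level check the review step calls for.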
Dynamics GP (in)Security APPLY
Set/Adjust Security: create new Roles; apply Tasks to the new Roles based on the matrix; assign Roles to users; temporarily preserve existing roles; can be phased. Actually setting new security is pretty easy. Use the design to create new roles, apply tasks to them, and assign those roles to users.
Dynamics GP (in)Security TEST
Test: verify Roles and User assignments; use a test environment; phase security changes. For test COMPANIES, Copy Security is useful. For test SERVERS, copy table data. You can set security in a test environment, and security changes can be phased. Some options for moving from a test SERVER: https://blogs.msdn.microsoft.com/developingfordynamicsgp/2008/11/09/how-to-transfer-security-tasks-and-roles-between-systems/
Dynamics GP (in)Security ADJUST
Adjust: support, support, support. Expect delayed issues. Be ready to approve requests or alter procedures. Phasing security really helps here: if a single department has issues, it’s much easier to fix than if something key is missed for all users.
Security Tool: GP Power Tools (formerly Support Debugging Tool) [Paid]. A suite of GP utilities including security tools: helpful for fixing when access is denied; terrific for the adjustments phase; can help with security moves between servers; new “Deny” security. GP Power Tools is a fantastic tool for troubleshooting security errors and identifying how to fix them. https://winthropdc.wordpress.com/gp-power-tools-portal/
GP Power Tools
Rockton ToolBox: Security Manager; Task Builder; Auditor (as a setup tool).
Security Manager
FastPath: FastPath Assure Compliance Audit (Paid) http://www.gofastpath.com/products/assure
Real Life. This is not a fast process; it’s a project. Failures in internal controls are incredibly expensive. Don’t ignore mitigation options. Don’t forget about Field Level Security. Not all risks have to be addressed via security: some can be addressed with controls outside of GP, with reviews, or with other mitigating controls.
Dynamics GP (in)Security Additional Security
Physical Security. Don’t forget physical security: easily accessible servers, unlocked desktops, checks left unattended.
SSRS. SSRS security assigns or removes access to reports or report folders, can use AD Groups, and includes GP-provided SQL roles for access to data. SSRS security is AD based and not as deep as GP. Generally, users need Browse access to reports or folders to run reports.
Management Reporter. MR security focuses on limiting the users who can create reports, uses AD Users/Groups, and offers additional control in Permission Granted. The key with MR is limiting changes to reports. For financial statements, reliability and repeatability are crucial.
GP Workflow. GP Workflow security uses AD Users/Groups and should focus on workflow managers. The user’s email must be set at the AD level. GP Workflow has additional security around workflow setup and approval. “Managers” are users with the rights to create and change workflows. The key control is limiting Managers.
GP Web Client. GP Web Client security uses AD Users/Groups to access the Web Client, uses GP Users to control access, and may include Web Client users who are not SQL users. The Web Client is AD based for the connection to the website and GP based for login. GP’s identity manager only provides single sign on for the Web Client and it can be tricky to set up.
OData: data sources; publish; roles; tasks; custom roles/tasks. Users with the SQL Database Owner role (db_owner) will inherit security access to all published OData objects, even if they aren’t given explicit security. OData access in GP is layered security: items must be made available (published) before security can be assigned to them.
Jet Express: roles; reports; SQL permissions; AD user based.
Other/Integrating Systems: shouldn’t allow processes not allowed in GP; should have designed security; should be reviewed; may include spreadsheets.
Dynamics GP (in)Security DEMO QUESTIONS DISCUSSION
Contact Info Mark Huff, Njevity, Inc. Twitter: @gp_hatguy mhuff@Njevity.com Cell: (720) 480-3429