1
Dynamics GP Security - A to Z
Liz Piteo
2
GP Security Overview
GP security elements:
- Dynamics GP Security (GP)
- SSRS (AD)
- Management Reporter (AD)
- GP Workflow (AD)
- Web Client (AD + GP)
- Other/integrating products (?): PowerBI, SmartConnect, etc.
(GP) – Dynamics GP Users, (AD) – Active Directory Users
GP Security is more than just Dynamics GP Roles and Tasks. It can involve GP, SSRS, MR, GP Workflow, the GP Web Client, other integrating products, mitigating controls and other elements of the control environment.
3
GP Security Review
GP Security Review:
- Role based.
- Windows, Reports, SmartLists, Posting, etc. roll up to tasks.
- Tasks are combined into Roles.
- Roles are assigned to users.
4
What’s in a Role?
Default GP Roles:
- Have overlapping permissions.
- Have inherent role conflicts.
- Lack transparency.
- May contain GP 9.0 leftovers.
Documentation: Default Roles and their tasks. [Free]
Default GP roles weren’t built with SoD in mind. They have lots of overlapping permissions.
5
Role Assignment 4/18/2018 7:15 AM Role Assignment screen © 2016 Dynamic Communities. All rights reserved. DYNAMIC COMMUNITIES MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
6
Tasks
Tasks are the key. Default Tasks:
- Are discrete.
- Are generally well designed.
- Include everything required.
- Need to be combined into new roles.
The default tasks in GP tend to be very good. Generally, most firms can rely on the tasks; they just need to be combined into new roles.
7
Task Assignment
Task Assignment window
8
Dealing with Power Users
Power User:
- Is not actually a role.
- Ignores and overrides security permission.
- Does not appear on security access reports.
- Manually create a SuperUser role instead. [Free]
Most important, Power Users don’t show up on lists of users who can access particular features. If you must have Power User, create an explicit Super User role instead. Info at:
9
‘sa’ Tips
The ‘sa’ user (SQL system administrator):
- Is really ONLY required for installation tasks. [Free]
- Is NOT required to add users. [Free]
There are a lot of ‘sa’ myths out there around GP. Beyond GP 2010, sa is only needed for installation. In GP 2010 it is only required for install and PSTL. sa has not been required to set up users for a very long time. More info at:
10
Limited/Self Service Users
Limited/Self Service Users have:
- Predefined roles.
- Predefined tasks.
- Built in limitations.
Limited and Self Service users have predefined Roles and Tasks that restrict them further, on top of their built in limitations. For example, a Limited User is primarily read only with some limited transaction permission (approvals, requisitions, etc.). This can be locked down further with tasks, for example to limit them to just the Purchasing module.
11
Other Security Items
SQL Server Password Management/Reset Config AD & Identity Management Orphaned Users System Password Backup/Restore
12
Security Design
"Design is not just what it looks like, design is how it works." - Steve Jobs
Designed security is:
- more comprehensive.
- less vulnerable.
- easier to audit.
- less costly.
- risk based.
13
Risk Based
A Risk Based approach includes:
- Business process maps.
- High risk business processes.
- Risks, reviews, reviewers and periodicity.
- Evidence that reviews are being done.
- Mitigation.
A Risk based approach:
- Uses business process maps to understand where risks live.
- Focuses on high risk business processes.
- Determines functionality required for high risk processes.
- Defines risks, reviews, reviewers and periodicity.
- Provides evidence of reviews.
- May include mitigation.
14
Map the process
- Swim lane.
- A Role on the left stays in its lane all the way across.
- This can become your process narrative.
Process Map - Fastpath
15
Task-Based Recommendations
A task-based design approach:
- Matches tasks to new roles. [Free]
- Adds new roles or tasks as required.
- Saves, but deprecates default roles.
- Assigns roles to users.
- Assigns Default User tasks in new roles.
- Can be phased.
Take a task-based approach. Match the processes against built in tasks to assign new roles on the left. Free Excel Template is at
16
GP Security Matrix
Security Matrix example
17
Review
Review:
- For segregation of duties conflicts in roles. (Role Conflicts)
- For segregation of duties conflicts assigning multiple roles to a user. (User Conflicts)
Roles and user setups need to be checked for Segregation of Duties conflicts within roles and across roles. Assure from Fastpath contains a comprehensive list of auditor built conflicts for GP. It is designed to report on security and identify both user and role conflicts. Users can electronically sign reports to indicate review and document mitigations.
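As an added example (not part of the original presentation and not Fastpath's method), the two checks on this slide can be sketched in Python over constructed data. The role, task and user names and the conflict rules are hypothetical, and POWERUSER is assumed to be the role ID behind Power User access; Power Users are listed separately because they override permissions and would not surface in a task-based expansion.

```python
# Constructed sample data: hypothetical role/task IDs, not real GP task IDs.
ROLE_TASKS = {
    "AP_ENTRY":   {"VENDOR_MAINT", "PAYABLES_TRX_ENTRY"},
    "AP_PAYMENT": {"PAYABLES_CHECK_PRINT", "PAYABLES_POST"},
    "AP_ALL":     {"VENDOR_MAINT", "PAYABLES_TRX_ENTRY", "PAYABLES_CHECK_PRINT"},
    "GL_INQUIRY": {"GL_INQUIRY"},
}
USER_ROLES = {
    "amy":  {"AP_ENTRY", "GL_INQUIRY"},
    "bob":  {"AP_ENTRY", "AP_PAYMENT"},
    "carl": {"AP_ALL"},
    "dana": {"POWERUSER"},
}
# Each rule names two tasks one person should not hold together (constructed).
SOD_RULES = [
    ("VENDOR_MAINT", "PAYABLES_CHECK_PRINT"),
    ("PAYABLES_TRX_ENTRY", "PAYABLES_POST"),
]
POWER_USER = "POWERUSER"  # assumed role ID for Power User access


def violated(tasks):
    """Return the SoD rules whose two tasks are both present in `tasks`."""
    return [r for r in SOD_RULES if r[0] in tasks and r[1] in tasks]


def role_conflicts(role_tasks):
    """Role Conflicts: rules broken inside a single role."""
    return {role: v for role, t in sorted(role_tasks.items()) if (v := violated(t))}


def user_conflicts(user_roles, role_tasks):
    """User Conflicts: rules broken only by combining roles on one user."""
    in_role = role_conflicts(role_tasks)
    out = {}
    for user, roles in sorted(user_roles.items()):
        tasks = set().union(*(role_tasks.get(r, set()) for r in roles))
        inherited = {rule for r in roles for rule in in_role.get(r, [])}
        cross = [rule for rule in violated(tasks) if rule not in inherited]
        if cross:
            out[user] = cross
    return out


def power_users(user_roles):
    """Users whose access bypasses role/task security and must be listed by hand."""
    return sorted(u for u, roles in user_roles.items() if POWER_USER in roles)
```

Conflicts reported per role are fixed in the role design; conflicts reported per user are fixed by changing assignments or documenting a mitigation.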
18
Review Tips
- Zero conflicts = Zero productivity.
- Risk based approach.
- Conflict mitigation.
- Security design should have signoff.
Elimination of all conflicts isn’t reasonable and can produce inefficient processes. A risk based approach focuses on highest risk processes for conflicts. Security design should be signed off prior to applying in GP.
19
Set/Adjust Security
- Create new Roles.
- Apply Tasks to new Roles based on matrix.
- Assign Roles to users.
- Temporarily preserve existing roles.
- Can be phased.
Actually setting new security is pretty easy. Use the design to create new roles, apply tasks to them, and assign those roles to users.
20
Test
- Verify Roles and User assignments.
- Test Environment.
- Phase security changes.
- For test COMPANIES, copy security is useful.
- For test SERVERS, copy table data.
You can set security in a test environment. Security changes can be phased. Some options for moving from test SERVER:
21
Adjust
- Support, support, support.
- Expect delayed issues.
- Be ready to approve requests or alter procedures.
Phasing security really helps here. If a single department has issues, it’s much easier to fix than if something key is missed for all users.
22
Security Tool
GP Power Tools (Formerly Support Debugging Tool) [Paid]
- Suite of GP utilities including security tools.
- Helpful for fixing when access is denied.
- Terrific for adjustments phase.
- Can help with security moves between servers.
- New “Deny” security.
GP Power Tools is a fantastic tool for troubleshooting security errors and identifying how to fix them.
23
GP Power Tools
24
Real Life
- This is not a fast process. It’s a project.
- Failures in internal controls are incredibly expensive.
- Don’t ignore mitigation options.
- Don’t forget about Field Level Security.
- Audit Trail
Not all risks have to be addressed via security. Some can be addressed with controls outside of GP, with reviews or with other mitigating controls.
25
SSRS
SSRS security:
- Assigns or removes access to reports or report folders.
- Can use AD Groups.
- Includes GP provided SQL roles for access to data.
SSRS security is AD based and not as deep as GP. Generally, users need Browse access to reports or folders to run reports.
26
Management Reporter
MR security:
- Focuses on limiting users who can create reports.
- Uses AD Users/Groups.
- Offers additional control in Permission Granted.
Key with MR is limiting changes to reports. For financial statements, reliability and repeatability are crucial.
27
GP Workflow
GP Workflow security:
- Uses AD Users/Groups.
- Should focus on workflow managers.
- Users must be set at AD level.
GP Workflow has additional security around workflow setup and approval. “Managers” are users with the rights to create and change workflows. The key control is limiting Managers.
28
GP Workflow Security
Workflow security screens
29
GP Web Client
GP Web Client security:
- Uses AD Users/Groups to access Web Client.
- Uses GP Users to control access.
- May include Web Client users who are not SQL users.
Web client is also AD based for connection to the website and GP based for login. GP’s identity manager only provides single sign on for the web client and it can be tricky to set up.
30
Web Client Security
GP Security
31
Other/Integrating Systems
Other/Integrating Systems:
- Shouldn't allow processes not allowed in GP.
- Should have designed security.
- Should be reviewed.
- May include spreadsheets.
Be careful with integrating systems. If a user can’t create a journal entry in GP, they shouldn’t be allowed to work around that by importing an entry via a 3rd party product.
32
Fastpath Security and Compliance Products
- Assure: Risk based security access review and SOD analysis platform.
- Audit Trail: Continuous monitoring solution that tracks all changes to critical data.
- Identity Manager: Request, review and approve Dynamics security without IT intervention.
- Config AD: Maintain user provisioning in Active Directory instead of the target system.
Assure – After you’ve built your roles, check for conflicts.
Audit Trail – Monitor changes and access.
Identity Manager – Request, review and approve Dynamics security.
Config AD – GP Single Sign On. Maintain users in Active Directory instead of GP.
Tools work together. If you request access for a user via Identity Manager or set up a new user with Config AD, Assure will check for conflicts prior to completion.
33
Questions?