
Security Management: Successes and Failures


1 Security Management: Successes and Failures

2 Agenda
About Security
- What is application security and why is it important?
- Understanding the security role structure in Dynamics
Best Practices
- What are the typical audit reports?
- What do auditors look for?
- What should you be aware of?
- Managing security the right way
- Licensing
Demonstration of D365 Security

3 About Security: What is Application Security

4 Application security
Application security is the use of software, hardware, and procedural methods to protect applications from internal or external threats.

5 How does it affect me?
When the security of your software is not configured, anyone can do anything. The result is lost or exposed sensitive customer data and financial risk.


7 How can I protect myself?
Application security can be enhanced by:
- Understanding security within the application
- Having correct requirements
- Correctly applying the security requirements
- Identifying the internal controls that the requirements call for (these help you stay SOX compliant)
- Testing security
- Continuous monitoring

8 How can I identify correct requirements?
- Model the system to conform with existing business processes, or adapt the business to the system.
- Is the business willing to change? The AX out-of-box setup is good. Example: one person enters payments, and the manager does the setup. Many businesses have people who perform all of those functions themselves.
- Where possible, let users specialize in a single function instead of giving them access to several.


10 AX Security is an integral part of any implementation.
It's not just a last-minute rush exercise during deployment!

11 About Security: Understanding Security Role Structure in Dynamics

12 Role Based Security Structure
- Role: highest level of assignment
- Duty: used by the Segregation of Duties checker in the compliance module
- Privilege: lowest level normally used in security design
- Permission: table and control level

13 What are Roles?
A role is a function that a person performs, related to their job title:
- AR Payment Clerk: a user who documents accounts receivable payment events and responds to payment inquiries.
- AR Manager: a user who reviews customer invoice process performance and enables the customer invoice process.
A person can have multiple roles assigned to them!

14 What are Duties?
- Duties are parts of a business process.
- A duty can be assigned to more than one role.
- You can assign related duties to separate roles. These duties are said to be segregated.
- By segregating duties, you can better comply with regulatory requirements, such as those from Sarbanes-Oxley (SOX).
- Segregation of duties helps reduce the risk of fraud and helps you detect errors or irregularities.
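The check a Segregation of Duties checker performs, shown as an added example (not code from the presentation or from Dynamics). A user's effective duties are the union over every role they hold, so a conflict can arise from one role or from the combination of several; the roles, duties, user assignments and conflict rules below are constructed for the example, loosely following the presentation's AR roles and its "person who does payments also does setup" case.

```python
"""Segregation-of-duties (SoD) check over a role -> duty model (added example)."""
from itertools import combinations

# Constructed role -> duty model (names follow the presentation's AR examples).
ROLE_DUTIES = {
    "AR Payment Clerk": {"Record customer payments", "Respond to payment inquiries"},
    "AR Manager": {"Review customer invoice process", "Enable customer invoice process"},
    "Accounts Receivable Setup": {"Maintain AR parameters"},  # constructed role
}

# Constructed SoD rules: unordered pairs of duties one person should never hold together.
SOD_RULES = [
    frozenset({"Record customer payments", "Maintain AR parameters"}),
    frozenset({"Record customer payments", "Enable customer invoice process"}),
]

# Constructed user -> roles assignments.
USER_ROLES = {
    "alice": {"AR Payment Clerk"},
    "bob": {"AR Payment Clerk", "Accounts Receivable Setup"},
    "carol": {"AR Manager"},
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of duties over every role assigned to a user."""
    return set().union(*(role_duties[r] for r in roles))


def sod_conflicts(user_roles=USER_ROLES, rules=SOD_RULES, role_duties=ROLE_DUTIES):
    """Return {user: [(duty_a, duty_b, roles granting a, roles granting b), ...]}.

    A conflict is reported when one user holds both duties of a rule, whether
    through a single role or through the combination of several roles.
    """
    report = {}
    for user, roles in user_roles.items():
        held = effective_duties(roles, role_duties)
        for rule in rules:
            if rule <= held:
                a, b = sorted(rule)
                via_a = {r for r in roles if a in role_duties[r]}
                via_b = {r for r in roles if b in role_duties[r]}
                report.setdefault(user, []).append((a, b, via_a, via_b))
    return report


def conflicting_role_pairs(rules=SOD_RULES, role_duties=ROLE_DUTIES):
    """Design-time check: role pairs that must never be assigned to the same user.

    A role that violates a rule on its own is a design defect in that role and
    is reported by single_role_violations instead, so such roles are skipped here.
    """
    pairs = set()
    for r1, r2 in combinations(sorted(role_duties), 2):
        for rule in rules:
            if rule <= role_duties[r1] or rule <= role_duties[r2]:
                continue
            if rule <= role_duties[r1] | role_duties[r2]:
                pairs.add((r1, r2))
    return pairs


def single_role_violations(rules=SOD_RULES, role_duties=ROLE_DUTIES):
    """Roles that contain both duties of a rule by themselves."""
    return {r for r, duties in role_duties.items() if any(rule <= duties for rule in rules)}


if __name__ == "__main__":
    for user, items in sod_conflicts().items():
        for a, b, via_a, via_b in items:
            print(f"{user}: '{a}' (via {sorted(via_a)}) conflicts with '{b}' (via {sorted(via_b)})")
    print("role pairs to avoid:", sorted(conflicting_role_pairs()))
    print("roles that violate a rule alone:", sorted(single_role_violations()))
```

Run it and only bob is flagged: each of his roles is clean on its own, and the conflict appears only because the two were assigned together, which is exactly the case a role-by-role review misses.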

15 What are Privileges? A privilege specifies the level of access that is required to perform a job, solve a problem, or complete an assignment. A privilege contains permissions to individual application objects, such as user interface elements and tables. For example, the Cancel payments privilege contains permissions to the menu items, fields, and tables that are required to cancel payments.

16 What are Permissions? Permissions are required to run a function, including any tables, fields, and forms it uses. Each function in Microsoft Dynamics AX, such as a form or a service, is accessed through an entry point. Menu items, web content items, and service operations are referred to as entry points.

17 Role Structure Explained
Role: AR Manager
- Duty: Edit Customer (Maintain customer records) → Privilege: Maintain customer master (custCustomersMaintain) → Permissions: CustTable Delete, CustTableforEdit Delete
- Duty: Inquire into bank accounts master (BankBankAccountsInquire) → Privilege: View bank account balance (BankAccountBalanceView) → Permission: BankAccountBalance Read
- Duty: Enable credit cards

18 Best Practice: What are the typical audit reports?

19 Audit Reports – Users and Roles

20 Audit Reports – Changes to User Role Assignments

21 Audit Reports – Changes to security

22 Best Practice: What do auditors look for?

23 Auditors look for: any change made in the system that is not documented and approved.

24 Auditors look for:

25 Audit Reports – Changes to User Role Assignments
Are there users that do not correspond to a current employee?

26 Best Practice: What should you be aware of?

27 Security is stored in the source code of Dynamics
Changes made through the UI are not applied to the source code! UI changes only create data; unlike AX 2012, they are not stored in the back end (the AOT). Keep this in mind when deploying: a code build does not carry UI-made security changes with it, so they have to be migrated as data.

28 Best Practice: Managing security the right way

29 Access types and levels
Access types: Grant, Unset, Deny
Access levels: Read, Update, Create, Delete

30 Effective access example
Source code (the permission as defined):
- Read = Grant
- Update = Grant
- Create = Deny
- Delete = Unset
What's the effective access? The user can read and update but cannot create. Delete is Unset, so this permission neither grants nor denies it; any delete access would have to come from another grant. If you Deny access, that overrides any Grant.

31 Best Practice – Do not affect other roles
Starting point:
- AR Manager → Duty: Edit Customer (Maintain customer records) → Privilege: Maintain customer master (custCustomersMaintain) → Permission: CustTable Delete
To give another role read-only access without changing the shared duty and privilege:
1. Duplicate the duty; in the copy, remove the original privilege and replace it with a new privilege.
2. Duplicate the privilege and replace its permission (Maintain customer master revoked on the copy of custCustomersMaintain).
Result:
- AR Manager → Edit Customer (Maintain customer records) → Maintain customer master (custCustomersMaintain) → CustTable Delete
- AR Sr Manager → View Customer (View customer records) → copied privilege with Maintain revoked → CustTable Read

32 Best Practice – Be careful of shared access
Two roles share the same duty, privilege and permission, so a change to any one of those objects affects both roles:
- AR Manager → Duty: Views Payment Journal → Privilege: Inquire into Payment Journal → Permission: CustPaymJournal Read
- AR Sr Clerk → Duty: Views Payment Journal → Privilege: Inquire into Payment Journal → Permission: CustPaymJournal Read
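The two best practices above (duplicate before you modify, and know who shares an object) as an added example, not code from the presentation or from Dynamics. It models roles → duties → privileges → permissions, answers "which roles would a change to this privilege touch?", and applies the duplicate-before-modify procedure so that only the target role sees the reduced permission. The model, including the role names and the `(role copy)` naming for duplicates, is constructed for the example.

```python
"""Shared-object impact analysis and duplicate-before-modify (added example)."""
from copy import deepcopy

# Constructed model: role -> duties, duty -> privileges, privilege -> {table: access level}.
MODEL = {
    "roles": {
        "AR Manager": {"Edit Customer", "Views Payment Journal"},
        "AR Sr Clerk": {"Views Payment Journal"},
        "AR Sr Manager": {"Edit Customer"},
    },
    "duties": {
        "Edit Customer": {"custCustomersMaintain"},
        "Views Payment Journal": {"Inquire into Payment Journal"},
    },
    "privileges": {
        "custCustomersMaintain": {"CustTable": "Delete"},
        "Inquire into Payment Journal": {"CustPaymJournal": "Read"},
    },
}

# Access levels are cumulative: Delete includes Create, Update and Read.
LEVEL_RANK = {"Read": 1, "Update": 2, "Create": 3, "Delete": 4}


def roles_using_duty(model, duty):
    """Every role that contains `duty`."""
    return {r for r, duties in model["roles"].items() if duty in duties}


def roles_using_privilege(model, priv):
    """Every role that reaches `priv` through any of its duties: the blast radius of editing it."""
    duties = {d for d, privs in model["duties"].items() if priv in privs}
    return set().union(*(roles_using_duty(model, d) for d in duties)) if duties else set()


def effective_permissions(model, role):
    """Flatten role -> duties -> privileges into {table: highest access level}."""
    perms = {}
    for duty in model["roles"][role]:
        for priv in model["duties"][duty]:
            for table, level in model["privileges"][priv].items():
                if LEVEL_RANK[level] > LEVEL_RANK.get(perms.get(table), 0):
                    perms[table] = level
    return perms


def restrict_role_copy(model, role, duty, priv, new_level):
    """Lower `priv` to `new_level` for `role` only, returning a new model.

    If no other role shares the privilege it is edited in place. Otherwise the
    duty and privilege are duplicated for `role`, the copy of the privilege gets
    the reduced level, and the original objects (and every other role) are left
    untouched, which is the procedure slide 31 describes.
    """
    m = deepcopy(model)
    if not roles_using_privilege(m, priv) - {role}:
        for table in m["privileges"][priv]:
            m["privileges"][priv][table] = new_level
        return m
    new_priv = f"{priv} ({role} copy)"
    new_duty = f"{duty} ({role} copy)"
    m["privileges"][new_priv] = {table: new_level for table in m["privileges"][priv]}
    m["duties"][new_duty] = (m["duties"][duty] - {priv}) | {new_priv}
    m["roles"][role] = (m["roles"][role] - {duty}) | {new_duty}
    return m


if __name__ == "__main__":
    print("roles touched by editing 'Inquire into Payment Journal':",
          sorted(roles_using_privilege(MODEL, "Inquire into Payment Journal")))
    restricted = restrict_role_copy(MODEL, "AR Sr Manager", "Edit Customer", "custCustomersMaintain", "Read")
    for r in ("AR Manager", "AR Sr Manager"):
        print(r, effective_permissions(restricted, r))
```

Run `roles_using_privilege` before every privilege edit; if it returns more than the role you are working on, go through `restrict_role_copy` (or the equivalent duplicate-then-edit steps in the UI) rather than editing the shared object.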

33 Best Practice: Licensing

34 License types: Team Member, Activity, Operations

35 Team Members
Team Members is a named user subscription designed for users who are not tied to a particular function but who require basic Dynamics 365 functionality. The license includes read access as well as some write access for select light tasks across all Dynamics 365. No transactions or access to setups.

36 Activity
Activity is intended for users who may be heavy users of the application but do not require the use rights of a full user. Dynamics 365 for Operations Activity use rights include all Team Member user rights as well as the right to: (i) approve all Activity-related transactions; (ii) create or edit the items related to warehousing, receiving, shipping, orders, vendor maintenance, and all budgets.

37 Operations
Operations is intended for users whose work requires the feature-rich business application functionality. Examples of full users are sales people, customer service representatives, finance employees, controllers, supply chain managers, etc. These types of functions trigger the Operations license.

38 Best Practices – Know your licenses
Licensing is based on what users can access, not on what they actually do. It is determined by the access each user has to entry points (menu items etc.) in the system. Each entry point has two separate user license properties, ViewUserLicense and MaintainUserLicense. This is why you typically see separate view and maintain rights in the application.

39 Licensing and impact
Use view permissions to monitor your licenses: where users only need to look at data, grant view rather than maintain rights, since an entry point's ViewUserLicense can be a lower tier than its MaintainUserLicense.
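The two rules the slides state in words, as one added example that is not code from the presentation or from Dynamics: slide 30's effective-access rule (Deny overrides any Grant, Unset grants nothing) and slide 38's license rule (a user's license follows from the entry points they can reach, via ViewUserLicense for read-only access and MaintainUserLicense for any write). The entry points, their license properties, the privileges and the role assignments are constructed; the real product's license reporting is richer than this, but the mechanism is the same.

```python
"""Effective access (Grant / Deny / Unset) and license tier derivation (added example)."""

ACCESS_LEVELS = ("Read", "Update", "Create", "Delete")
LICENSE_RANK = {"None": 0, "Team Members": 1, "Activity": 2, "Operations": 3}

# Constructed entry points with their two license properties.
ENTRY_POINTS = {
    "CustTable": {"ViewUserLicense": "Team Members", "MaintainUserLicense": "Operations"},
    "CustPaymJournal": {"ViewUserLicense": "Activity", "MaintainUserLicense": "Operations"},
    "VendTable": {"ViewUserLicense": "Team Members", "MaintainUserLicense": "Activity"},
}

# Constructed privileges: entry point -> {level: Grant | Deny | Unset}; a missing level is Unset.
PRIVILEGES = {
    "custCustomersMaintain": {"CustTable": {"Read": "Grant", "Update": "Grant", "Create": "Deny", "Delete": "Unset"}},
    "custCustomersCreate": {"CustTable": {"Create": "Grant"}},
    "custCustomersView": {"CustTable": {"Read": "Grant"}},
    "custPaymJournalInquire": {"CustPaymJournal": {"Read": "Grant"}},
    "vendTableMaintain": {"VendTable": {"Read": "Grant", "Update": "Grant", "Create": "Grant"}},
}

# Constructed roles -> privileges.
ROLES = {
    "AR Manager": {"custCustomersMaintain", "custPaymJournalInquire"},
    "AR Clerk": {"custCustomersView", "custPaymJournalInquire"},
    "AR Setup": {"custCustomersCreate"},
    "Vendor Admin": {"vendTableMaintain"},
}


def effective_access(privileges, privilege_names):
    """Merge the given privileges. Per entry point and access level:
    any Deny wins, otherwise any Grant wins, otherwise the level stays Unset."""
    result = {}
    for priv in privilege_names:
        for ep, levels in privileges[priv].items():
            slot = result.setdefault(ep, {lvl: "Unset" for lvl in ACCESS_LEVELS})
            for lvl, setting in levels.items():
                if setting == "Deny" or (setting == "Grant" and slot[lvl] != "Deny"):
                    slot[lvl] = setting
    return result


def allowed(access, ep):
    """Access levels the user actually has on an entry point (Grant only)."""
    return {lvl for lvl, setting in access.get(ep, {}).items() if setting == "Grant"}


def required_license(access, entry_points):
    """Highest license over all reachable entry points: read-only access is charged
    at the entry point's ViewUserLicense, any write at its MaintainUserLicense."""
    best = "None"
    for ep in access:
        granted = allowed(access, ep)
        if not granted:
            continue
        prop = "ViewUserLicense" if granted == {"Read"} else "MaintainUserLicense"
        lic = entry_points[ep][prop]
        if LICENSE_RANK[lic] > LICENSE_RANK[best]:
            best = lic
    return best


def user_license(user_roles, roles=ROLES, privileges=PRIVILEGES, entry_points=ENTRY_POINTS):
    """License a user needs given the roles assigned to them."""
    privs = set().union(*(roles[r] for r in user_roles))
    return required_license(effective_access(privileges, privs), entry_points)


if __name__ == "__main__":
    for assignment in ({"AR Manager"}, {"AR Clerk"}, {"Vendor Admin"}, {"AR Manager", "AR Setup"}):
        print(sorted(assignment), "->", user_license(assignment))
    merged = effective_access(PRIVILEGES, {"custCustomersMaintain", "custCustomersCreate"})
    print("CustTable after merging Maintain (Create=Deny) with Create=Grant:", merged["CustTable"])
```

Two things worth noticing when you run it: adding `custCustomersCreate` to a user who already holds `custCustomersMaintain` does not give them Create, because the Deny in the first privilege wins regardless of the order the privileges are merged in; and the AR Clerk, who can only read, is charged at the View tier of each entry point, which is what slide 39 means by using view permissions to keep licenses down.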

40 Demonstration

