Keeping Dynamics 365 for Finance and Operations (D365FO) secure can be a full-time job. It doesn’t stop when the system goes live; instead, it is an ongoing exercise for administrators to keep the users, the application, and the company data as safe from risk as possible.
Fastpath has put together a collection of tips and tricks to help you get a leg up on your D365FO security. These won’t fix all your issues, but they will go a long way to helping you provision users with the proper privileges, as well as reduce your exposure to Segregation of Duties (SoD) risk.
It might seem like the easiest thing to do is to assign someone System Administrator privileges when they ask for additional access rights. After all, SysAdmin will always let them complete any task at hand. Unfortunately, this can create security risks and increase the chances of SoD conflicts.
Try to limit the number of users with System Administrator privileges (Microsoft recommends fewer than five). Also, since SysAdmin automatically requires an enterprise-level license when a team member license might do just as well, eliminating unnecessary SysAdmins can save you money.
Generally, the first report an auditor will ask for is “Who has System Administrator access, and what have they done with that access?”
To see who has been assigned System Administrator, use the User Role Assignment report:
System Administration > Inquiries > Security > User Role Assignments
Blindly copying one user’s role permissions to other users can quickly lead to overprovisioning. Instead, your company should establish a process that will identify the specific permissions that will be granted to each user.
Many companies allow requests for user role assignments to be made via email. This method of user provisioning is difficult to audit and maintain.
Instead, your company should establish a process that will clearly define:
Employees change roles within a company – they go on vacation, get sick, or quit. Your company might also change business processes or new regulations might impact your industry.
To ensure people are granted the appropriate access privileges, you should regularly review the role each user has as well as the access privileges that have been assigned to each of those roles.
These reviews should include the Business Process Owners (BPOs), since they have the best understanding of how the access privileges should be applied for each role.
Most SoD conflicts are caused when a single user can modify both the master and the transactional records of the same process, such as being able to both create vendors and pay them. Enforcing a process that stops users from performing both sides of a transaction is critical. Ensuring that multiple users are involved in a transaction (for example, requiring manager approval) will help mitigate this problem.
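The vendor-maintenance versus vendor-payment conflict above, and the SysAdmin count from the earlier tip, checked over an exported role-assignment list. This is an added example, not Fastpath's or Microsoft's code; the role names, the role-to-duty mapping and the sample export are constructed, not real D365FO object names.

```python
"""SoD conflict check over a constructed D365FO user-role-assignment export.
Added example (not Fastpath's or Microsoft's code). Role and duty names are
constructed for illustration; map them to your own roles and duties."""
import csv
import io
from collections import defaultdict

# Constructed sample modelled on the User Role Assignments report (user, role).
ASSIGNMENTS_CSV = """user,role
alice,Vendor master maintainer
alice,Accounts payable payments clerk
bob,System administrator
carol,Vendor master maintainer
dave,System administrator
"""

# Assumption: each role grants these duties (constructed mapping).
# System administrator can do everything, so it carries both sides.
ROLE_DUTIES = {
    "Vendor master maintainer": {"Maintain vendor master"},
    "Accounts payable payments clerk": {"Generate vendor payments"},
    "System administrator": {"Maintain vendor master", "Generate vendor payments"},
}

# SoD rules: duty pairs a single user must not hold together
# (master record maintenance vs. transaction on the same process).
SOD_RULES = [("Maintain vendor master", "Generate vendor payments")]

MAX_SYSADMINS = 5  # threshold the page cites as Microsoft's recommendation


def load_assignments(text):
    """Return {user: set(roles)} from a CSV export with user,role columns."""
    users = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        users[row["user"]].add(row["role"])
    return users


def user_duties(roles):
    """Union of the duties granted by a user's roles; unknown roles grant none."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def find_sod_conflicts(users):
    """List (user, duty_a, duty_b) for every user holding both sides of a rule."""
    conflicts = []
    for user, roles in sorted(users.items()):
        duties = user_duties(roles)
        for a, b in SOD_RULES:
            if a in duties and b in duties:
                conflicts.append((user, a, b))
    return conflicts


def sysadmin_report(users, limit=MAX_SYSADMINS):
    """Return (sorted SysAdmin users, True if the count exceeds the limit)."""
    admins = sorted(u for u, r in users.items() if "System administrator" in r)
    return admins, len(admins) > limit
```

Note that bob and dave are flagged purely because SysAdmin grants both duties, which is the over-provisioning point the earlier tip makes.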
Security in D365FO can be stored either in code or in the database, depending on whether it was configured in the Application Object Tree (AOT) or through the user interface.
When you configure security in the AOT, you are configuring it in code; you can see the code or development artifact that is created in the Application Explorer.
If you use the User Interface to change the security setting, this setting is stored in the database.
Knowing where your security configurations are stored will help you when it is time to migrate your security settings to other environments.
These tips come from the Fastpath webinar, 30 Tips and Tricks for D365FO Security. This webinar covers securing Microsoft Dynamics 365 Finance and Operations in five areas:
You can view all 30 tips and tricks by downloading the eBook, 30 Security Tips n' Tricks for Microsoft Dynamics 365 Finance and Operations. The end of the eBook includes resource links which are referred to in the on-demand webinar.