Alex Meyer

Fastpath

Develop and Implement Least Privilege Security for Dynamics 365

for Finance and Operations

1 | P a g e

Develop and Implement Least Privilege Security for Dynamics

365 for Finance and Operations

Contents Introduction .................................................................................................................................................. 2

Dynamics 365 for Finance and Operations Security ..................................................................................... 3

Developing Least Privilege Security .............................................................................................................. 4

Standard Security Reporting ..................................................................................................................... 5

Task Recorder ............................................................................................................................................ 7

Right click -> Form information ................................................................................................................ 9

Options -> Security Diagnostics .............................................................................................................. 10

Role Test Workspace ............................................................................................................................... 11

Implementing Least Privilege Security ........................................................................................................ 12

Automate Your Security .............................................................................................................................. 13

Meet the Author: ........................................................................................................................................ 13

Alex Meyer: ............................................................................................................................................. 13

References .................................................................................................................................................. 13

2 | P a g e

Introduction We are all concerned with security – in every aspect of our lives. We are especially concerned with

security and control when it comes to our business processes. In this E-book, we will walk through the

necessary steps to take a least privilege methodology to secure your Microsoft Dynamics 365 for

Finance and Operations Enterprise Edition (D365FO) environment. The least privilege methodology is

the process of reducing a user’s access, so they are only allowed to perform the tasks they need to

within the application. This is important for several reasons:

Environment Risk – if a user has more access than needed, they may intentionally or inadvertently

perform actions that could put your company at risk

User Licensing – since licensing is tied to user access, ensuring least privilege access is followed

could save your company money on licensing costs

Segregation of Duties – following the same idea as environment risk, if a user has more access than

needed, they may have unnecessary segregation of duties violations that go unaddressed.

If you have questions after reading this E-book, please feel free to contact us directly at

info@gofastpath.com.

3 | P a g e

Dynamics 365 for Finance and Operations Security

Security within D365FO is a hierarchy structure of different security layers. Each layer is a container

made up of any number of entities from the layer(s) below it.

At the bottom of the hierarchy are privileges. This layer is the most granular as you determine what

securable objects (tables, menu items, data entities, or service operations) the privilege will have access

to. Normally, privileges are very specific in their function. For example, ‘Add BOM line’ and ‘Edit

customer’ are both privileges.

The next layer up of the hierarchy are duties. This layer is comprised of any number of privileges and

normally represents a business task a user performs, such as ‘Approve customer invoices’ or ‘Maintain

budget plans’.

At the top of the hierarchy are roles. This layer can include a combination of duties and/or privileges.

Roles normally represent a function or job a user would perform such as ‘Accountant’ or ‘Accounts

payable clerk’. Roles are the only security layer that can be assigned to a user. Duties and privileges

must be assigned via the security hierarchy described previously and cannot be assigned directly to

users.

D365FO delivers out-of-the-box roles, duties, and privileges that can be used ‘as is’ or can be modified.

Custom roles, duties, and privileges can also be created.

By combining roles, duties, and privileges as well as modifying the object access within privileges, we

can dictate what a user has access to do with D365FO. Access to securable objects in D365FO is also

hierarchy based on access type. This hierarchy is described below from least access to most access:

Read -> Update -> Create -> Delete

And each access type has three access levels:

Unset – access is neither granted or denied to the object

Grant – access is granted to the object at that access type

Deny – an explicit access level that overrides any other grants assigned

4 | P a g e

In the example below, we are looking at a Security Configuration window from within D365FO.

Specifically, we are looking at the Maintain Vendors privilege, and able to see it is assigned the

VendTable menu item display and it has Read, Update, Create, and Delete permissions to this menu

item.

The deny and unset access levels are new to D365FO and allow for more fine-grained control over what

users and roles have access to.

The deny permission is an explicit deny which means that the user will be denied this permission

regardless of any other grants to this object from any other roles, duties, or privileges.

The unset permission is used when the user should not be granted or denied a permission to an object,

it is the default object permission.

Developing Least Privilege Security There are various native/out-of-the-box tools from Microsoft you can use to help develop your D365FO

security. Here is a list of the processes we will be using:

1) Standard security report (From AOT and UI)

2) Task Recorder

3) Right click -> Form information

4) Options -> Security Diagnostics

5) Role Test Workspace

5 | P a g e

Standard Security Reporting • From the user interface

You can obtain a full

hierarchy-based view of

role, duty, privilege, and

object/resource

assignments by going to

System Administration ->

Security Configuration

page, then select a role

and choose ‘View

Permissions’.

You will then be presented

with a report that shows

an overview of the role,

duty, privilege, and

object/resource

assignment. You can also

follow this process to get

the same information at a

duty or privilege level.

In the report, the Context\Resource column shows the AOT name of the securable object and the

Resource type will display the securable object type.

6 | P a g e

• From the AOT Launching Visual Studio and going to the Dynamics 365 menu -> Add ins gives you a number of options, at the very bottom is ‘View related objects and licenses for all roles’

This option exports an Excel file that shows two tabs, License Information and View Related Objects. On the License Information tab, you will be able to see all roles, duties, and privileges as well as the license type that is required for that security layer.

7 | P a g e

The second tab (View Related Objects), is a very extensive report that shows the entire hierarchy from role -> duty -> privilege -> securable object -> securable object type -> access levels assigned to the resource as well as the license type tied to that access. It is a comprehensive report that mimics the report you can find in the View Permissions feature in Security Configuration through the user interface, but shows all roles instead of one at a time.

Task Recorder D365FO has functionality that allows the user to ‘record’ the steps of a process as it is performed in the user interface. This allows not only for the creation of a step-by-step guide of a singular task/process, but also allows us to determine what menu items are required to perform this task/process.

To perform a task recording of a process:

1) Go to gear in the menu bar and click on Task Recorder

2) Give the recording a name and description.

3) Navigate the steps required to complete the task in the user interface; each step will be

recorded in the right-hand pane.

4) When you are done, click the Stop button in the top menu bar and you will be presented with

options to save the task steps in several ways. We will be focusing on the developer recording

option in the next section.

8 | P a g e

To analyze a task recording to see what menu items are used during the task/process. In the system

administration module, under the Security heading you will find an entry for ‘Security diagnostics for

task recordings’.

The next screen allows you to open a task record, with the ‘Open from this PC’ option, you can upload a

developer recording XML file of a previously generated task recording.

Once processed it will show you the menu item label, menu item AOT name, and menu item type of

each entry point used during the task recording. You are also able to select a user from the User ID drop

down and the system will tell you whether that user currently has the necessary permissions to perform

the steps of the task recording. In the example below, you can see that this user is missing the necessary

permissions to perform this process.

9 | P a g e

Right click -> Form information Because of the complexities of the D365FO user interface, sometimes it is a little ambiguous what menu

item display is driving the user interface element you are interacting with. One way to figure this out is

to right click on the area and under ‘Form information’ you will get the name of the form you are

currently on.

If you now, click on the ‘Form Name’ option a dialog will appear with administrative information

including the individual control you are looking at and more importantly, the menu item name.

10 | P a g e

Options -> Security Diagnostics Breakdown of the roles, duties, and privileges that have access to a specific page/form On a record or form go to Options -> In the Page Options section -> Select Security Diagnostics

A ‘Security Diagnostics’ window will open and show the roles, duties, and privileges that have access to this page/form

11 | P a g e

Role Test Workspace One feature that is still missing by default is the ability to launch a test workspace with a set of roles to see what actions a user assigned these roles could potentially take. Luckily, we can add this feature back in by adding in a hidden Visual Studio extension (I go over this in depth in my blog). When you install the extension, it will add a number of options to the Dynamics 365 -> Add-ins menu. One of the added menu items in this list is ‘View with Role Set’.

You are now able to select a ‘Role Set’ that you would like to test. One convenient feature is that you can select an already existing user and see what current roles are assigned to that user. Or, you can create a new role set and start from scratch. The idea below is to move the roles you would like to test to the Assigned Roles side from the Available Roles.

12 | P a g e

This will launch a test environment with the role(s) you have selected to let you see what a user would have access to if they were to be assigned those roles. Two things to point out when using this feature:

- A test user is created for this purpose and is assigned the role(s) selected, this user will show up in the user list in your environment (this user also has to be enabled)

- All tests need to be assigned the SystemUser role, otherwise you will get errors launching the test environment as most roles do not have explicit access to the initial dashboard (which is always the first screen to load in the testing environment)

Implementing Least Privilege Security

1) Determine tasks a user will perform making sure to not overprovision

a. This Security Matrix generated by Fastpath may assist with this function

2) Isolate menu items from process/task

a. Task Recorder – perform the task the user will need to do while recording it using the

task recorder function

b. Use the Task Recorder Parser or Security Diagnostic for Task Recordings in D365FO to

extract menu items consumed during task recording

3) Determine correct permissions for menu items

a. Remember menu item security is honored and applied at table level

b. If you would like additional help with this, the Fastpath Security Designer Tool will

provide this information

4) If necessary, modify table level access to allow/restrict access to certain functionality on form

5) Test and validate – always be sure to test solution prior to deployment

13 | P a g e

Meet the Author:

Alex Meyer:

References

How to Simulate the Security Development Tool in Dynamics

365 Enterprise

An Update on How to Simulate the Security Development Tool

in Dynamics 365 Enterprise

Security Reporting for Dynamics 365 Enterprise in the AOT

Alex is the Director of Dynamics AX/365 for Finance and

Operations Development at Fastpath. He has a Bachelor of

Science degree in computer engineering from Iowa State

University.

He is a subject matter expert in AX/Dynamics 365 for Finance

and Operations security. He presents sessions and webinars

surrounding security and native controls in numerous ERPs.

Alex also writes frequently in a blog specifically for Dynamics

365 for Finance and Operations.

Microsoft Dynamics 365 for Finance & Operations Blog

Automate Your Security

At Fastpath, our mission is to deliver software

solutions that seamlessly empower our clients to

take control of their security, compliance, and

risk management initiatives. We pride ourselves

on delivering the highest level of customer

support. If you are looking to achieve the level of

security that will satisfy your auditors and benefit

your business, contact our team at Fastpath –

www.gofastpath.com.