Develop and Implement Least Privilege Security for ...
Transcript of Develop and Implement Least Privilege Security for ...
Alex Meyer
Fastpath
Develop and Implement Least Privilege Security for Dynamics 365
for Finance and Operations
1 | P a g e
Develop and Implement Least Privilege Security for Dynamics
365 for Finance and Operations
Contents Introduction .................................................................................................................................................. 2
Dynamics 365 for Finance and Operations Security ..................................................................................... 3
Developing Least Privilege Security .............................................................................................................. 4
Standard Security Reporting ..................................................................................................................... 5
Task Recorder ............................................................................................................................................ 7
Right click -> Form information ................................................................................................................ 9
Options -> Security Diagnostics .............................................................................................................. 10
Role Test Workspace ............................................................................................................................... 11
Implementing Least Privilege Security ........................................................................................................ 12
Automate Your Security .............................................................................................................................. 13
Meet the Author: ........................................................................................................................................ 13
Alex Meyer: ............................................................................................................................................. 13
References .................................................................................................................................................. 13
2 | P a g e
Introduction We are all concerned with security – in every aspect of our lives. We are especially concerned with
security and control when it comes to our business processes. In this E-book, we will walk through the
necessary steps to take a least privilege methodology to secure your Microsoft Dynamics 365 for
Finance and Operations Enterprise Edition (D365FO) environment. The least privilege methodology is
the process of reducing a user’s access, so they are only allowed to perform the tasks they need to
within the application. This is important for several reasons:
Environment Risk – if a user has more access than needed, they may intentionally or inadvertently
perform actions that could put your company at risk
User Licensing – since licensing is tied to user access, ensuring least privilege access is followed
could save your company money on licensing costs
Segregation of Duties – following the same idea as environment risk, if a user has more access than
needed, they may have unnecessary segregation of duties violations that go unaddressed.
If you have questions after reading this E-book, please feel free to contact us directly at
3 | P a g e
Dynamics 365 for Finance and Operations Security
Security within D365FO is a hierarchy structure of different security layers. Each layer is a container
made up of any number of entities from the layer(s) below it.
At the bottom of the hierarchy are privileges. This layer is the most granular as you determine what
securable objects (tables, menu items, data entities, or service operations) the privilege will have access
to. Normally, privileges are very specific in their function. For example, ‘Add BOM line’ and ‘Edit
customer’ are both privileges.
The next layer up of the hierarchy are duties. This layer is comprised of any number of privileges and
normally represents a business task a user performs, such as ‘Approve customer invoices’ or ‘Maintain
budget plans’.
At the top of the hierarchy are roles. This layer can include a combination of duties and/or privileges.
Roles normally represent a function or job a user would perform such as ‘Accountant’ or ‘Accounts
payable clerk’. Roles are the only security layer that can be assigned to a user. Duties and privileges
must be assigned via the security hierarchy described previously and cannot be assigned directly to
users.
D365FO delivers out-of-the-box roles, duties, and privileges that can be used ‘as is’ or can be modified.
Custom roles, duties, and privileges can also be created.
By combining roles, duties, and privileges as well as modifying the object access within privileges, we
can dictate what a user has access to do with D365FO. Access to securable objects in D365FO is also
hierarchy based on access type. This hierarchy is described below from least access to most access:
Read -> Update -> Create -> Delete
And each access type has three access levels:
Unset – access is neither granted or denied to the object
Grant – access is granted to the object at that access type
Deny – an explicit access level that overrides any other grants assigned
4 | P a g e
In the example below, we are looking at a Security Configuration window from within D365FO.
Specifically, we are looking at the Maintain Vendors privilege, and able to see it is assigned the
VendTable menu item display and it has Read, Update, Create, and Delete permissions to this menu
item.
The deny and unset access levels are new to D365FO and allow for more fine-grained control over what
users and roles have access to.
The deny permission is an explicit deny which means that the user will be denied this permission
regardless of any other grants to this object from any other roles, duties, or privileges.
The unset permission is used when the user should not be granted or denied a permission to an object,
it is the default object permission.
Developing Least Privilege Security There are various native/out-of-the-box tools from Microsoft you can use to help develop your D365FO
security. Here is a list of the processes we will be using:
1) Standard security report (From AOT and UI)
2) Task Recorder
3) Right click -> Form information
4) Options -> Security Diagnostics
5) Role Test Workspace
5 | P a g e
Standard Security Reporting • From the user interface
You can obtain a full
hierarchy-based view of
role, duty, privilege, and
object/resource
assignments by going to
System Administration ->
Security Configuration
page, then select a role
and choose ‘View
Permissions’.
You will then be presented
with a report that shows
an overview of the role,
duty, privilege, and
object/resource
assignment. You can also
follow this process to get
the same information at a
duty or privilege level.
In the report, the Context\Resource column shows the AOT name of the securable object and the
Resource type will display the securable object type.
6 | P a g e
• From the AOT Launching Visual Studio and going to the Dynamics 365 menu -> Add ins gives you a number of options, at the very bottom is ‘View related objects and licenses for all roles’
This option exports an Excel file that shows two tabs, License Information and View Related Objects. On the License Information tab, you will be able to see all roles, duties, and privileges as well as the license type that is required for that security layer.
7 | P a g e
The second tab (View Related Objects), is a very extensive report that shows the entire hierarchy from role -> duty -> privilege -> securable object -> securable object type -> access levels assigned to the resource as well as the license type tied to that access. It is a comprehensive report that mimics the report you can find in the View Permissions feature in Security Configuration through the user interface, but shows all roles instead of one at a time.
Task Recorder D365FO has functionality that allows the user to ‘record’ the steps of a process as it is performed in the user interface. This allows not only for the creation of a step-by-step guide of a singular task/process, but also allows us to determine what menu items are required to perform this task/process.
To perform a task recording of a process:
1) Go to gear in the menu bar and click on Task Recorder
2) Give the recording a name and description.
3) Navigate the steps required to complete the task in the user interface; each step will be
recorded in the right-hand pane.
4) When you are done, click the Stop button in the top menu bar and you will be presented with
options to save the task steps in several ways. We will be focusing on the developer recording
option in the next section.
8 | P a g e
To analyze a task recording to see what menu items are used during the task/process. In the system
administration module, under the Security heading you will find an entry for ‘Security diagnostics for
task recordings’.
The next screen allows you to open a task record, with the ‘Open from this PC’ option, you can upload a
developer recording XML file of a previously generated task recording.
Once processed it will show you the menu item label, menu item AOT name, and menu item type of
each entry point used during the task recording. You are also able to select a user from the User ID drop
down and the system will tell you whether that user currently has the necessary permissions to perform
the steps of the task recording. In the example below, you can see that this user is missing the necessary
permissions to perform this process.
9 | P a g e
Right click -> Form information Because of the complexities of the D365FO user interface, sometimes it is a little ambiguous what menu
item display is driving the user interface element you are interacting with. One way to figure this out is
to right click on the area and under ‘Form information’ you will get the name of the form you are
currently on.
If you now, click on the ‘Form Name’ option a dialog will appear with administrative information
including the individual control you are looking at and more importantly, the menu item name.
10 | P a g e
Options -> Security Diagnostics Breakdown of the roles, duties, and privileges that have access to a specific page/form On a record or form go to Options -> In the Page Options section -> Select Security Diagnostics
A ‘Security Diagnostics’ window will open and show the roles, duties, and privileges that have access to this page/form
11 | P a g e
Role Test Workspace One feature that is still missing by default is the ability to launch a test workspace with a set of roles to see what actions a user assigned these roles could potentially take. Luckily, we can add this feature back in by adding in a hidden Visual Studio extension (I go over this in depth in my blog). When you install the extension, it will add a number of options to the Dynamics 365 -> Add-ins menu. One of the added menu items in this list is ‘View with Role Set’.
You are now able to select a ‘Role Set’ that you would like to test. One convenient feature is that you can select an already existing user and see what current roles are assigned to that user. Or, you can create a new role set and start from scratch. The idea below is to move the roles you would like to test to the Assigned Roles side from the Available Roles.
12 | P a g e
This will launch a test environment with the role(s) you have selected to let you see what a user would have access to if they were to be assigned those roles. Two things to point out when using this feature:
- A test user is created for this purpose and is assigned the role(s) selected, this user will show up in the user list in your environment (this user also has to be enabled)
- All tests need to be assigned the SystemUser role, otherwise you will get errors launching the test environment as most roles do not have explicit access to the initial dashboard (which is always the first screen to load in the testing environment)
Implementing Least Privilege Security
1) Determine tasks a user will perform making sure to not overprovision
a. This Security Matrix generated by Fastpath may assist with this function
2) Isolate menu items from process/task
a. Task Recorder – perform the task the user will need to do while recording it using the
task recorder function
b. Use the Task Recorder Parser or Security Diagnostic for Task Recordings in D365FO to
extract menu items consumed during task recording
3) Determine correct permissions for menu items
a. Remember menu item security is honored and applied at table level
b. If you would like additional help with this, the Fastpath Security Designer Tool will
provide this information
4) If necessary, modify table level access to allow/restrict access to certain functionality on form
5) Test and validate – always be sure to test solution prior to deployment
13 | P a g e
Meet the Author:
Alex Meyer:
References
How to Simulate the Security Development Tool in Dynamics
365 Enterprise
An Update on How to Simulate the Security Development Tool
in Dynamics 365 Enterprise
Security Reporting for Dynamics 365 Enterprise in the AOT
Alex is the Director of Dynamics AX/365 for Finance and
Operations Development at Fastpath. He has a Bachelor of
Science degree in computer engineering from Iowa State
University.
He is a subject matter expert in AX/Dynamics 365 for Finance
and Operations security. He presents sessions and webinars
surrounding security and native controls in numerous ERPs.
Alex also writes frequently in a blog specifically for Dynamics
365 for Finance and Operations.
Microsoft Dynamics 365 for Finance & Operations Blog
Automate Your Security
At Fastpath, our mission is to deliver software
solutions that seamlessly empower our clients to
take control of their security, compliance, and
risk management initiatives. We pride ourselves
on delivering the highest level of customer
support. If you are looking to achieve the level of
security that will satisfy your auditors and benefit
your business, contact our team at Fastpath –
www.gofastpath.com.