Understanding Native Controls in Dynamics AX 2012/365FO
Alex Meyer
Director of Dynamics AX/365 FO Development and Microsoft MVP
Email: [email protected]
Blog: http://d365foblog.com
GitHub: https://github.com/ameyer505
Worked in AX/D365FO for over 5 years, specifically around security, audit, and compliance functionality and reporting
Presented at numerous Dynamics Communities User Group events:
• User Group Focus
• Summit US
• Summit Europe
• eXtreme365
• Various local chapter meetings
Frank Vukovits
Director of Strategic Partnerships
Email: [email protected]
Twitter: @fvukovits
Original co-founder of AXUG
Certified Internal Auditor
Certified Information Systems Auditor
Agenda
• AX 2012/D365FO Security Model
• Security Reporting
• Administrative Access
• Segregation of Duties
• Database Log
• Workflows
• Lifecycle Services
• Licensing
• Brief Review of Fastpath Solutions
Security Model
• Role Based Security
  • Hierarchy based (role -> duty -> privilege)
• Pessimistic security model
• Security should follow same testing and deployment as code
• User authentication
  • Active Directory (Azure Active Directory)
• Active Directory Groups – AX 2012
• Extensible Data Security (XDS) functionality
Reviewing Security
• Don’t set and forget
• Take a risk-based approach to reviews
• Business Process Owners (BPO) should review access
• Monitor System Administrator (SysAdmin) access
• Update process controls and SOD rules to reflect security changes
Common Security Challenges
• Access security is low priority for project team
• Everyone assigned System Administrator (SysAdmin)
• Security is in the domain of IT/Sys Admin not BPOs
• Expensive customizations in place of security
• No consideration for segregation of duties
• Process controls not part of the design
• Dilution of ‘go-live’ security design
Security Reporting
• Who has access?
• No standard user reports
• Security development tool
  • Available in AX 2012
  • Launched from AOT, against role, duty, or privilege (Right click > Add-Ins > Security tools)
  • View related security objects – role -> duty -> privilege -> entry point and access -> object and access
  • D365FO has no Security Development Tool
  • Majority of AX 2012 Security Development Tool features are built into D365FO user interface (for more information on this see Alex’s blog at http://d365foblog.com)
• Do not rely on security layer name (Inquiry != Inquiry)
• Custom reports
  • Requires development (AX classes or SQL)
  • User/Role access (SecurityUserRole/SecurityUserRoleCondition table)
Security Development Tool – AX 2012
Security Reporting – D365FO
Visual Studio -> Dynamics 365 -> Addins -> View Related Objects and Licenses for All Roles
System Administrator Access
• Programmatic role
• Cannot be modified
• Required for AOT access
• Required for code deployment
Segregation of Duties (SOD)
• Have a methodology
• Build ruleset
  • Needs to be a group effort (BPO, finance, audit)
• Balance preventative vs. productivity
• Don’t forget about process controls
• The goal is a blend of security and controls
Segregation of Duties
• SOD feature exists in AX 2012 & D365FO
• Preventative control that can be overridden with proper mitigation
• No standard ruleset
  • Must be developed by end user
• Gaps
  • Analysis performed at duty level, not object level
  • Privilege to role assignment
  • Security inherited via AD group
  • Whitepaper on gap analysis
    • https://www.gofastpath.com/blog/fastpath-vs.-dynamics-ax/d365fo-segregation-of-duty-analysis-comparison
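Added example (not from the original slides): a small model of the role -> duty -> privilege -> entry point hierarchy showing how a duty-level SOD rule misses a user who reaches the conflicting entry point through a privilege assigned directly to a role. Every role, duty, privilege, entry point and user name below is hypothetical, constructed sample data.

```python
# Constructed sample model; every role, duty, privilege and entry point name is hypothetical.
ROLE_DUTIES = {
    "AP clerk": {"Maintain vendors"},
    "AP payments": {"Post vendor payments"},
    "AP lead": {"Maintain vendors", "Post vendor payments"},
}
# Privileges attached straight to a role, bypassing the duty layer.
ROLE_PRIVILEGES = {"AP clerk": {"PostPaymentJournal"}}
DUTY_PRIVILEGES = {
    "Maintain vendors": {"EditVendor"},
    "Post vendor payments": {"PostPaymentJournal"},
}
# Privilege -> (entry point, access level) pairs.
PRIVILEGE_ENTRY_POINTS = {
    "EditVendor": {("VendorForm", "Update")},
    "PostPaymentJournal": {("PaymentJournalPost", "Update")},
}
USER_ROLES = {"alice": {"AP clerk"}, "bob": {"AP lead"}, "carol": {"AP payments"}}
SOD_RULE = ("Maintain vendors", "Post vendor payments")  # duty pair that must not meet

def user_duties(user):
    return set().union(*(ROLE_DUTIES.get(r, set()) for r in USER_ROLES[user]))

def entry_points(privileges):
    return set().union(*(PRIVILEGE_ENTRY_POINTS.get(p, set()) for p in privileges))

def user_entry_points(user):
    privs = set()
    for role in USER_ROLES[user]:
        privs |= ROLE_PRIVILEGES.get(role, set())  # direct privilege-to-role assignment
        for duty in ROLE_DUTIES.get(role, set()):
            privs |= DUTY_PRIVILEGES.get(duty, set())
    return entry_points(privs)

def duty_level_violations(rule):
    # Duty-level check: flag only users holding both duties named in the rule.
    return sorted(u for u in USER_ROLES if set(rule) <= user_duties(u))

def entry_point_violations(rule):
    # Object-level check: flag users reaching entry points from both sides of the rule.
    side_a, side_b = (entry_points(DUTY_PRIVILEGES[d]) for d in rule)
    return sorted(u for u in USER_ROLES
                  if user_entry_points(u) & side_a and user_entry_points(u) & side_b)

def missed_by_duty_level(rule):
    return sorted(set(entry_point_violations(rule)) - set(duty_level_violations(rule)))

if __name__ == "__main__":
    print(duty_level_violations(SOD_RULE), entry_point_violations(SOD_RULE), missed_by_duty_level(SOD_RULE))
```

The comparison matches exact (entry point, access level) pairs; the AD group inheritance gap is not modeled here.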
Segregation of Duties Rule Setup – AX 2012
Segregation of Duties Rule Setup – D365FO
Database Log
• Risk based approach
• Identify and track critical data points
• Field level
• Reduces performance hit
• Reduces data storage requirements
• Improves reporting performance
• Improves reviewer accuracy
Database Log
• Tracks user, date, time and old/new values for changes
• Limitations
  • Designed as debugging tool
  • Performance considerations
• Batch jobs broken down to row by row when database log enabled for a table
• Only tracks changes inside Dynamics
• Changes made in database with AOS service account
• Code changes
• SysAdmin changes
• Maintain audit data
Database Log Setup – AX 2012
Database Log Setup – D365FO
Database Log Inquiry – AX 2012
Database Log Inquiry – D365FO
Workflows
• Powerful and flexible
• Requires developer and workflow expertise
  • Workflow editor
• Approvals
  • Journals
  • Purchase Orders
• Reporting
  • Tracking Details
Workflow Editor – AX 2012
Workflow Tracking Details – AX 2012
Workflow Editor – D365FO
Workflow Tracking Details – D365FO
Lifecycle Services (LCS)
• Management portal for AX/D365FO environments
• Business process modeler
• Task recorder – upload custom business processes
• License sizing estimator
User Licensing
• Licensing determined by user’s access to entry points
  • Menu Items
  • Data Entities
  • Service Operations
• Each entry point has two properties
  • ViewUserLicense
  • MaintainUserLicense
• The access a user has to an entry point determines which license is required
• AX 2012 Licenses
  • Enterprise
  • Functional
  • Task
  • Self Service
• D365FO License
  • Operations
  • Activity
  • Team Member
Questions?
Fastpath Facts
• Founded 2004
• Staff includes CPAs, CIAs, and CISAs
• 1,300+ Customers across 30+ Countries
• Fastpath Works Across Platforms
Fastpath Assure® – Powered by Microsoft Azure
• Audit Trail: Critical Data Change Tracking
• SOD: Segregation of Duties and Security Access Reviews
• Identity Manager: Compliant User and Emergency Access Provisioning
• Security Designer*: Create and Change Security in Dynamics
*D365 for Finance and Operations only
Fastpath ensures our customers can confidently answer these three critical questions:
• Who has access to their systems?
• What did they do with that access?
• Where are they vulnerable?
Audit Partners
Demo
Fastpath Demo Links
• SOD, User Access Reviews, and Access Certifications
• Audit Trail
• Identity Manager
Note: these demos are for Dynamics AX, but the modules' look and feel, along with functionality, are the same in Dynamics 365 F&O.
Resources
• Lifecycle Services (LCS) for Finance and Operations
• Security Roles & Licensing Whitepaper
• Role-based Security Use Patterns for Developers
• Microsoft Dynamics AX 2012 R3 Licensing Guide
• Microsoft Dynamics 365 Licensing
• D365FO Security Blog
• D365FO Security Audit Field Manual
• D365FO Resources From Fastpath
• Develop & Implement Least Privilege Security in D365FO
• D365FO Security Matrix
• AX 2012 Security Matrix
Thank you for attending!
Alex Meyer
Frank Vukovits