
#AXUGSummit | #INreno15

SEC16 AX 2012 SECURITY – TIPS, TOOLS, AND SOX

GG Rowe, Planar Systems, Inc.

CONTINUALLY LEARNING!!!

CAUTION: SPEAKER UNDER CONSTRUCTION

TIPS

Setup at the highest level of access for ease of maintenance

Best practice is to NOT add privileges directly to roles

Compile security objects during development (done in the Developer Workspace)

Developing the 2012 security model should be an integral part of your 2012 implementation or upgrade project

SECURITY MODEL DEVELOPMENT

Project Phase / Security level / Security Model Development

Design
  Security level: Standard roles or system administrator
  Try not to start project core team members on system administrator!

Development
  Security level: Custom functional roles with standard roles embedded
  Create custom functional roles and begin to “tune” them as needed for your business processes (at Planar we ended with ~40 custom roles).

Testing
  Security level: SHOULD be using custom functional roles by now!
  If testers have an issue performing a test step, this signifies either that the wrong “function” is executing the step or that a modification to the custom role is needed.

CRP-x
  Security level: Custom functional roles
  Track security access issues as part of the CRP – this will be a continual refinement!

UAT
  Security level: Finalized custom functional roles
  You may have open security issues; as a workaround, grant “higher” access than desired.

GoLive
  Security level: Security Model in place
  Set up security request forms for user access and a process for requesting changes to roles.

MATURITY ~ PRECISION

TOOLS

STANDARD AX 2012 RTM SECURITY SETUP MENU

Menu: System administration>Setup>Security

Security roles
  Create and maintain roles
  Assign users to roles

Security privileges
  Create and maintain: Process cycles, Duties, Privileges, Permissions (maintain only)

Not discussing: Record level security, External roles

CREATING A PROCESS, DUTY OR PRIVILEGE

Menu: System administration>Setup>Security>Security privileges

Notes: (1) From the UI, you can’t clone, you can ONLY create new. (2) You need to follow the standard structure, so a duty must sit within a process and a privilege within a duty. (3) When setting up a privilege, you’ll need to add the specific permissions and the appropriate access level desired.

Access Level   Meaning
No Access      A user can do nothing.
View           A user can view the data.
Edit           A user can view and edit the data.
Create         A user can view, edit, and create new data.
Correction     A user can view, edit, create new, and correct a date-effective record without creating a new record.
Full Control   A user can do anything.

FINDING THE AOT OBJECT NAME & RELATED SECURITY

1. In the UI, from any menu - right click in grid, Personalize and Information tab:

2. In the Developer Workspace aka the AOT: Add-Ins > Security tools:

Associated Roles, Duties, Privileges, access level

CLONING SECURITY OBJECTS IN THE AOT

Navigate to Security and from a privilege (or a Duty, Role, or Process):

Rename it, modify it, use it…

STANDARD AX 2012 RTM SEGREGATION OF DUTY

Menu: System administration>Setup>Security>Segregation of duties

Segregation of duties rules: Defining SOD rules; Checking for conflicts

Verify compliance of user-role assignments: Batch processing capability

Segregation of duties conflicts / unresolved conflicts: Displays SOD conflicts; Deny or allow access and the reason why

SEGREGATION OF DUTY

Menu: System administration>Setup>Security>Segregation of duties > Segregation of duties rules

Set up conflicting duties aka SOD rules – can only compare duties:

Validate duties and roles

Security roles button will open new roles maintenance in a new window

SEGREGATION OF DUTY

Menu: System administration>Setup>Security>Segregation of duties > Verify compliance of user-role assignments

Reviews all SOD rules against user assignments; can run as a batch job and be set up to recur

Segregation of duties conflicts

SEGREGATION OF DUTY

Menu: System administration>Setup>Security>Segregation of duties > Segregation of duties conflicts

Deny assignment:

Allow assignment:

SEGREGATION OF DUTY

Menu: System administration>Setup>Security>Segregation of duties

Segregation of duties conflicts Will track exclusions and overrides made

Segregation of duties unresolved conflicts Shows only the unresolved entries

SEGREGATION OF DUTY

Menu: System administration>Setup>Security>Segregation of duties

System will disallow assigning conflicting duties

No – then disallows:

Yes – creates an entry in Segregation of duties conflict and you must either deny or allow:

MICROSOFT SECURITY DEVELOPMENT TOOL

MSI and the install instructions: https://technet.microsoft.com/en-us/library/hh859727.aspx

Overview of the tool: https://technet.microsoft.com/en-us/library/hh859728.aspx

Security for access to the tool: Role/Duty/Privilege - Manage role entry point permissions

Menu items installed: SysSecRoleEntryPoint & SysSecRoleEntryPointDeveloper

SECURITY DEVELOPMENT TOOL

Menu: System administration>Setup>Security>Security entry point permissions

1. Navigation menu is loaded to the left
2. Load license metadata
3. Enter an AX security role
4. Left navigation menu is updated with the role’s access
5. Expand menu for details
6. Highlight a specific menu item and see that menu item’s details on the right: access level and effective user license for the role; shows system user access for comparison

SOX

SOX – SYSTEM ACCESS

Restricted access to module parameters and setups
  • Review each module’s setup menu
  • Review access to parameters and setups with special attention to any that are “financially significant”

Access to key functions
  • Functions that are “financially significant”, e.g. journal names associated to GL and inventory transactions
  • Affect SEC reporting (sales revenue, P&L, etc.) or are Segregation of Duty related

Segregation of duty (SOD)
  • Conflicting duties from the above key functions – or – use AX’s Segregation of duties menu

Compensating controls for any SOD conflicts
  • For conflicts that cannot be prevented systematically, build a process to monitor them

Limit system administrator and security administrator roles

SOX – IT CHANGE MANAGEMENT

Controlled environments
  • Who has access to the Developer Workspace?
  • Should control environments that are part of the migration path

Business owner approval for changes, with particular attention to:
  • “Financially significant” functions
  • Security access additions and modifications

Evidence of testing
  • Adjust per severity and risk level of the change
  • Test scripts, user testing vs. IT testing

Controlled migration of objects
  • Helpdesk tickets or application requests from users
  • Use the Axutilelements query: shows AOT objects with create and modify dates
  • Add DB logging to the Security user role table

SOX – ITGC MONITORING

IT-run batch jobs and backups
  • Any jobs run by IT should be monitored
  • Set up Error Alert on AX batch jobs, save the log, and auto-create a Helpdesk ticket

IT access to Production and other environments related to the migration process
  • Restrict access to the Developer Workspace (system administrator access)
  • Monitor activity if access is granted

Periodic review
  • User access: consider review by the Business Process Owner vs. the traditional Reporting Manager review; include review of module parameters and setups
  • Account administration: hires, terminations, contractors
  • Administrator access: generally this is a review of the IT team’s access in the controlled environments

SOX – THE AUDIT

The annual internal review and external review…
  • Review of your ITGC (IT General Controls) and Business Controls
  • Review of documented flows of your controlled processes
  • Auditors will perform tests against your defined controls
  • You will need the ability to extract your “change population”: a dump of activities per each of your controls, for example a dump of ‘changed objects’ or ‘employee hires’

Once you define your controls, FOLLOW THEM RELIGIOUSLY!

TIDBITS

Can assign role access by Legal Entity

Use User Groups to limit access by journal name

Management Reporter – Inherits security from AX security

Some reports use the AX BI Cubes – has its own security

3 levels maximum for nesting roles, but security add-in tool only 2 levels

Security administrator cannot grant System administrator role

Deleting in the UI does not delete object in the AOT

Enterprise Portal – has its own security

MANAGEMENT REPORTER SECURITY

AX Permission                        AX Role                                                  Management Reporter Role
Maintain financial statement setups  Accounting Manager, Accounting Supervisor                Designer
Generate financial statement report  Accountant, Accounting manager, Accounting supervisor,   Generator
                                     Chief financial officer, Compliance manager,
                                     Financial controller
Maintain security settings           Security Administrator                                   Administrator
Viewing financial statements         Not applicable                                           Viewer

NOTES:
1. An AX background job syncs security and data from AX to Management Reporter
2. A user can only have one role in Management Reporter

AX BI CUBES SECURITY

Some AX reports are built on the AX BI Cubes (I’ve found they typically have “statistical” in their name).

Error message you will see if the user is not set up on the BI server: "Either the user, <domain>\<userid>, does not have access to the Dynamics AX database, or the database does not exist."

Roles need to be maintained on the server where the AX BI cubes reside – align them with the standard AX defined roles:

NESTED ROLES

NOTE:
1. You will receive a compile error if more than 3 levels are used
2. The Security Add-In function in the AOT only works with 2 levels

Menu: System administration>Setup>Security>Security roles
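The following is an added, constructed model of two points from this deck: the "Verify compliance of user-role assignments" check (all SOD rules evaluated against each user's combined duties, with conflicts then needing an allow or deny decision) and the 3-level limit on nested roles. It is not Dynamics AX code or its X++ API; every role, duty, user and rule name is made up for illustration.

```python
"""Constructed model of AX 2012-style nested roles and segregation-of-duties (SOD)
checks. Added illustration, not Dynamics AX code or its X++ API; names are made up."""
from collections import deque

MAX_NESTING_LEVELS = 3  # the deck: more than 3 nested levels gives a compile error

def effective_duties(role, roles, sub_roles):
    """Union of a role's duties and those of all nested roles (top role = level 1).
    roles: {role: set(duties)}; sub_roles: {role: set(nested roles)}."""
    duties, seen, queue = set(), set(), deque([(role, 1)])
    while queue:
        current, level = queue.popleft()
        if level > MAX_NESTING_LEVELS:
            raise ValueError(f"nesting deeper than {MAX_NESTING_LEVELS} levels at {current!r}")
        if current in seen:
            continue
        seen.add(current)
        duties |= roles.get(current, set())
        queue.extend((child, level + 1) for child in sub_roles.get(current, ()))
    return duties

def nesting_within_limit(role, sub_roles):
    """True when the role nests no deeper than MAX_NESTING_LEVELS."""
    try:
        effective_duties(role, {}, sub_roles)
        return True
    except ValueError:
        return False

def verify_user_role_assignments(user_roles, roles, sub_roles, sod_rules, decisions):
    """Like 'Verify compliance of user-role assignments': test every SOD rule against
    each user's combined duties. sod_rules: [(duty_a, duty_b, rule_name)]; decisions:
    {(user, rule_name): ("allow"|"deny", reason)}. Returns conflicts still undecided."""
    unresolved = []
    for user, assigned in user_roles.items():
        duties = set().union(*(effective_duties(r, roles, sub_roles) for r in assigned))
        for first, second, rule in sod_rules:
            if first in duties and second in duties and (user, rule) not in decisions:
                unresolved.append({"user": user, "rule": rule, "duties": (first, second)})
    return unresolved

# Constructed sample data: the two AP duties conflict, and FinanceLead nests both roles.
ROLES = {"APClerk": {"MaintainVendorInvoices"}, "APManager": {"ApproveVendorPayments"}}
SUB_ROLES = {"FinanceLead": {"APClerk", "APManager"}}
SOD_RULES = [("MaintainVendorInvoices", "ApproveVendorPayments", "AP invoice vs payment")]
USER_ROLES = {"alice": {"APClerk"}, "bob": {"FinanceLead"}, "carol": {"APClerk", "APManager"}}
DECISIONS = {("carol", "AP invoice vs payment"): ("allow", "monthly payment review by controller")}
```

With this data, bob's conflict surfaces only because the check walks nested roles; carol's identical conflict is already recorded as an allowed override with its reason, so it is not reported again.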

THANK YOU!!!

GG Rowe, Planar Systems, Inc.

Email: [email protected] Phone: 503-748-5754