#AXUGSummit | #INreno15
SEC16 AX 2012 SECURITY – TIPS, TOOLS, AND SOX
GG Rowe, Planar Systems, Inc.
TIPS
Developing the 2012 security model should be an integral part of your 2012 implementation or upgrade project.
Set up access at the highest level of the hierarchy (roles and duties) for ease of maintenance.
Best practice is to NOT add privileges directly to roles.
Compile security objects during development (done in the Developer Workspace).
SECURITY MODEL DEVELOPMENT
For each project phase: the security level in use, then the security model development work for that phase.

Design: Standard roles or system administrator. Try not to start project core team members on system administrator!
Development: Custom functional roles with standard roles embedded. Create custom functional roles and begin to "tune" them as needed for your business processes (at Planar we ended with ~40 custom roles).
Testing: SHOULD be using custom functional roles by now! If testers have an issue performing a test step, this signifies either that the wrong "function" is executing the step or that a modification to the custom role is needed.
CRP-x (conference room pilot iterations): Custom functional roles. Track security access issues as part of each CRP; this will be a continual refinement!
UAT: Finalized custom functional roles. You may have open security issues; as a workaround, grant "higher" access than desired.
Go-live: Security model in place. Set up security request forms for user access and a process for requesting changes to roles.

MATURITY ~ PRECISION: as the project matures, the roles become more precise.
STANDARD AX 2012 RTM SECURITY SETUP MENU
Menu: System administration>Setup>Security
Security roles: create and maintain roles; assign users to roles.
Security privileges: create and maintain process cycles, duties and privileges; permissions can only be maintained, not created, from here.
Not discussed here: record level security, external roles.
CREATING A PROCESS, DUTY OR PRIVILEGE
Menu: System administration>Setup>Security>Security privileges
Notes: (1) From the UI you can't clone, you can ONLY create new objects. (2) You need to follow the standard structure: a duty goes within a process cycle and a privilege within a duty. (3) When setting up a privilege, you'll need to add the specific permissions and select the access level desired.

Access level   Meaning
No Access      A user can do nothing.
View           A user can view the data.
Edit           A user can view and edit the data.
Create         A user can view, edit, and create new data.
Correction     A user can view, edit, create new, and correct date-effective records without creating a new record.
Full Control   A user can do anything.
FINDING THE AOT OBJECT NAME & RELATED SECURITY
1. In the UI, from any form: right-click in the grid, choose Personalize, and open the Information tab, which lists the AOT names (form, menu item, table) behind what you are looking at.
2. In the Developer Workspace (the AOT): right-click the object and choose Add-Ins>Security tools to see the associated roles, duties, privileges and access level.
CLONING SECURITY OBJECTS IN THE AOT
Navigate to Security in the AOT and, from a privilege (or a duty, role, or process cycle), right-click and choose Duplicate.
Rename it, modify it, use it…
STANDARD AX 2012 RTM SEGREGATION OF DUTY
Menu: System administration>Setup>Security>Segregation of duties
Segregation of duties rules: define SOD rules; check for conflicts.
Verify compliance of user-role assignments: batch processing capability.
Segregation of duties conflicts / unresolved conflicts: displays SOD conflicts; deny or allow access and record the reason why.
SEGREGATION OF DUTY: Segregation of duties rules
Menu: System administration>Setup>Security>Segregation of duties>Segregation of duties rules
Set up conflicting duties, aka SOD rules. A rule can only compare two duties, not privileges or roles.
Buttons: Validate duties and roles (checks whether any existing role already contains both conflicting duties); Security roles (opens role maintenance in a new window).
SEGREGATION OF DUTY: Verify compliance of user-role assignments
Menu: System administration>Setup>Security>Segregation of duties>Verify compliance of user-role assignments
Reviews all SOD rules against the current user-role assignments; can run as a batch job with a recurrence set up. Results appear under Segregation of duties conflicts.
SEGREGATION OF DUTY: Segregation of duties conflicts
Menu: System administration>Setup>Security>Segregation of duties>Segregation of duties conflicts
Each conflict is resolved with one of two buttons:
Deny assignment: the conflicting role assignment is rejected.
Allow assignment: the assignment is kept, with a reason recorded for the override.
SEGREGATION OF DUTY
Menu: System administration>Setup>Security>Segregation of duties
Segregation of duties conflicts: tracks the exclusions and overrides made.
Segregation of duties unresolved conflicts: shows only the unresolved entries.
SEGREGATION OF DUTY
Menu: System administration>Setup>Security>Segregation of duties
The system will not silently assign conflicting duties: when a role assignment would violate an SOD rule, you are prompted whether to continue.
No: the assignment is disallowed.
Yes: an entry is created in Segregation of duties conflicts and you must then either deny or allow the assignment.
MICROSOFT SECURITY DEVELOPMENT TOOL
The .msi and the install instructions: https://technet.microsoft.com/en-us/library/hh859727.aspx
Overview of the tool: https://technet.microsoft.com/en-us/library/hh859728.aspx
Security for access to the tool: role/duty/privilege "Manage role entry point permissions".
Menu items installed: SysSecRoleEntryPoint and SysSecRoleEntryPointDeveloper.
SECURITY DEVELOPMENT TOOL
Menu: System administration>Setup>Security>Security entry point permissions
1. The navigation menu is loaded on the left.
2. Load the license metadata.
3. Enter an AX security role; the left navigation menu is updated to show that role's access.
4. Expand the menu for details and highlight a specific menu item to see its details on the right: access level and effective user license for the role. The system user's access is shown alongside for comparison.
SOX – SYSTEM ACCESS
Restricted access to module parameters and setups: review each module's setup menu. Review access to parameters and setups with special attention to any that are "financially significant".
Access to key functions: functions that are "financially significant", e.g. journal names associated with GL and inventory transactions.
Segregation of duty (SOD): duties that affect SEC reporting (sales revenue, P&L, etc.) or are otherwise SOD related. Derive the conflicting duties from the key functions above, or use AX's Segregation of duties menu.
Compensating controls for any SOD conflicts: for conflicts that cannot be prevented systematically, build a process to monitor them.
Limit the System administrator and Security administrator roles.
SOX – IT CHANGE MANAGEMENT
Controlled environments: who has access to the Developer Workspace? You should control every environment that is part of the migration path.
Business owner approval for changes, with particular attention to "financially significant" functions and to security access additions and modifications.
Evidence of testing: adjust per the severity and risk level of the change; test scripts, user testing vs. IT testing.
Controlled migration of objects: helpdesk tickets or application requests from users. Use an Axutilelements query to show AOT objects with their create and modify dates. Add DB logging to the Security user role table.
SOX – ITGC MONITORING
IT-run batch jobs and backups: any jobs run by IT should be monitored. Set up an error alert on AX batch jobs, save the log, and auto-create a helpdesk ticket.
IT access to Production and to the other environments in the migration process: restrict access to the Developer Workspace (system administrator access) and monitor activity if access is granted.
Periodic review of user access: consider review by the Business Process Owner rather than the traditional Reporting Manager review; include review of module parameters and setups.
Account administration: hires, terminations, contractors.
Administrator access: generally this is a review of the IT team's access in the controlled environments.
SOX – THE AUDIT
The annual internal review and external review…
Review of your ITGC (IT General Controls) and business controls: review of the documented flows of your controlled processes. Auditors will perform tests against your defined controls.
You will need the ability to extract your "change population": a dump of the activities for each of your controls, for example a dump of "changed objects" or "employee hires".
Once you define your controls, FOLLOW THEM RELIGIOUSLY!
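The "change population" and periodic user-access review described on the SOX slides above, as an added example in Python (not from the presentation and not Dynamics AX code). It diffs two snapshots of user-role assignments into the added/removed population an auditor samples from, matches each change against helpdesk tickets, and flags what a business process owner should confirm. The snapshot rows are constructed sample data in a "user,role" shape like an export of AX's SecurityUserRole table; the column layout, the ticket map and the HR termination list are assumptions.

```python
# Added example, not from the presentation and not Dynamics AX code: building the
# "change population" for the user-access control from two snapshots of user-role
# assignments, plus the checks a periodic access review would run. The snapshot
# rows are constructed sample data in a 'user,role' shape like an export of AX's
# SecurityUserRole table; the column layout, ticket map and HR termination list
# are assumptions.

PRIVILEGED_ROLES = {"System administrator", "Security administrator"}


def parse_snapshot(text):
    """Parse 'user,role' lines into a set of (user, role) pairs; blank lines are skipped."""
    rows = set()
    for line in text.splitlines():
        if line.strip():
            user, role = (part.strip() for part in line.split(",", 1))
            rows.add((user, role))
    return rows


def change_population(before, after):
    """Every assignment added or removed between two snapshots: the population
    the auditor samples approvals and helpdesk tickets from."""
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def unapproved_changes(changes, tickets):
    """Changes in the population with no helpdesk ticket or application request
    recorded for that (user, role) pair."""
    return [(kind, user, role)
            for kind in ("added", "removed")
            for user, role in changes[kind]
            if (user, role) not in tickets]


def access_review_findings(snapshot, terminated_users):
    """What the business process owner is asked to confirm: roles still held by
    terminated users, and every holder of a privileged role."""
    findings = []
    for user, role in sorted(snapshot):
        if user in terminated_users:
            findings.append(("terminated user still assigned", user, role))
        if role in PRIVILEGED_ROLES:
            findings.append(("privileged role, confirm with owner", user, role))
    return findings


# Constructed sample snapshots, e.g. quarter-end exports of user-role assignments.
Q1_SNAPSHOT = """
alice,Accountant
bob,Accounting manager
carol,Security administrator
dave,AP clerk
"""
Q2_SNAPSHOT = """
alice,Accountant
alice,System administrator
bob,Accounting manager
carol,Security administrator
erin,AP clerk
"""
TICKETS = {("erin", "AP clerk"): "HD-1042", ("dave", "AP clerk"): "HD-1043"}  # constructed
TERMINATED = {"bob"}  # constructed HR termination list


def run_quarterly_review():
    before, after = parse_snapshot(Q1_SNAPSHOT), parse_snapshot(Q2_SNAPSHOT)
    changes = change_population(before, after)
    return {"changes": changes,
            "unapproved": unapproved_changes(changes, TICKETS),
            "findings": access_review_findings(after, TERMINATED)}


if __name__ == "__main__":
    for key, value in run_quarterly_review().items():
        print(key, value)
```

In the constructed data the System administrator grant to alice has no ticket behind it and bob is on the termination list but still holds a role: those are exactly the two items the access review control exists to catch, and the diff plus the ticket map is the evidence the auditor will ask for.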
TIDBITS
Can assign role access by legal entity.
Use user groups to limit access by journal name.
Management Reporter inherits security from AX security.
Some reports use the AX BI cubes, which have their own security.
3 levels maximum for nesting roles, but the security add-in tool handles only 2 levels.
Security administrator cannot grant the System administrator role.
Deleting in the UI does not delete the object in the AOT.
Enterprise Portal has its own security.
MANAGEMENT REPORTER SECURITY
Mapping of AX permission, the AX role(s) that carry it, and the Management Reporter role it grants:
Maintain financial statement setups: AX roles Accounting manager, Accounting supervisor; Management Reporter role Designer.
Generate financial statement report: AX roles Accountant, Accounting manager, Accounting supervisor, Chief financial officer, Compliance manager, Financial controller; Management Reporter role Generator.
Maintain security settings: AX role Security administrator; Management Reporter role Administrator.
Viewing financial statements: no AX role (not applicable); Management Reporter role Viewer.
NOTES: 1. An AX background job syncs security and data from AX to Management Reporter. 2. A user can only have one role in Management Reporter.
AX BI CUBES SECURITY
Some AX reports are built on the AX BI cubes (I've found they typically have "statistical" in their name).
Error message you will see if the user is not set up on the BI server: "Either the user, <domain>\<userid>, does not have access to the Dynamics AX database, or the database does not exist."
Roles need to be maintained on the Analysis Services server where the AX BI cubes reside; align them with the standard AX-defined roles.
NESTED ROLES
Menu: System administration>Setup>Security>Security roles
NOTES: 1. You will receive a compile error if more than 3 levels are used. 2. The Security Add-In function in the AOT only works with 2 levels.
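An added example, in Python, of the two mechanisms the Segregation of duty slides and the Nested roles note describe: resolving a user's effective duties through nested roles (with the 3-level limit enforced the way the AOT compile does), running the equivalent of "Verify compliance of user-role assignments" against SOD rules, and handling the assign-time prompt with its No / Yes-then-Allow-or-Deny outcomes. This is not code from the presentation or from Dynamics AX; the role, duty and user names are constructed sample data, and the model stores rules as duty pairs because the slides state rules can only compare duties.

```python
# Added example, not from the presentation and not Dynamics AX code: a small Python
# model of AX 2012 role nesting and segregation-of-duties (SOD) checking so the
# rules on the slides can be exercised offline. All names are constructed sample data.

MAX_NESTING_LEVELS = 3  # the deck: compile error beyond 3 levels of nested roles


class SecurityModel:
    def __init__(self):
        self.role_duties = {}    # role -> duties granted directly to it
        self.role_subroles = {}  # role -> roles nested inside it
        self.sod_rules = []      # (duty_a, duty_b, rule_name): duty_a and duty_b conflict
        self.user_roles = {}     # user -> roles assigned
        self.overrides = {}      # (user, rule_name) -> ("Allow" | "Deny", reason)

    def add_role(self, role, duties=(), subroles=()):
        self.role_duties[role] = set(duties)
        self.role_subroles[role] = set(subroles)

    def nesting_depth(self, role, _path=()):
        """Levels in the hierarchy rooted at role (1 = no sub-roles); a cycle raises."""
        if role in _path:
            raise ValueError("cycle in role nesting: " + " > ".join(_path + (role,)))
        subs = self.role_subroles.get(role, set())
        return 1 + max((self.nesting_depth(s, _path + (role,)) for s in subs), default=0)

    def roles_nested_too_deep(self):
        """Roles the AOT compile would reject for exceeding MAX_NESTING_LEVELS."""
        return sorted(r for r in self.role_subroles if self.nesting_depth(r) > MAX_NESTING_LEVELS)

    def effective_duties(self, role):
        """Duties the role grants, including those inherited from nested roles."""
        seen, duties, stack = set(), set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                duties |= self.role_duties.get(r, set())
                stack.extend(self.role_subroles.get(r, set()))
        return duties

    def user_duties(self, user):
        return set().union(*(self.effective_duties(r) for r in self.user_roles.get(user, ())))

    def conflicts_for(self, duties):
        """Names of the SOD rules whose two duties both appear in the duty set."""
        return [rule for a, b, rule in self.sod_rules if a in duties and b in duties]

    def verify_compliance(self):
        """Like 'Verify compliance of user-role assignments': every (user, rule) conflict
        with its recorded Allow/Deny decision, or 'Unresolved' if nobody has acted on it."""
        findings = []
        for user in sorted(self.user_roles):
            for rule in self.conflicts_for(self.user_duties(user)):
                findings.append((user, rule, self.overrides.get((user, rule), ("Unresolved",))[0]))
        return findings

    def new_conflicts_if_assigned(self, user, role):
        """What the AX prompt warns about: rules that start conflicting only because of this role."""
        before = self.conflicts_for(self.user_duties(user))
        after = self.conflicts_for(self.user_duties(user) | self.effective_duties(role))
        return [rule for rule in after if rule not in before]

    def assign_role(self, user, role, decision=None, reason=""):
        """decision=None answers 'No' to the prompt (a conflicting assignment is refused);
        otherwise the conflict is logged with its Allow/Deny decision and reason,
        and a denied assignment is not kept."""
        introduced = self.new_conflicts_if_assigned(user, role)
        if introduced and decision is None:
            return "disallowed"
        for rule in introduced:
            self.overrides[(user, rule)] = (decision, reason)
        if introduced and decision == "Deny":
            return "denied"
        self.user_roles.setdefault(user, set()).add(role)
        return "assigned"


def build_demo_model():
    """Constructed sample data; not Planar's roles or Microsoft's standard duties."""
    m = SecurityModel()
    m.add_role("AP clerk", duties=["Maintain vendor invoices"])
    m.add_role("AP manager", duties=["Approve vendor payments"], subroles=["AP clerk"])
    m.add_role("Vendor master maintainer", duties=["Maintain vendor master"])
    for level in (4, 3, 2, 1):  # a four-level chain, one more than the AOT allows
        m.add_role(f"L{level} role", subroles=[f"L{level + 1} role"] if level < 4 else [])
    m.sod_rules.append(("Maintain vendor master", "Approve vendor payments",
                        "Vendor master vs payment approval"))
    m.user_roles = {"alice": {"AP manager"},
                    "bob": {"AP manager", "Vendor master maintainer"},
                    "carol": {"AP manager", "Vendor master maintainer"}}
    m.overrides[("bob", "Vendor master vs payment approval")] = (
        "Allow", "Small site; controller reviews the payment run monthly")
    return m
```

Two things the slides only state are visible when you run this: a duty inherited through a nested role still counts toward a conflict (alice's AP manager role carries AP clerk's duties), and an Allow override is a compensating-control decision that stays on record for the audit rather than making the conflict disappear from the compliance check.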