Expert Security Tips and Hacks for D365FO by Alex Meyer
Dive into a wealth of expert security tips, tricks, and hacks presented by Alex Meyer, a renowned Director of Dynamics AX/365 FO Development and Microsoft MVP. Explore key areas such as security reporting, setup, segregation of duties, user management best practices, and more. Learn how to conduct regular user access reviews, minimize administrator assignments, generate audit reports on SysAdmins, and leverage Microsoft's out-of-the-box security layers effectively. Stay ahead in safeguarding your D365FO environment with these valuable insights.
Presentation Transcript
Security Tips, Tricks, and Hacks in D365FO
Presented by Alex Meyer, Fastpath
Alex Meyer
Director of Dynamics AX/365 FO Development
Microsoft MVP in Business Applications
Email: meyer@gofastpath.com
Blog: http://d365foblog.com
Security Class: http://d365fosecurity.com
GitHub: https://github.com/ameyer505
Twitter: https://twitter.com/alexmeyer_ITGuy
- Worked in AX/D365FO for 5+ years, specifically around security, audit, and compliance functionality and reporting
- Presented at numerous conferences and events on:
  - Security
  - Audit/Compliance
  - Native Controls
Agenda
Tips, Tricks, and Hacks broken into the following areas:
- Security Reporting
- Security Setup
- Segregation of Duties/Mitigations
- User Management Best Practices
Regularly Review Users and Their Access
- Security is not a one-time exercise
- Should review what tasks/business processes a user can perform
- Review should be done by managers / BPOs
- Utilize a risk-based approach
Minimize Administrator Assignment
- Easy way out / hard to undo
- More SysAdmins equals:
  - More risk
  - More money
  - Can increase time for audit
How to Generate a Report on SysAdmins for Audit Reviews
- First report auditors will ask for
- Can utilize the User Role Assignment report: System Administration > Inquiries > Security > User Role Assignments
Know the Pros/Cons of Using Default Security Layers
Microsoft provides out of box roles, duties, and privileges
Pros:
- Fast/easy to implement
- Security layers get automatically updated during Microsoft updates
Cons:
- Security may be over provisioned
- These security layers were designed from a functional perspective and do not take segregation of duties into account
- Security layers get automatically updated during Microsoft updates
Understand the Different Object Types
- Menu Items: three different types, display, output, and action
  - Display: tied to forms within the application
  - Output: reports that the user can run and export
  - Action: a task or process a user can perform in the system
- Tables: refer to SQL tables where data is stored
- Data Entities: objects that combine multiple SQL tables to encapsulate a business concept; allow for CRUD operations from an external service
- Service Operations: X++ API endpoints
Know the Different Access Types and Access Levels
Access Types
- Are hierarchy-based, from least to greatest access: Read, Update, Create, Delete (used for Menu Items, Tables, and Data Entities)
- Invoke (used for Service Operations)
Access Levels
- Can be set at each access type level
- Unset: default state, neither grants nor denies access
- Grant: grants the user access to the object at that access type level
- Deny: explicitly denies the user access to the object at that access type level, overrides any grants
Remember to Add Company Restrictions
- By default, role access is assigned across all companies
- Once a user role assignment has 1 company restriction, access applies only in that company
- Can also use organizational hierarchies to help assign a large number of company restrictions
Utilize Least Privilege Security Methodology
What is it?
- Methodology that says a user should be granted the minimum amount of access for a job assignment
Why is it important?
- Minimize Environmental Risk: if a user has more access than needed, they may intentionally or inadvertently perform actions that could put the company at risk.
- Lower User Licensing Costs: since licensing is tied to the level of user access, ensuring least privilege access could save your company money on licensing costs.
- Reduce Segregation of Duties Risk: if a user has more access than needed, they may have unnecessary segregation of duties violations that can go unaddressed.
Utilize Least Privilege Security
Different approaches for security implementation:
- Top-Down: take the out of box security layers and remove access
  - Pros: easier/faster
  - Cons: user can still be over provisioned
- Bottom-Up: create new security based on user daily tasks/business processes
  - Pros: true least privilege
  - Cons: slower, more expensive
- Hybrid: a risk-based approach combining the above options
Don't be Afraid of Extensible Data Security (XDS)
- Allows for limiting user access to a subset of objects
  - Ex: user has access to all customers with CustGroup = 10
- Done via code, not in Security Configuration
- Must be done carefully because of potential performance impact
Protect High-Risk Data Using Table Permission Framework (TPF)
- Used for providing an additional layer of protection to high business impact (HBI) data
  - Credit cards, social security numbers, etc.
- Parameter on tables and table fields: AosAuthorization
- If enabled, user must be given explicit Grant access to the table or field
Leverage the Deny Permission Successfully
- The Deny permission in D365FO is explicit, meaning that it overrides any grants from other security layers
- For example, if we deny Update, Create, and Delete permissions on the SalesTable, the user can no longer modify sales headers but can still interact with sales lines
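The access-type hierarchy, the three access levels, the company-restriction behaviour and the SalesTable Deny example from the slides above, modelled in a short Python program. This is an added example, not code from the presentation or from D365FO itself: the resolution rules are a simplification of what the slides state, and the role names, privilege names and company codes (USMF, DEMF) are constructed sample data.

```python
"""Simplified model of how D365FO access types, access levels and company
restrictions combine into a user's effective access.

Added illustration, not D365FO code. It encodes the rules stated on the slides:
  * access types are hierarchical (Read < Update < Create < Delete), so a
    Grant at one type also covers every lower type; Invoke stands alone;
  * Deny is explicit and overrides any Grant from any other layer;
  * a role assignment with no company restriction applies to every company,
    one with restrictions applies only to the listed companies.
Company codes, role and privilege names below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum

# Hierarchical access types, least to greatest (menu items, tables, data entities).
ACCESS_RANK = {"Read": 1, "Update": 2, "Create": 3, "Delete": 4}
HIERARCHICAL = list(ACCESS_RANK)


class Level(Enum):
    UNSET = "Unset"   # default: neither grants nor denies
    GRANT = "Grant"
    DENY = "Deny"


@dataclass
class Privilege:
    name: str
    permissions: dict  # {object: {access type: Level}}; absent entries are Unset


@dataclass
class Role:
    name: str
    privileges: list


@dataclass
class RoleAssignment:
    role: Role
    companies: frozenset = frozenset()  # empty = no restriction = all companies

    def applies_in(self, company):
        return not self.companies or company in self.companies


def _grant_covers(granted_type, wanted_type):
    """A Grant at a higher hierarchical type implies the lower ones; Invoke does not."""
    if granted_type in ACCESS_RANK and wanted_type in ACCESS_RANK:
        return ACCESS_RANK[granted_type] >= ACCESS_RANK[wanted_type]
    return granted_type == wanted_type


def effective_access(assignments, company, obj, access_type):
    """True when the user may perform access_type on obj while working in company."""
    granted = False
    for assignment in assignments:
        if not assignment.applies_in(company):
            continue  # company restriction: this role contributes nothing here
        for priv in assignment.role.privileges:
            for atype, level in priv.permissions.get(obj, {}).items():
                if level is Level.DENY and atype == access_type:
                    return False  # an explicit Deny wins over every Grant
                if level is Level.GRANT and _grant_covers(atype, access_type):
                    granted = True
    return granted


def highest_access(assignments, company, obj):
    """Highest hierarchical access type held on obj, or None (an access-review view)."""
    for atype in reversed(HIERARCHICAL):
        if effective_access(assignments, company, obj, atype):
            return atype
    return None


def demo():
    # Constructed sample security: a clerk who may maintain sales orders in one
    # company, plus a role that locks sales headers (the slide's Deny example).
    sales_maintain = Privilege("SalesOrderMaintain", {
        "SalesTable": {"Delete": Level.GRANT},
        "SalesLine": {"Delete": Level.GRANT},
    })
    header_lock = Privilege("SalesHeaderDenyModify", {
        "SalesTable": {"Update": Level.DENY, "Create": Level.DENY, "Delete": Level.DENY},
    })
    assignments = [
        RoleAssignment(Role("SalesClerk", [sales_maintain]), frozenset({"USMF"})),
        RoleAssignment(Role("SalesHeaderLock", [header_lock])),  # all companies
    ]
    return {
        "header_read_usmf": effective_access(assignments, "USMF", "SalesTable", "Read"),
        "header_update_usmf": effective_access(assignments, "USMF", "SalesTable", "Update"),
        "line_update_usmf": effective_access(assignments, "USMF", "SalesLine", "Update"),
        "line_update_demf": effective_access(assignments, "DEMF", "SalesLine", "Update"),
        "header_highest_usmf": highest_access(assignments, "USMF", "SalesTable"),
        "line_highest_usmf": highest_access(assignments, "USMF", "SalesLine"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The header-lock role is not restricted to a company, so its Deny follows the user everywhere, while the clerk role restricted to USMF grants nothing in DEMF. `highest_access` is the view a manager or BPO would want for the periodic review the earlier slide asks for: one line per object with the strongest access the user actually ends up with after all layers are combined.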
Know Where Security is Stored
- If security is created/modified within the AOT, it is stored as code (development artifact)
- If security is created/modified within the Security Configuration area of the application, it is stored in the database
Use Security Diagnostics for Task Recordings
What are they?
- Native AX/D365FO feature
- Records the steps a user performs within the application
- Normally used for documentation or testing purposes
How do they help with security setup?
- Can help identify which objects are consumed or utilized while performing a task
There are some gaps:
- Only works for menu item displays (not outputs or actions)
- Does not show the access required for an object
- Does not show menu items tied to forms
- Cannot analyze certain security situations (security done in code, or stored in tables)
Add View with Role Set Option within Visual Studio
- Similar to Launch Test Workspace within the AX 2012 Security Development Tool
- Hidden by default within the D365FO Visual Studio instance
- Can be added by installing a Visual Studio extension
D365FO Security Test Workspace
- Since PU32, error when launching
- Created a project to address this (not yet released)
- Will be released on my GitHub soon
Know Limitations of Segregation of Duties Functionality
- Microsoft SOD is done at duty level
  - Potential to have false positives/false negatives/gaps because it is not done at object level
  - Ex: privileges assigned directly to a role (bypassing duty assignment)
- Any security change done at duty or privilege level requires the ruleset to be re-validated
- No ruleset out of box
  - End user must create their own rules
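To make the duty-level limitation concrete, here is an added Python example (not from the presentation, Microsoft or Fastpath) that runs one conflict rule at duty level and at object level over three constructed users. All role, duty, privilege and object names are made up for the illustration; they are not the real D365FO artifacts.

```python
"""Toy segregation-of-duties (SOD) analysis contrasting the duty-level check
the slide describes with an object-level check.

Added illustration, not Microsoft's or Fastpath's code. Role, duty,
privilege and object names are constructed for the example. A rule pairs two
business functions one person must not hold together; the duty-level rule
names duties, the object-level rule names the objects that actually carry
out each function.
"""
from dataclasses import dataclass, field


@dataclass
class Privilege:
    name: str
    objects: frozenset  # objects this privilege grants access to


@dataclass
class Duty:
    name: str
    privileges: list


@dataclass
class Role:
    name: str
    duties: list = field(default_factory=list)
    privileges: list = field(default_factory=list)  # assigned directly, bypassing duties


DUTY_RULES = [("MaintainVendors", "ProcessVendorPayments")]
OBJECT_RULES = [(frozenset({"VendTable"}), frozenset({"VendPaymentJournal"}))]


def duty_names(roles):
    return {duty.name for role in roles for duty in role.duties}


def reachable_objects(roles):
    """Every object a user reaches, through duties or directly assigned privileges."""
    objs = set()
    for role in roles:
        for priv in role.privileges:
            objs |= priv.objects
        for duty in role.duties:
            for priv in duty.privileges:
                objs |= priv.objects
    return objs


def duty_level_violations(roles):
    names = duty_names(roles)
    return [rule for rule in DUTY_RULES if rule[0] in names and rule[1] in names]


def object_level_violations(roles):
    objs = reachable_objects(roles)
    return [rule for rule in OBJECT_RULES if rule[0] & objs and rule[1] & objs]


def demo():
    vend_maintain = Privilege("VendTableMaintain", frozenset({"VendTable"}))
    vend_pay = Privilege("VendPaymentJournalMaintain", frozenset({"VendPaymentJournal"}))
    vend_inquire = Privilege("VendTransInquire", frozenset({"VendTrans"}))

    maintain_vendors = Duty("MaintainVendors", [vend_maintain])
    process_payments = Duty("ProcessVendorPayments", [vend_pay])
    # A customised copy that kept the duty's name but lost the payment privilege.
    payments_customised = Duty("ProcessVendorPayments", [vend_inquire])

    users = {
        # both functions through duties: both analyses agree
        "alice": [Role("APClerk", duties=[maintain_vendors, process_payments])],
        # payment privilege assigned straight to the role, bypassing any duty:
        # duty-level analysis sees no conflict (false negative)
        "bob": [Role("APPowerUser", duties=[maintain_vendors], privileges=[vend_pay])],
        # duty name matches the rule but the duty no longer reaches the
        # conflicting object: duty-level analysis flags it anyway (false positive)
        "carol": [Role("APReviewer", duties=[maintain_vendors, payments_customised])],
    }
    return {
        user: {
            "duty_level": bool(duty_level_violations(roles)),
            "object_level": bool(object_level_violations(roles)),
        }
        for user, roles in users.items()
    }


if __name__ == "__main__":
    for user, result in demo().items():
        print(user, result)
```

Bob is the case the slide calls out: a privilege assigned directly to the role never passes through a duty, so a duty-name rule cannot see it. Carol shows the other direction and why the slide insists the ruleset be re-validated after any duty or privilege change: once the duty's contents drift from its name, a rule written against the name reports a conflict that no longer exists at the object level.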
Understand How to Utilize Process Controls / Mitigations
- Used when user access causing an SOD violation cannot be removed
- Can be internal or external to the application:
  - Manager / BPO sign off
  - Transaction sampling
  - Workflows
  - Positive pay at bank
- Will be used in every environment; it is not feasible to get to 0 SOD risks
- Must be a blend of security and process controls
Establish a Process to Provision Users
Process should include:
- User being provisioned
- Access the user requires
- Managerial approvals required
- Time duration the request should be active
Monitor User Logins
- Helps to identify potential security risks/issues
- System Administration -> Inquiries -> User Log
Plan for Changing User Access
- User access is constantly changing:
  - Employee promotion
  - Employee sick leave / vacation
  - Firefighter/Emergency access
  - Backup user access
  - Employee termination
- Is access going to be temporary or permanent?
- Who will assign/remove access?
- Is this process documented for audit review?
Never Make Security Changes Directly in Production
Don't do this
- Treat security as code
- A developer can't change code straight in production; you shouldn't be changing security there directly either
Do this instead!
- Security changes should go into the DEV instance and go through the code promotion process to other environments
Take a Risk-Based Approach to Review, Setup, and Tracking
- Not every access within the application is at the same risk level
- Categorize access into levels (high, medium, low, etc.)
- Reviews should focus on high-risk access
- Reviewing high-risk areas more closely has the greatest ROI:
  - Less data to review
  - More accurate reviews
  - Can spend less time on reviews
Security is More Than Just Dynamics
- Other systems outside of the ERP can also affect overall security
- Think in terms of "rings", where each ring builds on the rings inside it
Questions?
Alex Meyer
Email: meyer@gofastpath.com
Blog: http://d365foblog.com
Resources
- 30 Tips n' Tricks To Secure Dynamics 365 for Finance and Operations
- Options for Configuring User Legal Entity Restrictions in D365FO
- Develop and Implement Least Privilege Security for Dynamics 365 for Finance and Operations
- Extensible Data Security (XDS) Framework in D365FO
- Table Permission Framework in D365FO
- How To Utilize the Deny Permission in Dynamics 365 for Finance & Operations
- How to Simulate the Security Development Tool in Dynamics 365 for Finance and Operations
- How to Simulate the Security Development Tool in Dynamics 365 for Finance and Operations using View With Role Set
- Gaps in the Security Diagnostics for Task Recordings Features in D365FO
- Fastpath vs. Dynamics AX/D365FO Segregation of Duty Analysis Comparison
- Best Practice for Moving D365FO Security Between Environments