Differences in security between AX 2012 and D365

Post on 16-Oct-2021


www.arbelatech.com


Agenda

• Introduction
• Digital Transformation
• Security: D365 vs. AX 2012
• Understanding concepts
• Review security management process
• New implementation
• Support existing
• Features available
• Scenario
• Q&A

D365/AXUG volunteer:
• Perennial summit presenter and attendee

Dynamics Experience:
• 8 Years Dynamics AX
• 4 years Technical and Functional respectively
• Environment Management and Network
• Business Process and Change Management
• 5 years Security and Audit Compliance

corey@arbelatech.com
@coreybakhtiary

Arbela by the Numbers

• 145+ Resources
• 3 Integrated Practices
• 2 Gold Certifications
• 3 Silver Certifications
• 250+ MS Exams Passed
• 5 Offices (US, UK, Ukraine)
• 4 Arbela Products
• 4 X-as-a-Service offerings
• 25 Nationalities
• 21 Languages Spoken

• Dynamics 365 Customer Service
• Dynamics 365 Field Service
• Dynamics 365 Sales
• Dynamics 365 PSA
• Dynamics 365 Finance & Operations
• Dynamics 365 Talent
• Dynamics 365 Customer Insights
• One Step Consolidation
• Master Data Centralization
• Arbela Data Insights
• Audit & Security Manager
• BI as a Service
• Marketing as a Service
• Security as a Service
• Customer Engagement as a Service
• BI & Analytics

Effective Differences and Similarities between 2012 and D365

• Authentication and Authorization are the same
  • Azure AD vs. AD
• Role/Duty/Privilege are similar
  • Added securable objects – entity
  • Naming conventions
  • Upgrade path?
• Added features to manage and report on security
  • Security Development tool -> embedded in D365
  • D365 - Test as role feature in Visual Studio
  • Users and roles, roles and users
  • Role and access
  • Role by Duty – SOD
• UI vs Development changes

Security architecture of Microsoft Dynamics 365 for Operations


User Access - Application

Role
  • Highest level of assignment
  • OOB 85+

Duty
  • Used by Segregation of Duties checker in compliance module
  • OOB approximately 850

Privilege
  • Lowest level normally used in security design
  • OOB approximately 8000

Permission
  • Table and control level
  • OOB over 25,0000

Naming conventions:
  • Inquire/View - Read
  • Maintain – Full Control (Delete)
  • Enable – Setup area
  • Perf Review

Concepts

• Access levels
  • Min and Max
• 5 core access levels
  • No Access
  • View/Read
  • Edit/Update
  • Create/Add
  • Full Control/Delete
• Deny>Grant>Unset
• Modifying access
  • Increase or decrease
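Added example (not from the original slides, and not D365 code): a simplified Python model of how the Deny>Grant>Unset precedence plays out when a user holds several roles, plus a duty-level SOD check of the kind the slides attribute to the compliance module. All role, duty, privilege and entry point names and the SOD rule are constructed for illustration.

```python
# Added illustration: a simplified model, not D365 code. All names are constructed.
PRECEDENCE = {"Unset": 0, "Grant": 1, "Deny": 2}    # Deny > Grant > Unset
LEVELS = ["Read", "Update", "Create", "Delete"]

# role -> duty -> privilege -> entry point -> {access level: state}
ROLES = {
    "Invoice clerk": {"Maintain invoices": {"InvoiceMaintain": {
        "ExampleInvoiceForm": {"Read": "Grant", "Update": "Grant", "Create": "Grant"}}}},
    "Payment clerk": {"Maintain payments": {"PaymentMaintain": {
        "ExamplePaymentForm": {"Read": "Grant", "Update": "Grant", "Create": "Grant"}}}},
    "Auditor": {"Inquire into invoices": {"InvoiceView": {
        "ExampleInvoiceForm": {"Read": "Grant", "Update": "Deny", "Create": "Deny"}}}},
}
# Constructed rule: one user must not hold both duties.
SOD_RULES = [("Maintain invoices", "Maintain payments")]


def effective_access(assigned):
    """Return {entry point: [granted levels]} for a user's stacked roles."""
    merged = {}
    for role in assigned:
        for duty in ROLES[role].values():
            for privilege in duty.values():
                for entry_point, perms in privilege.items():
                    slot = merged.setdefault(entry_point, dict.fromkeys(LEVELS, "Unset"))
                    for level, state in perms.items():
                        if PRECEDENCE[state] > PRECEDENCE[slot[level]]:
                            slot[level] = state   # stronger state wins
    # Only Grant opens a level; Deny and Unset both leave it closed.
    return {ep: [lv for lv in LEVELS if s[lv] == "Grant"] for ep, s in merged.items()}


def sod_conflicts(assigned):
    """Return the SOD rules violated by the duties reachable from the roles."""
    duties = {duty for role in assigned for duty in ROLES[role]}
    return [rule for rule in SOD_RULES if set(rule) <= duties]


if __name__ == "__main__":
    for user_roles in (["Invoice clerk", "Auditor"], ["Invoice clerk", "Payment clerk"]):
        print(user_roles, effective_access(user_roles), sod_conflicts(user_roles))
```

In this model, stacking the Auditor role on top of Invoice clerk reduces the user to Read on the invoice form, because a single Deny outranks any Grant; this is why a Deny in a widely assigned role needs review before go-live.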


Concepts

• Configuration vs Development
  • Run-time vs. Development workspace
• Object vs Record security
  • Access to Vendors vs. Access to Vendors in Vendor Group 10
• SOD
  • Embedded SOD concerns – OOB roles
  • Entry
  • Setup
  • Transactional
• Licensing
  • Determined by access not use!

D365 - Table Structure

• Abstraction of security related tables
• Complex table relationships
• Table references are provided in table column – XML format

D365 - Security Permissions

1. Create security objects in Visual Studio

As before, a developer can create or edit roles, duties and privileges in the AOT, and these can be deployed through deployable packages. They are visible in the UI.

2. Create security objects within the UI

As in AX 2012, users can create and edit security objects from the UI; in the back end, however, D365 does not create any objects. All changes are stored as data and must be published to be committed.

**Does not commit to the AOT!

D365 - Context-based Security

[Figure panels: AX 2012; D365 for F & O]

Customizations

• Menu items
• Context security
• Entry point specific
• View and Full Control
• Unless reports or Jobs
• Enhancement or New Feature?
• Extend or New permission?
• Cannot remove in AOT
• Disable from configurator
• Find related

D365 - Data Entities

• Power BI/reporting
• Wizard
  • Privileges: EntityView, EntityMaintain

Security Model Development

| Project Phase | Security level | Security Model Development |
|---|---|---|
| Design | Standard roles or system administrator | Try not to start project core team members on system administrator! |
| Development | Custom functional roles with standard roles embedded | Create custom functional roles and begin to “tune” as needed for your business processes (at Planar we ended with ~40 custom roles). |
| Testing | SHOULD be using custom functional roles by now! | If testers have an issue performing a test step, this signifies either wrong “function” executing step or modification to custom role needed. |
| CRP-x | Custom functional roles | Track security access issues as a part of the CRP – this will be a continual refinement! |
| UAT | Finalized custom functional roles | You may have open security issues, as a workaround grant “higher” access than desired. |
| Go Live | Security Model in place | Set up security request forms for user access and process for requesting changes to roles. |

MATURITY ~ PRECISION

Process: New Security Model

• Analyze/Discover
• Design (T)
  • Customizations
  • Find references
• Develop/Test (T)
• CRP/UAT
• Deploy (T)
  • Promote
• Support

Features to know

• Security configuration (Functional)
• Task recorder (Functional)
• Security diagnostics (Functional)
• Visual Studio
• Task recorder import
• Application/Solution Explorer
• View related roles/duties
• View with role set
• Excel workbook designer
• Data management
• Project filter
• Security Development Tool
• Security Roles, Duties and Privileges
• Process Cycle

Analyze/Discover - Identify Requirements

• Opportunity
  • Standardize
  • Business meets System or System meets Business?
  • Leverage
    • Legacy system
    • Standard Operating Procedures
    • Training documentation
  • Interviews
    • BPO sign off
• Considerations
  • Controls/SOD
  • Licensing

Design - Technical

• OOB roles or custom roles?
  • Align HR/Job title to role
  • Test/report and find missing permissions or over assignment
  • Customizations
    • Find related
  • Data entities
  • Show Identifier
  • How much time can you spend?

Features to use:
• D365
  • Visual Studio (App)
  • Task recorder
• AX 2012
  • AOT
  • Task recorder

Design

• Role stacking
• Super roles are inflexible
• Activity/task roles require maintenance
• Group by Department or BPO
• SOD and Licensing implications
• Licensing
• Visual Studio Add-ins
• Segregation of duties functionality in Sys Admin module

Features to use:
• D365
  • Visual Studio (App)
  • Task recorder
  • Security Diagnostics
  • Install Dev Tools
• AX 2012
  • AOT
  • Task recorder

Design:

• Task recorder
• Security diagnostics

Develop/Test

• Naming conventions
• New permissions
• Duplicate
• Name explicitly
• Build/Deploy
• Test
• Iterate Dev -> Test -> Dev -> Test
• Test everything?
• Report
• Prepare for CRP/UAT

Features to use:
• D365
  • Security configurator
  • Visual Studio (App)
  • App Explorer
  • Add-ins
  • View with role set
  • Install Dev Tools
  • Task recorder
• AX 2012
  • Security Development tool
  • AOT
  • Task recorder

Develop:

• View All Process Role - PTP
• Test

Deploy

• Promote
• UI (Data Management)
• VS (Source Code)
• Import User
• Excel workbook designer
• Assign Users to Roles
• Legal Entity assignment

Features to use:
• D365
  • Users
  • Data management
• AX 2012
  • Users
  • AOT project or model

Deploy - Promote

• Data Management
  • System Administration
• Export
  • Metadata entities
  • Source data format
  • Sequence
• Edit file
• Import
  • Bulk Overwrite

Deploy:

Promote


Deploy - Promote

• Source Code
• Cloud
  • Hand off to Microsoft
  • Automated
• On-premise
  • Full DB rights

Deploy – Import Users

• Excel Workbook Designer
  • Org Admin
  • Setup
• Import Users
  • Validation
  • UserID
  • NetworkDomain

Excel Workbook designer


Deploy:

User import

Role Promotion


Support/Optimize

• Periodic reporting
  • User access reviews
  • Control reviews
  • Interruption of operations due to security
  • Internal Controls
    • SOD
    • Industry Best Practices
• Licensing

QUESTIONS?


THANK YOU
