www.arbelatech.com
Differences in security between AX 2012 and D365
Agenda
• Introduction
• Digital Transformation
• Security: D365 vs. AX 2012
• Understanding concepts
• Review security management process
• New implementation
• Support existing
• Features available
• Scenario
• Q&A
D365/AXUG volunteer:
• Perennial summit presenter and attendee
Dynamics Experience:
• 8 Years Dynamics AX
• 4 years Technical and Functional respectively
• Environment Management and Network
• Business Process and Change Management
• 5 years Security and Audit Compliance
@coreybakhtiary
Arbela by the Numbers
• 145+ Resources
• 3 Integrated Practices
• 2 Gold Certifications
• 3 Silver Certifications
• 250+ MS Exams Passed
• 5 Offices (US, UK, Ukraine)
• 4 Arbela Products
• 4 X as a Service’s
• 25 Nationalities
• 21 Languages Spoken
Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Sales, Dynamics 365 PSA, Dynamics 365 Finance & Operations, Dynamics 365 Talent, Dynamics 365 Customer Insights
One Step Consolidation, Master Data Centralization, Arbela Data Insights, Audit & Security Manager
BI as a Service, Marketing as a Service, Security as a Service, Customer Engagement as a Service
BI & Analytics
Effective Differences and Similarities between 2012 and D365
• Authentication and Authorization are the same
  • Azure AD vs. AD
• Role/Duty/Privilege are similar
  • Added securable objects – entity
• Naming conventions
• Upgrade path?
• Added features to manage and report on security
  • Security Development tool -> embedded in D365
• D365 - Test as role feature in Visual Studio
• Users and roles, roles and users
• Role and access
• Role by Duty – SOD
• UI vs Development changes
Security architecture of Microsoft Dynamics 365 for Operations
User Access - Application
Role
• Highest Level of assignment
• OOB 85+
Duty
• Used by Segregation of Duties checker in compliance module
• OOB approximately 850
Privilege
• Lowest level normally used in security design
• OOB approximately 8000
Permission
• Table and control level
• OOB over 25,0000
Naming conventions:
• Inquire/View - Read
• Maintain – Full Control (Delete)
• Enable – Setup area
• Perf Review
Concepts
• Access levels
  • Min and Max
• 5 core access levels
  • No Access
  • View/Read
  • Edit/Update
  • Create/Add
  • Full Control/Delete
• Deny > Grant > Unset
• Modifying access
  • Increase or decrease
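Added example (not from the original deck, and not D365's own evaluation code): a simplified model of how the five access levels and the Deny > Grant > Unset precedence combine when several roles are assigned to one user. The role names, the "Vendors" object and the rule that access stops at the first level that is not granted are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):          # the five core access levels from the slide
    NO_ACCESS = 0
    READ = 1                   # View/Read
    UPDATE = 2                 # Edit/Update
    CREATE = 3                 # Create/Add
    DELETE = 4                 # Full Control/Delete

DENY, GRANT, UNSET = "Deny", "Grant", "Unset"
PRECEDENCE = {DENY: 2, GRANT: 1, UNSET: 0}   # Deny > Grant > Unset

def merge(states):
    """Combine the settings for one level coming from every assigned role."""
    return max(states, key=PRECEDENCE.get, default=UNSET)

def effective_level(roles, user_roles, obj):
    """Highest level the user ends up with on obj across all assigned roles."""
    result = Level.NO_ACCESS
    for level in list(Level)[1:]:                      # READ .. DELETE
        states = [roles[r].get(obj, {}).get(level, UNSET) for r in user_roles]
        # Assumption of this model: a Deny or Unset level also blocks
        # every level above it.
        if merge(states) != GRANT:
            break
        result = level
    return result

# Constructed sample data: role -> securable object -> level -> setting.
ROLES = {
    "AP clerk":   {"Vendors": {Level.READ: GRANT, Level.UPDATE: GRANT}},
    "AP manager": {"Vendors": {lvl: GRANT for lvl in list(Level)[1:]}},
    "Auditor":    {"Vendors": {Level.READ: GRANT, Level.UPDATE: DENY}},
}

if __name__ == "__main__":
    for assigned in (["AP clerk"], ["AP clerk", "AP manager"],
                     ["AP manager", "Auditor"]):
        print(assigned, "->", effective_level(ROLES, assigned, "Vendors").name)
```

Stacking "AP manager" on top of "AP clerk" raises access to full control, while adding "Auditor" pulls the same user back to read-only because its Deny on Update outranks every Grant.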
Concepts
• Configuration vs Development
  • Run-time vs. Development workspace
• Object vs Record security
  • Access to Vendors vs. Access to Vendors in Vendor Group 10
• SOD
  • Embedded SOD concerns – OOB roles
  • Entry
  • Setup
  • Transactional
• Licensing
  • Determined by access not use!
D365 - Table Structure
• Abstraction of security related tables
• Complex table relationships
• Table references are provided in table column – XML format
D365 - Security Permissions
1. Create security objects in Visual Studio
As before, a developer can create or edit roles, duties and privileges in the AOT and deploy them through deployable packages. They are visible in the UI.
2. Create security objects within UI
As in AX 2012, users can create and edit security objects from the UI; in the back end, however, D365 does not create any objects. All changes are stored as data and must be published to be committed.
** Does not commit to AOT!
D365 - Context-based Security
AX 2012 D365 for F & O
Customizations
• Menu items
• Context security
• Entry point specific
• View and Full Control
• Unless reports or Jobs
• Enhancement or New Feature?
• Extend or New permission?
• Cannot remove in AOT
• Disable from configurator
• Find related
D365 - Data Entities
• Power BI/reporting
• Wizard
  • Privileges: EntityView, EntityMaintain
Security Model Development

| Project Phase | Security level | Security Model Development |
|---|---|---|
| Design | Standard roles or system administrator | Try not to start project core team members on system administrator! |
| Development | Custom functional roles with standard roles embedded | Create custom functional roles and begin to “tune” as needed for your business processes (at Planar we ended with ~40 custom roles). |
| Testing | SHOULD be using custom functional roles by now! | If testers have an issue performing a test step, this signifies either the wrong “function” executing the step or a needed modification to the custom role. |
| CRP-x | Custom functional roles | Track security access issues as a part of the CRP – this will be a continual refinement! |
| UAT | Finalized custom functional roles | You may have open security issues; as a workaround, grant “higher” access than desired. |
| Go Live | Security Model in place | Set up security request forms for user access and a process for requesting changes to roles. |

MATURITY ~ PRECISION
Process: New Security Model
• Analyze/Discover
• Design (T)
  • Customizations
  • Find references
• Develop/Test (T)
• CRP/UAT
• Deploy (T)
  • Promote
• Support
Features to know
• Security configuration (Functional)
• Task recorder (Functional)
• Security diagnostics (Functional)
• Visual Studio
• Task recorder import
• Application/Solution Explorer
• View related roles/duties
• View with role set
• Excel workbook designer
• Data management
• Project filter
• Security Development Tool
• Security Roles, Duties and Privileges
• Process Cycle
Analyze/Discover - Identify Requirements
• Opportunity
  • Standardize
  • Business meets System or System meets Business?
  • Leverage
    • Legacy system
    • Standard Operating Procedures
    • Training documentation
    • Interviews
      • BPO sign off
• Considerations
  • Controls/SOD
  • Licensing
Design - Technical
• OOB roles or custom roles?
  • Align HR/Job title to role
  • Test/report and find missing permissions or over assignment
  • Customizations
    • Find related
    • Data entities
    • Show Identifier
  • How much time can you spend?
Features to use:
• D365
  • Visual Studio (App)
  • Task recorder
• AX 2012
  • AOT
  • Task recorder
Design
• Role stacking
• Super roles are inflexible
• Activity/task roles require maintenance
• Group by Department or BPO
• SOD and Licensing implications
• Licensing
• Visual Studio Add-ins
• Segregation of duties functionality in Sys Admin module
Features to use:
• D365
  • Visual Studio (App)
  • Task recorder
  • Security Diagnostics
  • Install Dev Tools
• AX 2012
  • AOT
  • Task recorder
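Added example (not from the original deck, and not the D365 compliance module's own logic): a small segregation-of-duties check over role-to-duty assignments, covering both the "role stacking" bullet above and the earlier "Embedded SOD concerns – OOB roles" bullet. All role, duty and user names and the two SOD rules are constructed for illustration.

```python
# Constructed sample data; none of these names come from a real environment.
ROLE_DUTIES = {
    "AP clerk":       {"Maintain vendor master", "Maintain vendor invoices"},
    "AP payments":    {"Maintain vendor payments"},
    "Purchasing all": {"Maintain purchase orders", "Maintain vendor master",
                       "Maintain vendor payments"},
}
SOD_RULES = [  # pairs of duties one person should not hold together
    ("Maintain vendor master", "Maintain vendor payments"),
    ("Maintain vendor invoices", "Maintain vendor payments"),
]
USER_ROLES = {
    "alice": ["AP clerk"],
    "bob":   ["AP clerk", "AP payments"],
    "carol": ["Purchasing all"],
}

def sources(duty, roles):
    """Roles among those assigned that carry the given duty."""
    return sorted(r for r in roles if duty in ROLE_DUTIES[r])

def sod_conflicts(user):
    """Return (duty_a, duty_b, roles_a, roles_b, kind) per violated rule."""
    roles = USER_ROLES[user]
    found = []
    for duty_a, duty_b in SOD_RULES:
        roles_a, roles_b = sources(duty_a, roles), sources(duty_b, roles)
        if not (roles_a and roles_b):
            continue                      # user holds at most one side
        # If one role carries both duties the conflict is built into that
        # role; otherwise it only appears because roles were stacked.
        embedded = bool(set(roles_a) & set(roles_b))
        kind = "embedded in one role" if embedded else "role stacking"
        found.append((duty_a, duty_b, roles_a, roles_b, kind))
    return found

if __name__ == "__main__":
    for user in USER_ROLES:
        for conflict in sod_conflicts(user):
            print(user, conflict)
```

A conflict of kind "embedded in one role" needs a redesign of that role, while a "role stacking" conflict can be resolved by changing the user's assignments.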
Design:
Task recorder
Security diagnostics
Develop/Test
• Naming conventions
• New permissions
• Duplicate
• Name explicitly
• Build/Deploy
• Test
• Iterate Dev -> Test -> Dev -> Test
• Test everything?
• Report
• Prepare for CRP/UAT
Features to use:
• D365
  • Security configurator
  • Visual Studio (App)
  • App Explorer
  • Add-ins
  • View with role set
  • Install Dev Tools
  • Task recorder
• AX 2012
  • Security Development tool
  • AOT
  • Task recorder
Develop:
• View All Process Role - PTP
• Test
Deploy
• Promote
• UI (Data Management)
• VS (Source Code)
• Import User
• Excel workbook designer
• Assign Users to Roles
• Legal Entity assignment
Features to use:
• D365
  • Users
  • Data management
• AX 2012
  • Users
  • AOT project or model
Deploy - Promote
• Data Management
  • System Administration
• Export
  • Metadata entities
  • Source data format
  • Sequence
• Edit file
• Import
  • Bulk Overwrite
Deploy:
Promote
Deploy - Promote
• Source Code
• Cloud
  • Hand off to Microsoft
  • Automated
• On-premise
  • Full DB rights
Deploy – Import Users
• Excel Workbook Designer
  • Org Admin
  • Setup
• Import Users
  • Validation
  • UserID
  • NetworkDomain
Excel Workbook designer
Deploy:
User import
Role Promotion
Support/Optimize
• Periodic reporting
  • User access reviews
  • Control reviews
  • Interruption of operations due to security
  • Internal Controls
    • SOD
    • Industry Best Practices
• Licensing
QUESTIONS?
THANK YOU