Unified Operations & Dynamics AX Forum

Expand all | Collapse all

System Admins' Access Concerns

  • 1.  System Admins' Access Concerns

    Posted 08-23-2018 12:58 PM

    Hi Everyone,

    We are looking to address the concerns of our Accounting Team, regarding the IT System Admins' security role unfettered access, that could allow nefarious activities. One concern is the ability to create  vendors then generate payments to themselves (via the vendors they created) without it being immediate recognized.

    Can anyone share their process and controls, they have established, to mitigate this risk?



    ------------------------------
    Marva Dockery
    Ultimate Software
    ------------------------------


  • 2.  RE: System Admins' Access Concerns

    GOLD CONTRIBUTOR
    Posted 08-23-2018 01:11 PM
    Hi Marva-

    There was a discussion post a few days ago titled AX2012 R3 - Segregation of Duties regarding segregation of duties in AX/D365. Below is a link to the post.

    Unified Operations & Dynamics AX Forum - Dynamics AX User Group

    There were some very good responses that I think will address the question you have posed in this post. Hope this helps!

    ------------------------------
    Robin Finnell
    Continuous Improvement Coordinator
    Operations Lead - D365FO/MES Implementation
    Tillamook County Creamery Association
    Tillamook
    ------------------------------



  • 3.  RE: System Admins' Access Concerns

    TOP CONTRIBUTOR
    Posted 08-23-2018 02:58 PM
    Marva,
    The sys admin role is a tricky one. From a system access perspective, it is not granting all security, it is a complete lack of security. So things like group membership, segregation of duties and most other AX security features are simply ignored. There are a few things that can be done to help alleviate these concerns.
    The main reason a user needs sysadmin in 2012 is to get to the development environment. Most would argue this should not be allowed in a production system and I agree, to a degree. Sometimes troubleshooting in prod is the only way to see how a specific issue is occurring. This should be a rare occurrence. For all other access (like user admin, database maintenance, etc.) a security group could be built to limit access to just the features a sysadmin needs. Once there is an actual role (and not sysadmin) then all the security features kick in and you should be good. This may take some time to create, but it is the most reliable solution.
    If users need get into the dev environment, have a process for requesting and logging the grant, making sure to revoke when done.
    If a dedicated role wont work and sysadmin has to stay in place, consider turning on database logging for the processes that cause concern. Send a manager an alert every time a new vendor is created, etc. You need to be careful with this one so you don't turn on logging for everything as it can cause system issues, but in limited scope in can work very well. Keep in mind a sysadmin can disable database logging in AX, so an external log (at the SQL level perhaps) may be needed here.

    ------------------------------
    Scott Morley

    ------------------------------



  • 4.  RE: System Admins' Access Concerns

    Posted 08-23-2018 04:18 PM

    Thank you, Scott, for your feedback.

    I will share your suggestions with my team as well as revisit the alerts, since that was one of the options we discussed.  



    ------------------------------
    Marva Dockery
    Ultimate Software
    ------------------------------



  • 5.  RE: System Admins' Access Concerns

    TOP CONTRIBUTOR
    Posted 08-24-2018 01:52 AM
    ​I've not used one before - but I understand a corporate password vault is the way to go.
    Basic idea - is the sys admin password gets checked out and used as needed, then checked back in. System handles changing it after it gets checked in. Then you can at least have documentation of who is using the login, what they should have been using it for, and if any irregularities are detected, a chance at finding the culprit.

    However, the basic reality of tech is this: A really smart tech can find ways to circumvent just about any control management puts in place (as the nsa & others have discovered). Make sure you hire people you can trust.

    And - don't be shy about hiring a controls manager that asks for a lot of ad-hoc reporting. Most criminal minds are overconfident, and will be discovered by their sloppiness.

    ------------------------------
    Tony Zeigler
    Senior Consultant
    Strategic Solutions NW, LLC
    Beaverton OR
    ------------------------------



  • 6.  RE: System Admins' Access Concerns

    Posted 08-23-2018 03:53 PM
    ​Thank you Robin, I will take a look at the information.

    ------------------------------
    Marva Dockery
    Ultimate Software
    ------------------------------



  • 7.  RE: System Admins' Access Concerns

    SILVER CONTRIBUTOR
    Posted 08-23-2018 01:25 PM
    Marva,

    I'll second Segragation of Duties.

    In other scenarios, specifically pertaining to ACH payment methods, where a .txt file is generated onto a network share, we had approached the security issue by locking down permissions on the file path. Furthermore, we had limited access to our ACH upload page from the bank to strictly the Controller/AP MGR.

    ------------------------------
    Ian Gorman, PMP, MCSE
    Consultant
    ------------------------------



  • 8.  RE: System Admins' Access Concerns

    Posted 08-23-2018 04:22 PM
    Thanks ​Ian for your response.

    Yes, the file is auto generated and user do not have access/permissions on the file path.  Thanks again.

    ------------------------------
    Marva Dockery
    Ultimate Software
    ------------------------------



  • 9.  RE: System Admins' Access Concerns

    TOP CONTRIBUTOR
    Posted 08-24-2018 10:38 AM
    We developed a process that when one of the IT BAs or developers needs sysadmin access to correct a problem.  We create a ticket in our Helpdesk application.  Reason, access is approved, granted, IT personnel does their activity, access removed are all logged in the ticket.  Then an audit can occur for whatever desired.  We only check for changes in AOT objects (code changes) and granting or remvoving of AX security.  But you can check whatever concerns you.  The audit is also recorded in the ticket and then closed.  The only person who has sysadmin permanently is our system administrator/DBA.  We've also instituted some business controls to monitor activity.  They are more of monthly reports that are reviewed, but you could run them as often as you want if you have a specific area of concern.  I will be speaking at AXUG Summit - ERP Security in AX2012 - Why Does it Matter? and will get into segregation of duty and business controls.  It is currently scheduled for Wed at 11:15am in Rm 123.  Join me at my session!!!

    ------------------------------
    GG Rowe, PMP
    IT Applications and Project Manager
    Planar Systems Inc.
    Hillsboro OR
    ------------------------------



  • 10.  RE: System Admins' Access Concerns

    TOP CONTRIBUTOR
    Posted 08-24-2018 11:46 AM
    Having worked for a SOX compliant company I feel you on the System Administrator role.  Sharing some thoughts and memories on what we did.   We created a job that looked at the ModelElmentData table that ran nightly and produced a daily csv that was sent to our security team of anything not modified by the AOS.  It certainly is not perfect because the date in the table is nothing you could look at and say this is what changed but we could show it was being reviewed and was who we expected when it came to code base.  Another issue here was there was a gap during production code updates as when you swap the modelstore you lose the changes that day and need to validate the SQL job.  Key fields we used database logging that can cause some performance issues but we didn't really see that still I wouldn't go crazy.  In the end our Account department decided to invest in FastPaths Security Audit tool.  A nice tool and makes it easy for a not IT person to setup and review specific fields as well as apply sox rules and check security roles.  However it to failed to monitor the model db but Fast Path was able to create a SQL script to accomplish that for us as well.  We created a SQL job also to monitor who had the System Administrator role so we could show who we said had it was the only ones who had it.

    Happy Security Auditing :)

    ------------------------------
    Mark Zerr
    AX Technical Analyst
    New Sunshine LLC
    Indianapolis IN
    ------------------------------



  • 11.  RE: System Admins' Access Concerns

    Posted 08-24-2018 03:07 PM
    ​Thank you Mark,

    Yes, we will be using the FastPath Security Audit tool as well.

    ------------------------------
    Marva Dockery
    Ultimate Software
    ------------------------------



  • 12.  RE: System Admins' Access Concerns

    Posted 08-24-2018 03:05 PM
    ​Thanks GG,

    Awesome input, I share with my team.

    ------------------------------
    Marva Dockery
    Ultimate Software
    ------------------------------