D365 Finance & Operations and Dynamics AX Forum

Expand all | Collapse all

SoD options

  • 1.  SoD options

    Posted 24 days ago
    Hello,

    What solutions can be used for segregation of duties mitigation in AX2012R3?

    ------------------------------
    Serge
    ------------------------------
    Conference-AXUG_200x200


  • 2.  RE: SoD options

    TOP CONTRIBUTOR
    Posted 24 days ago
    Serge,

    Dynamics AX has native SOD functionality built within the application, this can be found in System Administration -> Setup -> Security -> Segregation of Duties

    Here you can set up your conflicts (ruleset) and looks to see if any of your current users have conflicts based on the roles they are assigned. There are a number of gaps with this solution though:
    - No out of box conflicts/ruleset, this means you have to create the the rules yourself
    - Conflicts are analyzed at the duty level not the object level
       - Because it does not go down to the object level there are a number of cases that can lead to false positives/false negatives within your resulting analysis
       - Numerous ways to subvert this analysis (privilege to role assignment, using AD group security, along with others) which means not all user access is being analyzed as       part of the analysis
       - In AX 2012, there is no way to easily provide a mitigation for these conflicts (there is a place to do this in D365FO).

    I go over these gaps more thoroughly here:
    https://www.gofastpath.com/blog/fastpath-vs-dynamics-ax-d365fo-segregation-of-duty-analysis-comparison

    There are other 3rd party solutions that help meet these gaps. Please feel free to reach out with any questions.

    ------------------------------
    Alex Meyer
    Director of Dynamics AX/365 for Finance & Operations Development
    Fastpath
    Des Moines, IA
    ------------------------------

    Conference-AXUG_200x200


  • 3.  RE: SoD options

    Posted 24 days ago

    Alex
    Can you explain what is meant by AD (active directory) group security?  How can that be used to give access in AX?  And how would it subvert the out of box SoD functionality?

    Thanks
    Calvin



    ------------------------------
    Calvin Eddings
    The Church of Jesus Christ of Latter-Day Saints
    Salt Lake City UT
    ------------------------------

    Conference-AXUG_200x200


  • 4.  RE: SoD options

    TOP CONTRIBUTOR
    Posted 24 days ago
    Calvin,

    Dynamics AX/365FO has functionality that you can use AD groups to set up security. I wrote about the process in D365FO here: https://alexdmeyer.com/2019/02/10/configuring-azure-ad-group-security-in-d365fo/

    During this process users in an AD group are set up in D365FO as a user and assigned the System User role but no other roles, all other access is inherited from the AD group they are a part of. Because of this, these types of users will not show up in the SOD analysis within AX/D365FO because the user isn't directly assigned duties which is how the native SOD functionality determines conflicts.

    ------------------------------
    Alex Meyer
    Director of Dynamics AX/365 for Finance & Operations Development
    Fastpath
    Des Moines, IA
    ------------------------------

    Conference-AXUG_200x200


  • 5.  RE: SoD options

    Posted 24 days ago

    Hi,

    I got a very expensive quote from fastpath. Is there other segregation of duties software from 3rd party?

     

    Best regards,

    Serge

     

     




    Conference-AXUG_200x200


  • 6.  RE: SoD options

    Posted 11 days ago

    Hi Serge,

     

    My name is Paul Vaughan and I am currently employed with an MCA Connect, a Dynamics Partner.  Prior to coming to MCA Connect I was a user and implementer around AX 2012 for the company where I worked.  We chose to purchase the Fastpath suite of products to help us not only with SOD needs but with Licensing control and true-up along with Base Data change tracking.  Their tool allowed me as a user to identify where we had license exposure that would have cost our company several thousand dollars.  We were able to correct that exposure by using the Fastpath tool to easily drill down to the Permission level where the license is identified.

     

    When I came to work for MCA Connect 4 years ago, we partnered with Fastpath to create an offering to our clients using their Fastpath Assure tool doing that same analysis identification and resolution as I did when I was a customer.  We have been able to help our clients identify on the low end around $350K of exposure to a high end of around $3 million.  I wanted to share this with you to help you see a possible way to get a very quick ROI on your investment in their product. 

     

    I could go on about the short comings of SOD out-of-the-box in Dynamics but that would be for another time.

     

    Good luck in your decision.  I hope this helps provide a possible way to see the value of the investment in the Fastpath tools.



    ------------------------------
    Paul Vaughan
    Project Manager
    MCA Connect
    ------------------------------

    Conference-AXUG_200x200


  • 7.  RE: SoD options

    Posted 11 days ago

    Thanks for the insight. Has anybody use Arbela Security Manager (ASM) as well?

    Anything to compare with Fastpath?

     

    Best regards,

    Serge

     

     




    Conference-AXUG_200x200


If you've found this thread useful, dive deeper into User Group community content by role