D365 Finance & Operations and Dynamics AX Forum

Expand all | Collapse all

How does your organization request security access and look at SOD

  • 1.  How does your organization request security access and look at SOD

    SILVER CONTRIBUTOR
    Posted Oct 31, 2019 05:22 PM
    Edited by Calvin Eddings Oct 31, 2019 06:22 PM
    Does anyone have suggestions for workflow request and approval solutions for requesting access to d365?  I need it to help identify SOD risk.   Anyone use Fastpath Identity Manager? Would like to hear feedback about that as a solution.

    Thanks!

    #Security#FinanceandOperations


    ​​​

    ------------------------------
    Calvin Eddings
    The Church of Jesus Christ of Latter-Day Saints
    Salt Lake City UT
    ------------------------------
    Academy - Online Interactive Learning from Experts


  • 2.  RE: How does your organization request security access and look at SOD

    GOLD CONTRIBUTOR
    Posted Nov 01, 2019 07:41 AM
    Hi Calvin,

    We don't have a workflow in place, however, any access request or modification is approved by our ERP business lead, who is also our director of finance. This is done through email, and less than ideal, but it works for us for now. We don't do audits on a regular basis, i.e. who has what role and is that correct, but we do it randomly and usually remove roles from people rather than adding any.

    I should also mention that we use mainly customized security roles and not the ones that came with D365F&O, and they are named after the job titles, so it's a little easier to know who should have what security access just by looking at their job title.

    Let me know if you have any further questions.

    ------------------------------
    Kerstin Newman
    Business Analyst
    StarTech.com
    London ON
    ------------------------------

    Academy - Online Interactive Learning from Experts


  • 3.  RE: How does your organization request security access and look at SOD

    SILVER CONTRIBUTOR
    Posted Nov 01, 2019 11:35 AM
    Thank you very much for your reply.

    Relating that to my situation - it is helpful to hear who is doing your approvals - I am considering a more centralized approval model like you described, versus a very decentralized approval model currently at many locations and by many people. Because I find those people don't understand security enough to really add value or be a 'gate keeper'.

    That is interesting that you have set up custom roles - the idea of that is daunting for the number of job types we have.  We have only done that to provide users to custom code so far.  But I have created job profiles that are lists of d365 roles that should be assigned to a given job profile.  So far that has proven very helpful - instead of just copying users.


    ------------------------------
    Calvin Eddings
    The Church of Jesus Christ of Latter-Day Saints
    Salt Lake City UT
    ------------------------------

    Academy - Online Interactive Learning from Experts


  • 4.  RE: How does your organization request security access and look at SOD

    SILVER CONTRIBUTOR
    Posted Nov 01, 2019 09:03 AM
    We use FastPath with AX 2009.  It has some limitations - maybe not present with D365 - but it works well enough.  I don't know of anything better out there.  Make sure to budget a lot of time for configuration and testing.  I would recommend talking to a 3rd party about what risks you should be measuring.  The out of the box ruleset is fairly limited.  I have one particular consultant I can recommend if you message me.  One big plus on the Fastpath team - Alex Meyer and others are very responsive to questions.

    ------------------------------
    Ben Green
    Orion Energy Systems
    Manitowoc
    ------------------------------

    Academy - Online Interactive Learning from Experts


  • 5.  RE: How does your organization request security access and look at SOD

    Posted Nov 01, 2019 10:48 AM

    FastPath has a nice tool for this.  I'm not sure if standard AX does or not.  We have used the tool in FastPath and it's good.

     

    TJ Dennis

    CIO

    Office-(712) 252-6562

    TJ.Dennis@WilsonTrailer.com

    image001.gif@01CBD975.FA3046E0

     




    Academy - Online Interactive Learning from Experts


  • 6.  RE: How does your organization request security access and look at SOD

    SILVER CONTRIBUTOR
    Posted Nov 01, 2019 12:03 PM
    Hello!  At Texas Roadhouse we have an Accounting Information Systems team and an Accountant in that team prepares every security request for AX & the Director of that team approves each request before it goes to IT for the user to be provisioned.  That same team reviews a list of SOD items every month & prepares a quarterly user review that reviews the roles assigned to users, critical access, etc.  We are on AX 2012 & we have used FastPath since our go-live, 3 years ago.  They have helped us automate our reporting for reviewing SOD's & critical access.  The FastPath team provides great support & has helped us work through multiple initiatives within our team.  Kayla King from our team has also been working with our auditors on controls around workflow & how we can manage that as well.  She also has worked with FastPath on a lot of our automation. Her email is kayla.king@texasroadhouse.com.  Please reach out to her if you would like to discuss more in detail or have any further questions!

    ------------------------------
    Kristal Baird
    Director of Accounting Systems
    Texas Roadhouse
    Louisville KY
    ------------------------------

    Academy - Online Interactive Learning from Experts


If you've found this thread useful, dive deeper into User Group community content by role