Activity | Area | Description | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Add entry points of module menu to security scenario |
Security management |
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to add entry points of a module menu as securable objects to a security scenario. Each entry point in the menu of the module results in a securable object in the scenario.
You can add entry points from several modules to a security scenario. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Add existing task recording to security scenario |
Security management | You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to add an existing task recording to a security scenario.
You can add a task recording:
You can add several existing task recordings to a security scenario. When you add an existing task recording to a security scenario:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Add table read permissions to role or privilege |
Security management | To any role or privilege, you can add read permissions for all tables or a selection of tables.
You can add table read permissions to a role or a privilege. In this task guide, the permissions are added to a role.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Analyze security configuration history |
Security auditing | In the Security and compliance studio, you can audit the security configuration in several ways:
Events done on the security configuration are logged in the security history. So, you can analyze the changes to the security configuration.
These events are logged:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Analyze security scenario and define required access levels |
Security management |
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to analyze the created security scenario and how to define the required access level for each securable object in the scenario.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Analyze segregation of duties |
Security auditing | You can analyze the setup of rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. This procedure explains how you can analyze the segregation of duties setup. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Analyze stand-ins |
Security auditing | As a security auditor, you can review the past, current, and future stand-in assignments. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Appoint stand-ins |
Security management | You can appoint a user as a stand-in for another user for a specified period. For example, if a user has a vacation, you can appoint a stand-in during this vacation.
For auditing purposes, you cannot delete stand-in records with periods in the past.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Approve security request |
Security management | Usually, a security manager must approve the security request before it is implemented.
How the approval process is done, depends on the setup:
When you review the security request, on the Security requests page, on the Action Pane, on the Requests tab, you can:
Once approved, the security request is implemented automatically. If dynamic snapshots are enabled, the implemented security configuration changes are updated automatically in the latest snapshot. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assign roles to user |
Security management | The match roles process often results in new security roles. To access Microsoft Dynamics 365 for Finance and Operations, Enterprise edition, users must be assigned to security roles. This procedure guides you to the pages where you can:
The role assignment is validated automatically to verify if it complies with the segregation of duties rules. If enhanced segregation of duties rules are enabled, the role assignment is validated against the enhanced segregation of duties rules.
If dynamic snapshots are enabled, the role assignments are automatically updated in the latest snapshot.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assign stand-in roles |
Security management |
If you have set up stand-ins, the actual assignment of the required security setup is only done for the defined period. Use the
Assign stand-in roles batch job to do the actual assignment. This batch job activates and deactivates the required security setup for the stand-ins:
Notes:
You are advised to run this batch job daily. Preferably, before working hours. For example, run the batch job at 00:01.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Change table security recording |
Security management | You can make changes to a table security recording. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Compare snapshots |
Security auditing | You can compare snapshots to review the changes made between two snapshot versions. A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:
On creation of a snapshot, a full compare is done with the previous snapshot version. So, if you compare two subsequent snapshots, the Compared field is already set to Yes. You can also compare non-subsequent snapshot versions. If you do so for the first time, you can manually do a full compare or only compare selected records.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Copy security setup to another user |
Security management | You can copy the security setup of a selected user to another user. All security roles, as assigned to the selected user, are copied to the other user. You can also copy the organization access, as defined for the copied roles, to the other user. If a copied security role is already assigned to the other user, this role is updated with the organization access rights from the copied role. On copy, the security setup of the other user is validated for segregation of duties violations. Note: If enhanced segregation of duties rules are enabled, the security setup is validated against the enhanced segregation of duties rules. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create role from scenario based on selected role and selected duties and/or privileges |
Security management |
If a partially matched security role is found, you can create a new security role based on the selected role and selected duties and/or privileges. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create security audit report |
Security auditing |
You can use the security audit report to analyze permissions and permission changes that are made to recorded elements during a specific period.
You can create the report based on:
You can only create this report if Security and compliance IT audit is initialized.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create security log report |
Security auditing |
You can generate a security history log report for audit or other compliance requirements. These compliance requirements can be internal or external. You can generate the report with:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create security request from any page |
Security management | Use security requests to register any required changes in the security setup. As a user, you can create a security request from any page. You can only do so, if the 'Security request user' role is assigned to your user setup. Security request typeFor each security request type, a different type-specific section is added to the Security request page. In this section, fill in or add the required type-specific information. This table shows the available security request types, for each type the related section, and a description of what to do in this section (see step 10):
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create security request in Security and compliance studio |
Security management | As a security administrator, use security requests to register any required changes in the security setup. In Security and compliance studio, you can create security requests from the Security management workspace. Security request typeFor each security request type, a different type-specific section is added to the Security request page. In this section, fill in or add the required type-specific information. This table shows the available security request types, for each type the related section, and a description of what to do in this section (see step 9):
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create security role |
Security management | All users must be assigned to at least one security role to have access to Dynamics 365 for Finance and Operations. The security roles that are assigned to a user determine the duties that the user can perform and the parts of the user interface that the user can view. You can use the Security role wizard to create or edit a security role. You can select the desired duties, privileges, and entry points. SnapshotThe Security role wizard uses the latest snapshot as a basis. So, for the Security role wizard to have the best performance, make sure the latest snapshot is up-to-date. In the Security and compliance studio parameters, the Enable dynamic snapshot parameter exists. If set to:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create security role from scenario with selected duties |
Security management | If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched duties. So, you can create a specific security role, which is still based on the security scenario. The matched duties have at least one of the securable objects from the scenario. In determining the match, the access level for the securable objects, as defined on the security scenario, are not considered.
Note that:
This information offers the opportunity to reduce license costs. You can search for and select the duties with the lowest license type.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create security role from scenario with selected privileges |
Security management | If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched privileges. So, you can create a specific security role, which is still based on the security scenario.
This information offers the opportunity to reduce license costs. You can search for and select the privileges with the lowest license type. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create security scenario |
Security management |
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to create a security scenario.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create security scenario based on RapidValue task guide |
Security management | You can use task guides, which are exported from RapidValue, to create security scenarios in the Security and compliance studio. Note: The task guides are exported from RapidValue as XML files and added to a ZIP file. When downloaded, extract the ZIP file. So, the task guide XML files can be read by the Security and compliance studio. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create segregation of duty from Match roles |
Security management | You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. Complete the following procedure to create a rule from the Match roles page. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create snapshot |
Security auditing | You create snapshots to be able to use Security and compliance studio functions, for example:
SnapshotA snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:
Snapshot creationYou create a snapshot in these cases:
You are advised to create snapshots:
Dynamic snapshotIn the Security and compliance studio parameters, you can use the 'Enable dynamic snapshots' field to enable automatic updates of security configuration changes to the latest snapshot. So, no new snapshot is required each time you change the security configuration. Automatic updates of security configuration changes to the latest snapshot are done when you, for example:
Note: If yo use dynamic snapshots, you are advised to create a snapshot regularly. You do so to ensure that no security inconsistencies occur and to create a safety net, |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create task recording for security scenario |
Security management | You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to create a task recording for a security scenario and how to add the task recording to the scenario. You can create several task recordings for a security scenario.
When you save a task recording to a security scenario:
You can use the task recording steps to optimize the license cost when you create a security role. If an entry point (securable object and access level) increases the license cost, the related step can help you to decide if this access level is required or not.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Create user |
Security management | Users are internal employees of your organization, or external customers and vendors, who require access to the system to perform their jobs. You can manually create users in the system. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Define users who can view sensitive data change log |
Security management | On the sensitive data change tracking setup, you can define the users who can view the changes that are logged for the sensitive data setup. If you:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Delegate work items for users |
Security management | If a user is planned to be out of the office or otherwise unavailable to act on work items for a period, you (as security or system administrator) can automatically delegate new work items to other users. To configure automatic delegation of user work items to other users, you must create delegation rules. these rules define when certain types of work items are delegated. Users can also delegate own work items themselves. For more information on how to do so, refer to Delegate work items in a workflow. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Delete snapshots |
Security auditing | As a snapshot can consist of a lot of data, keeping many snapshots can slow performance. Therefore, you are advised to have a maximum of five snapshots. You can set up automatic clean-up of snapshots. As a result, older snapshots are deleted according to these rules:
On deletion, counting of snapshots to be kept starts with the latest snapshot, while protected snapshots are skipped in the count. The remaining older snapshots are deleted.
No snapshots are deleted if the value of the Limit number of snapshots field is 0, or less than or equal to the number of snapshots.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Disable users that do not exist in Microsoft Entra ID |
Security management | You can run the Microsoft Entra ID user status batch job to disable users in D365 FO if these users no longer exist in the Microsoft Entra ID. Make sure, this batch job is run about 30 minutes before the Analyze license usage (Named user license count reports processing) batch job is run. So, the license usage count is based on actual users.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Download image |
Security management | In the Security and compliance file share workspace, you can download image files that are used in security requests. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Download task recording |
Security management | In the Security and compliance file share workspace, you can download task recording files that are used in security scenarios. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Download XML file with exported security role |
Security management | If you have exported a security role configuration or customization, you can download the XML file from the Security and compliance file share workspace. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Duplicate role from Match roles |
Security management |
It is advisable to create a subset of security roles that are actually used in your company. This way, the security administrator has a better overview of the security roles that are used in your company. So, if a standard security role matches a scenario, you can create an exact copy of this standard security role and assign this copy to the applicable users. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Duplicate security role |
Security management |
Consider creating a subset of security roles that are actually used in your company. This way, the security administrator has a better overview of the security roles that are used in your company. This topic explains how you can create an exact copy of a security role. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Edit query for sensitive data change tracking |
Security management | On the sensitive data change tracking setup, you define the table fields for which sensitive data changes must tracked. For each table that is defined in the General section of the Sensitive data setup page, a query is created automatically. If the the defined table is a:
A query is applied on record level to the related table. You can edit an automatically created query. Usually, you edit a query only in specific cases. For example, if a table record has a type field, you can make the query type-specific. For the LogisticsElectronicAddress table, you can, for example, track sensitive data changes only for addresses that are marked as Private. To do so, add a range to the related query with the Private field, and Criteria set to Yes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Explore security configuration for any Dynamics 365 for Finance and Operations page |
Security management | You can explore the security configuration for any page in Dynamics 365 for Finance and Operations. You can use this, for example, to see if you can lower the license type for a user to reduce license cost. Each page can have several securable objects. For a selected securable object of a page, you can explore the related references. For example, if the selected object is of type Duty, you can explore:
The license type of each reference is indicated with a colored dot:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Explore security configuration in Security and compliance studio |
License management |
You can, for each level in the security configuration, explore the related references. You can use this, for example, to see if you can lower the license type for a user to reduce license cost.
For example, for a pinned duty, you can explore:
For the pinned level, the references with the highest user license type are highlighted. You can set the highlight color in the Security and compliance studio parameters.
The license type of each reference is indicated with a colored dot:
You can open the Security explorer from several places in the Security and compliance studio:
In this procedure, it is opened from the License optimization workspace, Security explorer tile.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Export security explorer data to Microsoft Excel |
Security management | You can export security explorer data to a Microsoft Excel file for further analysis. You can choose to export:
For example, for a pinned duty, you can export:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Export security role configuration |
Security management | You can export a security role with all its related security configuration. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Export security role customization |
Security management | You can export a customized security role. Only the security role customizations are exported. As a result, an XML file is created with the security role customizations. The XML file is stored in the Security and compliance file share workspace. You can use the XML file to import and use the security role customizations in another environment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Export sensitive data access setup to Microsoft Excel |
Security auditing | You can export sensitive data access setup to a Microsoft Excel file for further analysis. You can choose to export:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Extend table security recording |
Security management | You can extend an existing table security recording with additionally recorded table fields. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Give access to sensitive data |
Security management | You can give a securable object access to sensitive data. If you give a securable object access to sensitive data, automatically all related securable objects get access to sensitive data as well.
For example, if you give a duty access to sensitive data, the related users, roles, privileges, and entry points also get access to sensitive data.
In the steps, as an example, a duty is given access to sensitive data.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Give user roles access to organizations |
Security management | You can give a user access to several organizations by assigning several user roles to these organizations. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Import and publish security role configuration |
Security management | You can import a security role with all its related security configuration from an XML file that is exported from another environment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Import security role customization |
Security management | You can import a customized security role from an XML file that is exported from another environment. Only the security role customizations are imported. When the securable objects are imported from the XML file, these objects are published automatically. If dynamic snapshots are enabled, the published objects are automatically updated in the latest snapshot. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Import user |
Security management | Users are internal employees of your organization, or external customers and vendors, who require access to the system to perform their jobs.
You can import users from the Microsoft Entra ID users.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Inactivate or activate security roles |
Security management | When changes to a security role are required, you can choose to create a new version of it. In this case, the previous version of the security role must become inactive. So, it can't be assigned to users anymore. Before you inactivate a security role, make sure it's not assigned to any user. If you inactivate a security role that is still assigned to users, you get an error message listing the users to which it is assigned. You can also activate an inactive security role. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Initialize Security and compliance IT audit |
Security auditing | During implementation, to make security configuration event logging possible, you initialize the Security and compliance studio IT audit. You initialize just once. You can also use this job to clean up the security log.
As a result:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Insert image in security request description |
Security management | You can insert an image in the description of a security request.
In this topic, as an example, an image is inserted as Security user. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Lock or unlock security role |
Security management |
You can lock a security role. So, it can't be used as a target role when roles are merged.
If a security role lock is no longer required, you can unlock the security role.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Manually add securable objects to security scenario |
Security management | You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.
This topic explains how to manually add securable objects to a security scenario.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Match security roles to security scenario |
Security management | Use match roles to match all securable objects, as defined in a security scenario, to security roles. In general, a match means that the securable object exists on the role with a given access level.
Which roles are a match, is defined by:
You can match roles in these ways:
Each security role, with a match for at least one of the securable objects from the security scenario, is shown as a matched role. The matching degree of each matched security role indicates to what extent the role has matching entry points.
If you find a matched security role, you can assign users to it.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Merge security roles |
Security management | You can merge existing security roles into another existing security role or a new security role.
On merge:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Merge security scenarios |
Security management | A user can have access to several business processes. To maintain this in one security scenario can be cumbersome. If so, you can maintain business process access in a separate security scenario for each business process. Before you match roles, you can merge these business process security scenarios into one security scenario. So, in match roles, all the relevant entry points are considered. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Monitor asset classification details |
Security auditing | D365 FO provides a default set of classifications for the kinds of data that are stored in each table. These classifications are subject to change depending on the need to identify different kinds of data. The actual classification for each field in each table can change at any time, depending on differing needs for identifying data. In Security and compliance studio, you can monitor all defined field asset classifications in one overview. The asset classification overview shows:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Monitor imported Microsoft Entra ID groups |
Security management | You can import Microsoft Entra ID groups to D365 FO. On synchronize Microsoft Entra ID group members, the imported groups are loaded to Security and compliance studio. If a member of an imported Microsoft Entra ID group exists as a user in D365 FO, the user is linked to the group in Security and compliance studio. So, members of Microsoft Entra ID groups who do not exist as a user in D365 FO, are not shown in the Security and compliance studio.
With Security and compliance studio, you can monitor the groups, as imported Microsoft Entra ID, and the linked D365 FO users.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Monitor latest login of users |
System administration | You can monitor the latest login of users. You can use this information to reduce license costs. For example, you can remove users who have never logged in or who's latest login is more than three months back. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Monitor license usage per license type |
License management | For each license type, you can monitor the related number of users. You can also, for each user, monitor the related license type. Note that the licensing model of D365 FO has changed. Previously, for D365 FO, these license types were available:
On the All users tab and Full users tab, the New license type field is shown next to the User license field. The new license types can be shown in these formats:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Monitor risks |
Security management | You can identify the operational risks for your company. Several charts can help you monitor the risks. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Monitor security configuration history |
Security management | Events done on the security configuration are logged in the security history. So, you can monitor the changes to the security configuration.
These events are logged:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Monitor sensitive data change log |
Security auditing | When you have set up the tracking of sensitive data changes, changes to sensitive data are logged. Who can view the sensitive data log is defined on the related sensitive data change tracking users setup. If on the sensitive data setup:
On the Sensitive data log page, in the:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Monitor work item delegation history |
Security management | You can monitor the work item delegation history. All work item delegations are logged in the history. So, delegations added by users themselves and delegations added by security or system administrators are logged. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Move users to another role |
Security management | You can move users from one role to another role. You can use this, for example, if you have created a new variant of an existing role. You can then move the users from the old role to the new role. As a result, the moved users are no longer available on the old role. You can only move a user if it doesn't:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Override permissions on roles |
Security management | To apply the table field permissions as defined for a table security record, you must override these permissions on the applicable roles. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Override permissions on roles based on security scenario |
Security management | You can override the permissions of a security role based on a security scenario. You typically do this to delimit access to specific data. In a security scenario, you can indicate all securable objects and related access levels that are required for a user to perform one or more tasks. You can use this setup to override the permissions on one or more security roles. If you override permissions of a security role:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Rebuild asset classification |
Security auditing | In Security and compliance studio, you can monitor all specified field asset classifications. To monitor up-to-date asset classifications, you are advised to rebuild the asset classification data daily.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Record table security |
Security management |
You can use table security to manage permissions on table field level. Use table security recording to define the tables and table fields for which you want to set or change permissions. After recording the fields, you can define the desired access right for each recorded field. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Refresh licenses |
Security management | The licensing model of D365 F&SCM has changed. Previously, for D365 F&SCM, these license types were available:
On the All users tab and Full users tab, the New license type field is shown next to the User license field. The new license types can be shown in these formats:
To show the required new license types in Security and compliance studio, refresh the new license type information. The new license types are refreshed based on the latest snapshot of the security configuration.
As a result, the applicable new license types are retrieved and shown in the Security explorer for each of these securable objects:
Also, on other forms, the new license types are filled after refreshing the licenses. The New license type field is shown on each form where the User license field is shown.
The new license types can be shown in these formats:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Register risks |
Security management | You can identify the operational risks for your company. These risks can be security-and-compliance related, or any other type of risk for your organization. You can link a risk to segregation of duties rule to help reduce business risks, human errors, or fraudulent transactions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Resolve segregation of duties conflicts |
Security management |
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator. For each logged conflict, you can:
Complete the following procedure to view and resolve conflicts.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Resolve segregation of duties conflicts (enhanced) |
Security management | You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator. For each logged conflict, you can:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Set Security and compliance studio parameters |
Security management | Before you start using the Security and compliance studio, set the Security and compliance studio parameters. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Set up areas |
System administration | You can use areas to categorize security requests. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Set up segregation of duties rules |
Security management |
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. Complete the following procedure to create a rule.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Set up segregation of duties rules (enhanced) |
Security management | You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.
With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level, on entry point level, and with segregation security sets.
With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely.
Complete the following procedure to create an enhanced segregation rule on one of these levels: duty, privilege, or entry point.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Set up segregation security sets |
Security management | With the segregation rules (enhanced) functionality, you can use segregation security sets to generate entry point level segregation rules. Use a segregation security set to list and group entry points for which segregation rules are desired. You can use these segregation security sets to set up segregation rules. For each segregation rule with segregation security sets, child segregation rules are generated automatically. A child segregation rule is generated for each combination of entry points from the two segregation security sets of the segregation rule. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Set up sensitive data access reasons |
Security management | If you give a securable object access to sensitive data, you must specify the reason you do so. This topic explains how to set up sensitive data access reasons. Each sensitive data access reason has one of these types:
A set of predefined sensitive data access reasons is available. You are advised to upload these predefined sensitive data access reasons before you add new ones.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Set up sensitive data change tracking |
Security management | You can set up the tracking of changes to sensitive data. You set up sensitive data change tracking by field. You can define the fields, for which sensitive data changes must tracked, in these ways:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Set up staging table mapping to track sensitive data changes |
Security management | You can add any field from any table to the sensitive data setup. However, the table can be date-effective or part of an inheritance structure. In this case, the table cannot be used to enable change logging for sensitive data. Instead, the related staging table must be used to enable change logging for sensitive data. To define which staging table must be used to enable change logging, map the date-effective table or inheritance structure table to the desired staging table. Also, map the applicable fields of the date-effective table or inheritance structure table to the related fields of the staging table. Examples of date-effective tables or inheritance structure tables and related staging tables are:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Set up user groups |
Security management | To use some features and functionality in D365 FO, user groups can be required. For example, users are outside the organization hierarchy for budget planning but must work with budget plans. You can assign budget plans to user groups. You can also set up restrictions for journal posting that are based on user groups. This topic describes how to create a user group and add users to it. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Submit security request for approval - Security administrator |
Security management | As a security administrator, you can create a security request from the Security management workspace. Usually, a security request is approved by the security manager. Once you have completed the security request creation, submit the security request for approval. How the approval process is done, depends on the setup:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Submit security request for approval - Security request user |
Security management | As a security request user, you can create a security request from any page. Usually, a security request must be approved by the security manager. Once you have completed the security request creation, submit the security request for approval. How the approval process is done, depends on the setup:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Synchronize groups with Microsoft Entra ID groups |
Security management | You can import Microsoft Entra ID groups to D365 FO. Synchronize Microsoft Entra ID group members, to load the imported groups to Security and compliance studio. If a member of an imported Microsoft Entra ID group exists as a user in D365 FO, the user is linked to the group in Security and compliance studio. So, members of Microsoft Entra ID groups who do not exist as a user in D365 FO, are not shown in the Security and compliance studio.
After you imported a Microsoft Entra ID group, changes can be made to its members on the Azure Portal. Members can be added to or removed from the Microsoft Entra ID group. Usually, it is required that these changes are also applied to the imported groups in D365 FO.
To keep the setup in Security and compliance studio up to date, you are advised to synchronize the Microsoft Entra ID group members daily.
On synchronize of Microsoft Entra ID group members:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Undo access to sensitive data |
Security management | You can undo the access to sensitive data for a securable object. If you, for a securable object, undo the access to sensitive data, automatically also the access to sensitive data is undone for all related securable objects. For example, if you undo access to sensitive data for a duty, the access to sensitive data is also undone for the related users, roles, privileges, and entry points. In the steps, as an example, access to sensitive data is undone for a privilege. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Upload image |
Security management | In the Security and compliance file share workspace, you can upload image files to be used in security requests. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Upload task recording |
Security management | In the Security and compliance file share workspace, you can upload task recording files to be used in security scenarios. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Use predefined segregation of duties rules (enhanced) on demand |
Security management | You can set up segregation of duties rules (enhanced) to separate tasks that must be performed by different roles or users. With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level, on entry point level, and with segregation security sets. On demand, a predefined set of segregation rules (enhanced) is available. Predefined segregation rulesThe set of segregation rules (enhanced) consists of:
The predefined segregation rules (enhanced) are mainly related to these functional areas:
ImportYou can import the predefined segregation of duties rules (enhanced) with the Data management import function. To import the set of predefined segregation rules (enhanced):
On import:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Use predefined segregation of duties rules on demand |
Security management | You can set up segregation of duties rules to separate tasks that must be performed by different users. On demand, a predefined set of segregation of duties rules is available. These predefined segregation of duties rules are set up based on this risk identification matrix for several transaction types: You can upload the predefined segregation of duties rules in Data management. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Validate segregation of duties |
Security management | You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use
Validate segregation of duties to verify whether existing roles comply with new rules for segregation of duties. So, it validates intra-role compliance.
If any existing roles violate the selected rule, a message is displayed that contains the name of the role and the names of the conflicting duties. The security administrator must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Validate segregation of duties (enhanced) |
Security management | You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use
Validate segregation of duties to verify whether existing roles comply with new rules for enhanced segregation of duties. So, it validates intra-role compliance.
If any existing roles violate the selected rule, a message is shown that contains the name of the role and the names of the conflicting securable objects. You must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for enhanced segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Validate segregation of duties for stand-in |
Security management | You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If you use segregation of duties rules, you can validate if the assignment of the user roles to the stand-in user complies with the segregation of duties rules. If assigning the user roles to the stand-in violates the segregation of duties rules, a message is displayed with the name of the role and the names of the conflicting duties. The security administrator must either indicate the mitigation for the security risk or modify the conflicts so that segregation of duties rules are not violated. If no rules are violated, a message indicates that the stand-in role complies with the segregation of duties rules.
Note: If enhanced segregation of duties rules are enabled, the stand-in role assignment is validated against the enhanced segregation of duties rules. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Verify compliance of user-role assignments |
Security management | You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-roles assignments to verify whether user role assignments comply with new rules for segregation of duties. So, it verifies inter-role compliance and user-level validations. A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. The security administrator must resolve all conflicts. Complete the following procedure to identify conflicts.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Verify compliance of user-role assignments (enhanced) |
Security management | You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use
Verify compliance of user-roles assignments to verify whether user role assignments comply with new rules for enhanced segregation of duties. So, it verifies inter-role compliance and user-level validations.
A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. You must resolve all conflicts. Complete the following procedure to identify conflicts.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
View access to sensitive data charts |
Security auditing | You can use several charts to audit access to sensitive data:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
View asset classification chart |
Security auditing | D365 FO provides a default set of classifications for the kinds of data that are stored in each table. These classifications are subject to change depending on the need to identify different kinds of data. The actual classification for each field in each table can change at any time, depending on differing needs for identifying data. In Security and compliance studio, you can monitor all defined field asset classifications in the Asset classification chart. The asset classification chart shows:
If you click a classification on the chart, the asset classification overview is opened. It shows all tables that have at least one field with the clicked asset classification. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
View securable objects with access to sensitive data |
Security auditing | It is important to know which securable objects give access to sensitive data. For these securable object types, you can review which securable objects give access to sensitive data:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
View Security and compliance studio data on person search report |
Security auditing | For Security and compliance studio, an extension is added to the Person search report.
On the Person search report, in the Security and compliance studio results section, you can find this security information:
For more information, refer to Person search report. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
View security management charts |
Security management |
Several charts are available to monitor the status of the security configuration.
|