1. Naked and Afraid: Re-implementing Dynamics GP Security
Security. Audit. Compliance.
Mark Polino
CPA.CITP.CFF, CGMA, Microsoft MVP
Dynamics Credentialed Professional

2. Disclaimers Naked and Afraid.
It’s a Discovery Channel TV show
AND how many feel when told they are responsible for GP security.
Despite the title, no one will be naked during this presentation.
You are allowed to be afraid.
You are not allowed to be naked during this presentation.

3. Overview The world is an insecure place.
Being responsible for GP security can be scary.
Many companies don’t have confidence in their GP security setup.
It can make you feel Naked and Afraid.
Every firm can benefit from another look at security.
Maybe some headlines slides?

4. GP Security Overview GP security Dynamics GP Security (GP) SSRS (AD)
Management Reporter (AD)
GP Workflow (AD)
Web Client (AD + GP)
Other Products
(GP) – Dynamics GP Users,
(AD) – Active Directory Users
Tell the Alligator story. What’s the most dangerous part of an alligator?

5. Where to Start? Start with GP Security It’s the most complicated
It’s the core

6. GP Security Review Role based.
Access to windows, reports, posting, etc. are rolled up into tasks.
Tasks are combined into Roles.
Roles are assigned to users.

7. Role Assignment

8. What’s in a Role?
Multiple roles with overlapping tasks are NOT recommended.
Default Roles often have overlapping tasks.
Default Roles and their tasks documentation
[Free]
Show off the sheet

9. A Task Based Approach
Take a task based approach to creating new roles.
A task should be everything needed for a discreet operation.
Tasks are generally well designed.
Need to be combined into new roles.

10. Task Assignment

11. Tasked Based Recommendations
Use a tool to figure out what tasks should belong to each role.
[Free]
Add roles or tasks as required.
Don’t use or modify existing roles or tasks.
Assign roles to users.
Temporarily preserve existing roles.
Add other security matrix tool?

12. GP Security Matrix

13. Tips PowerUser is not a role. It’s is an override.
If you must have a power user, manually create a SuperUser role.
[Free]
‘sa’ is really only required for installation.
[Free]
’sa’ is not required to add users
[Free]

14. Real Life Building/Rebuilding GP Security is not a fast process.
Treat it as a project.
If done well, maintenance and adjustments should be easy long term.
It’s an investment against future pain.

15. SSRS SSRS Security tends to be more straightforward
Assign or remove access to report folders
For anything AD consider using AD Groups
Not going in depth. After GP security, these are straightforward

16. Management Reporter Limit users who can create reports
Use AD Users/Groups

17. GP Workflow GP Workflow Use AD Users/Groups Limit managers
must be set at AD level

18. GP Web Client AD Users/Groups to access Web Client.
GP Users to control access.
Web Client only users might not be SQL users.

19. Web Client Security

20. Other Security Tools
GP Power Tools (Formerly Support Debugging Tool) [Paid]
Suite of GP utilities including security tools.
Helpful for figuring out fix when access is denied.

21. Fastpath Security and Compliance Products
Continuous monitoring solution that tracks all changes to critical data
Assure
Risk based security access review and SOD analysis platform
Audit Trail
Request, review and approve Dynamics security without IT intervention
Identity Manager
Audit planning tool allows report design, assignment and scheduling
Audit View
Maintain user provisioning in Active Directory instead of the target system
Config AD
Assure – After you’ve built your roles, check for conflicts
Audit Trail – Monitor changes and access
Audit View – Auto delivery of reports
Identity Manager – Request, review and approve Dynamics security
Config AD – GP Single Sign On. Maintain users in Active Directory instead of GP.
Tools work together. If you request access to a user via Identity Manager or setup a new user with Config AD, Assure will check for conflicts prior to completion.

22. Questions?