Monday, December 26, 2016

It’s The Most Wonderful Time of the Year!!! - NO! Compliance Audit...

It’s The Most Wonderful Time of the Year!!!
The holiday season is a busy time for everyone.  Making plans, buying presents, baking cookies and other tasty goodies, and the list goes on.  You've got to fit this around your work schedule and with year end, it is a mad rush to get work done – make your sales quota for the year, complete your project, balance the books, count the inventory, and schedule your last days of vacation!

Are the auditors on their way?  Do you have processes and procedures in place?  Do you have proper business controls and have they been followed?

If you are a Security Administrator or Compliance Manager, please check out the next issue of the AXUG Magazine which will come out in February 2017.  In the Viewpoint From the Front Line column, I'll discuss compliance from an ERP system perspective.

Since it will be over a month before the article will be posted, Dynamics Communities has given me the okay to share it now:

Fiscal year end is a busy time for everyone.  It is a mad rush to get work done – make your sales quota for the year, complete your project, balance the books, count the inventory, and schedule your last days of vacation!

Are the auditors on their way?  Do you have processes and procedures in place?  Do you have proper business controls and have they been followed? 

If you are a Security Administrator or Compliance Manager, here are some things to keep in mind:

Who has keys to each room and to the entire house?

The rooms – These are the different functions or modules.  Do you have controlled access to module parameters and setups?  This should be a limited list of trained super users or managers of each function.  In AX, module/process controls are duties whose names typically start with “Enable”.  When looking at the AX menu structure, these functions are generally in the “Setup” sub-menu of each module.

The entire house – System parameters and global functions are typically controlled by the IT department.  This also includes server and database setups and access.  So the obvious list that comes to mind is who has System administrator access in AX and admin access to the server and database, but there may be some specific functions that need to be called out like access to workflows and batch processing.

The keys – These are the security roles, including their setup, maintenance, and assignment to users.  Controls should be in place on what each role should contain, approvals for when updates are made, and approvals for who should be granted access.  The main security role for this is the Security administrator, but the control could be as detailed as the specific duties or privileges related to maintaining security settings.

Who holds the purse strings?  It’s not just about who can spend money when it comes to ERP.  It is who can perform activity that has financial significance.  

There are inventory transactions that can make material appear and disappear, and these should be controlled.  In AX, this is a movement, inventory adjustment, or physical inventory counting transaction.  You may want to review these processes and determine where the highest risks are for your company.  Then put in business controls to monitor those activities.  One example is a periodic report of all inventory adjustments that is reviewed.

If a person can do both ends of a transaction without another person involved, then this is also a way to make material or dollars disappear.  This is typically referred to as segregation of duties.  Here are a couple of examples: someone can create a sales order and then ship it -or- someone has access to create a vendor and print a check.  Eliminate any segregation of duties violations, or put a control in place to monitor them and ensure no malicious activity was performed.
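To make the segregation of duties check concrete, here is an added example (not code from the original post or from AX itself): a small checker over a constructed user, role and duty model.  It reports conflicts that live inside a single role definition, conflicts a user reaches only by combining several roles, and conflicts that are accepted because a compensating control is documented.  All role, duty and user names are made up in the AX naming style; the two rules mirror the vendor/check and sales order/shipment examples above.

```python
# Added example, not from the original post: segregation-of-duties checker
# over a constructed role model.  Names and rules are made up for illustration.

# Constructed role definitions: role -> set of duties it grants
ROLES = {
    "Accounts payable clerk": {"Maintain vendor master", "Maintain vendor invoices"},
    "Accounts payable payments clerk": {"Generate vendor payments", "Post vendor payments"},
    "Sales clerk": {"Maintain sales orders"},
    "Shipping clerk": {"Post packing slips"},
    # A role that violates a rule by itself, whoever holds it
    "Order to cash all-in-one": {"Maintain sales orders", "Post packing slips"},
}

# Constructed user assignments: user -> set of roles
USER_ROLES = {
    "alice": {"Accounts payable clerk", "Accounts payable payments clerk"},
    "bob": {"Sales clerk"},
    "carol": {"Order to cash all-in-one"},
    "dave": {"Sales clerk", "Shipping clerk"},
}

# Constructed SoD rules: pairs of duties one person should not hold together
SOD_RULES = [
    ("Maintain vendor master", "Generate vendor payments"),  # create a vendor and print a check
    ("Maintain sales orders", "Post packing slips"),         # create a sales order and ship it
]

# Constructed register of accepted conflicts with their compensating control
MITIGATED = {
    ("dave", "Maintain sales orders", "Post packing slips"):
        "Weekly review of orders shipped by their creator",
}


def duties_for_user(user):
    """Union of the duties reached through every role assigned to the user."""
    return {duty for role in USER_ROLES.get(user, set()) for duty in ROLES[role]}


def role_conflicts():
    """Rule violations contained in a single role definition: (role, duty_a, duty_b)."""
    found = []
    for role, duties in ROLES.items():
        for a, b in SOD_RULES:
            if a in duties and b in duties:
                found.append((role, a, b))
    return found


def user_conflicts():
    """Rule violations per user, counting duties reached via any combination of roles.

    Returns (unmitigated, mitigated): unmitigated entries are (user, duty_a, duty_b),
    mitigated entries add the documented compensating control as a fourth element."""
    unmitigated, mitigated = [], []
    for user in USER_ROLES:
        duties = duties_for_user(user)
        for a, b in SOD_RULES:
            if a in duties and b in duties:
                control = MITIGATED.get((user, a, b))
                if control:
                    mitigated.append((user, a, b, control))
                else:
                    unmitigated.append((user, a, b))
    return unmitigated, mitigated


if __name__ == "__main__":
    for role, a, b in role_conflicts():
        print(f"ROLE DESIGN: '{role}' grants both '{a}' and '{b}'")
    open_items, accepted = user_conflicts()
    for user, a, b in open_items:
        print(f"UNMITIGATED: {user} holds '{a}' and '{b}'")
    for user, a, b, control in accepted:
        print(f"MITIGATED:   {user} holds '{a}' and '{b}' (control: {control})")
```

Running the report periodically and keeping its output is the kind of evidence an auditor will ask for: the unmitigated list should be empty, and every mitigated entry should point at a control that is actually being performed.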

Who is the author and publisher of the book?  With an ERP system, this would be who has access to the programming code that the application is running on.  There should be strict controls around making changes, testing and approvals by business owners, and how code is migrated between environments.

Hopefully you have all this documented in your play book.  These would be your documented processes and procedures.  If you have been following it all year long, then you should be in good shape for the auditors.  As with any event, you should do rehearsals.  Do an internal audit of your processes and controls.  Take random samples, follow them through the documented procedures, and ensure all steps have been followed and that there is proper evidence to support the process.

The auditors will want to see evidence that the processes and controls were followed.  They will do their own sampling and walk-throughs of the processes.  Be ready!!!

The simple rule to follow is “DO as you SAY, and SAY as you DO!”

After the auditors have left, I hope you are smiling knowing that all is in order with your processes and controls.  Happy New Year!!!

Monday, December 19, 2016

AX 2012 Security Unwrapped Series - Understanding Role Based Security

This post will unwrap the Dynamics AX role based security model that was introduced in version 2012.  It will describe the structure and components.

"Within an organization, roles are created for various job functions.  The permissions to perform certain operations are assigned to specific roles.  Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions.  Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department." (Definition From Wikipedia)

Microsoft created a series of standard Roles.  I've grouped them into 3 categories:
1. General staff - many of these roles have "worker", "clerk", or "agent" in their name.  Examples are: cost clerk, buying agent, warehouse worker.  These roles have the basic functions for the specific functional role.  In many cases they cannot complete the transaction.
2. Management - many of these roles have "supervisor" or "manager" in their name.  Examples are: accounting manager, production supervisor.  These roles have access to the parameters and setups for a function.  They also hold transaction approval, which allows the actual update in the application, typically associated with posting inventory or general ledger transactions.
3. Executives - these roles tend to be specific titles, e.g. chief executive officer, financial controller.  A few key setups or approvals, but mostly inquiry and reports.

Microsoft also defined a series of Process Cycles, each of which is an entire business process flow.  Below are the original ones defined in 2012:

Expenditure which is the standard Procure to Pay flow - vendors, purchase orders, receiving, payables
Revenue which is the standard Order to Cash flow - prospects, customers, quotations, sales orders, receivables, project accounting
Conversion is the standard Plan to Produce flow - parts, boms, routes, forecasts, production orders, quality, service
Human capital management - hiring, employees, human resources
Information technology - technical sets like AIF, system parameters, workflow, etc.
Cost accounting - setting up and activating costs, cost accounting, inventory valuation

Several were also added as a part of R2/R3:  Fiscal books, Public sector, Retail, Retail merchandising, Sales operations financial planning, Trade agreement management, Process cycle containing duties related to Multi Channel Retail

Duties, privileges, and permissions are the building blocks that define access.  As the diagram above indicates, there is a hierarchy.  Roles and Process cycles are comprised of duties and privileges.  Duties contain a set of privileges that typically allow access to a functional process.  Privileges tend to be a single function within a functional process.

Duties and Privileges have a general naming convention, typically starting with an action verb which is very descriptive of the access:

Update: “Maintain…”, “Create…”, “Update…”, “Delete...”, "Add...", "Change/Edit..."
Inquiry: “Inquire into…”, “View…”, "Search..."
Reports: “Review…”, “Preview…”, “Generate…”, "Print..."
Parameters:  “Enable…”, “Activate…”
Controls:  “Approve…”, “Complete…”, "Post...", "Reject...", "Cancel..."

Privileges are made up of Permissions which are very specific actions within the application.  I call them the keys to the kingdom.  They define levels of access to tables, menus, functions, etc.  Below is a definition of the access level:

In my next post, I'll dive into the standard AX security menu and its capabilities.
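As an added example (not code from the original post or from Dynamics AX), here is a toy model of the hierarchy described above: roles and process cycles are built from duties, duties from privileges, and privileges from permissions on securable objects.  It computes a user's effective access as the union of everything reachable through their roles, and uses the verb naming convention listed above to flag which of a user's duties fall in the Parameters and Controls categories, the ones the compliance post says should be held by a short list of trained super users or managers.  All role, duty, privilege and object names are constructed, and the access-level ordering is an assumption made for the example.

```python
# Added example, not from the original post: toy model of the AX 2012 security
# hierarchy (role -> duty -> privilege -> permission).  Names are constructed;
# the ordering of access levels is an assumption for this example.
ACCESS_LEVELS = ["NoAccess", "Read", "Update", "Create", "Correct", "Delete"]
RANK = {level: i for i, level in enumerate(ACCESS_LEVELS)}

# Permissions: privilege -> {securable object: access level}
PRIVILEGES = {
    "View vendor master": {"VendTable": "Read"},
    "Maintain vendor master": {"VendTable": "Delete", "VendBankAccount": "Create"},
    "Enable vendor parameters": {"VendParameters": "Update"},
    "Approve vendor invoices": {"VendInvoiceJour": "Update"},
}

# Duties: duty -> privileges
DUTIES = {
    "Inquire into vendor master": ["View vendor master"],
    "Maintain vendor master": ["Maintain vendor master"],
    "Enable accounts payable setup": ["Enable vendor parameters"],
    "Approve vendor invoices": ["Approve vendor invoices"],
}

# Roles: role -> duties (a process cycle groups duties the same way)
ROLES = {
    "Accounts payable clerk": ["Inquire into vendor master", "Maintain vendor master"],
    "Accounts payable manager": ["Inquire into vendor master",
                                 "Enable accounts payable setup",
                                 "Approve vendor invoices"],
}

USER_ROLES = {
    "alice": ["Accounts payable clerk", "Accounts payable manager"],
    "bob": ["Accounts payable clerk"],
}

# Naming convention from the post: leading verb of a duty or privilege -> category
VERB_CATEGORIES = {
    "Update": ("Maintain", "Create", "Update", "Delete", "Add", "Change", "Edit"),
    "Inquiry": ("Inquire into", "View", "Search"),
    "Reports": ("Review", "Preview", "Generate", "Print"),
    "Parameters": ("Enable", "Activate"),
    "Controls": ("Approve", "Complete", "Post", "Reject", "Cancel"),
}


def categorize(name):
    """Map a duty or privilege name to its category by its leading verb."""
    for category, verbs in VERB_CATEGORIES.items():
        if any(name.startswith(verb) for verb in verbs):
            return category
    return "Unclassified"


def effective_access(user):
    """Union of all permissions reachable through the user's roles.
    Where two grants touch the same object, the stronger access level wins."""
    result = {}
    for role in USER_ROLES.get(user, []):
        for duty in ROLES[role]:
            for privilege in DUTIES[duty]:
                for obj, level in PRIVILEGES[privilege].items():
                    if RANK[level] > RANK[result.get(obj, "NoAccess")]:
                        result[obj] = level
    return result


def sensitive_duties(user):
    """Duties in the Parameters and Controls categories held by the user, sorted."""
    found = set()
    for role in USER_ROLES.get(user, []):
        for duty in ROLES[role]:
            if categorize(duty) in ("Parameters", "Controls"):
                found.add(duty)
    return sorted(found)


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, "effective access:", effective_access(user))
        print(user, "parameter/control duties:", sensitive_duties(user))
```

The union-with-strongest-grant rule is the part worth noticing: because alice holds both the clerk and manager roles, she ends up with Delete on the vendor table even though the manager role alone only reads it.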

Saturday, December 17, 2016

Dynamics AX Security Unwrapped Series

This series of posts will unwrap the Dynamics AX security model that was introduced in version 2012.  It will be in part what I've presented over the past 3 years at Summit and webinars, but enhanced with learning from experts in the field whom I've met since I've started my journey into AX and the security model.

Please follow me along on this journey.  I hope I can provide some information new to you and suggest an implementation approach.  I welcome feedback both in comments or questions.  This is inspiration for me to embellish my posts!!!

Tuesday, November 29, 2016

2 Very Notable Changes in AX Security with AX7/D3FO

There are two very notable changes with security when moving to AX7 or Dynamics 365 for Operations (D3FO).  I learned this at the 2016 AXUG Summit Conference.
  1. The Security Development Tool that I love (!!!) will be completely new starting with AX7.  The menu item is called Security Configuration Form.  You won't be able to TEST from the tool anymore.  Hopefully Microsoft will add this back.
  2. There are multiple access levels to a form, set at each entry point.  In D3FO, the application will honor entry point access.  What this means in layman's terms is: if a user has a role which grants them multiple levels of access to a form, then depending on which navigation path they open the form from, their access will be different.  Microsoft considered this a bug in 2012 and corrected it in AX7.  This may upset/confuse your users, as they may think their access has been changed!
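To show why the second change can surprise users, here is an added example (not code from the original post or from Microsoft) that models form access granted per entry point and contrasts the two behaviours described above.  The D3FO side applies only the grant attached to the entry point actually used.  The 2012 side is modelled as the user's strongest grant applying however the form is opened; that is an assumption drawn from the post's description that 2012 did not honor entry point access.  Form names, entry points and access levels are constructed.

```python
# Added example, not from the original post: per-entry-point form access,
# modelled two ways.  Names, entry points and level ordering are constructed.
RANK = {"NoAccess": 0, "Read": 1, "Update": 2, "Create": 3, "Correct": 4, "Delete": 5}

# Role -> {(form, entry point): access level}, constructed
ROLE_GRANTS = {
    "Purchasing agent": {
        ("PurchTable", "Procurement > Purchase orders"): "Create",
    },
    "Purchasing inquiry": {
        ("PurchTable", "Inquiries > Purchase order list"): "Read",
    },
}

USER_ROLES = {"alice": ["Purchasing agent", "Purchasing inquiry"]}


def grants_for(user, form):
    """All (entry point -> level) grants the user holds for the form across roles;
    the stronger level wins when two roles grant the same entry point."""
    found = {}
    for role in USER_ROLES.get(user, []):
        for (granted_form, entry), level in ROLE_GRANTS[role].items():
            if granted_form == form and RANK[level] > RANK[found.get(entry, "NoAccess")]:
                found[entry] = level
    return found


def access_ax2012(user, form, entry_point):
    """Modelled 2012 behaviour (assumption): if the user can open the form from this
    entry point at all, the strongest grant from any entry point applies."""
    grants = grants_for(user, form)
    if entry_point not in grants:
        return "NoAccess"
    return max(grants.values(), key=lambda level: RANK[level])


def access_d3fo(user, form, entry_point):
    """Modelled D3FO behaviour: only the grant on the entry point used applies."""
    return grants_for(user, form).get(entry_point, "NoAccess")


if __name__ == "__main__":
    for entry in ("Procurement > Purchase orders", "Inquiries > Purchase order list"):
        print(f"{entry}: 2012 -> {access_ax2012('alice', 'PurchTable', entry)}, "
              f"D3FO -> {access_d3fo('alice', 'PurchTable', entry)}")
```

The same user, same form and same roles give Create on one path and Read on the other in D3FO, which is exactly the helpdesk call to expect after the upgrade: nothing in the role assignments changed, only which grant is applied.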

Friday, November 25, 2016

The beginning of an upgrade journey

Following my own advice!  Here is my article in the Q3 AXUG Magazine - Viewpoint: Are you ready for the New Dynamics AX.

During the AXUG Summit 2016, I spoke with 2 Microsoft professionals, Matthew Maertens on Security and Tariq Bell on Upgrades.  Since my company is on 2012 R1/RTM, our upgrade journey is to move to R3, which will position us for where Dynamics 365 for Operations will take us.  With R3 mainstream support through 2021, we have time to see what paths Microsoft will offer and consider our options before moving beyond 2012.

  1. R3 license key - You will need this to install; we contacted our partner, who had to request it from Microsoft.  Note: The key is only good for 3 months.
  2. ISV code - Secured R3/CU9-compatible versions of their software.  We'll need to recontact them about when they will have a CU12 version, which was just announced November 21, 2016.  We'll want to install CU11 so that we can upgrade to SQL Server 2016.
  3. Partner model - Since we have customizations from our partner, they reviewed and provided an updated R3 compatible model and provided some notes as to what we might want to consider in modifications given R3 functionality.
  4. Microsoft documentation - Gathered up release documentation on changes and new features.  Reviewed and took note of what might be desirable from my company's view.  Here are some links: New, Changed, and Deprecated Features for AX2012, New Feature List for R2, What's New in Microsoft Dynamics 2012 R3, and Deprecated Features AX 2012.  You can also find documents on specific features.
  5. Customizations - Thankfully, we tracked all changes to AX in Jira, both changes by our partner and those done internally.
  6. Project Team - Established the project team; pointed them to the release documentation; highlighted reasons to upgrade both technically and functionally; and presented a high level project plan.
To Do:
  1. Process Reviews - We'll do this in 2 ways.  First, each functional team member will review the release documentation to see what might affect them or where they might want to alter their current process.  Secondly, we will regression test all our processes.
  2. Security - We will move our custom security from the USR to the CUS layer.  Much to the delight of some of my consultant friends.  Also we have yet to review what changes might affect what we've setup.
  3. R3 environment with company data - This is in process now.  It is a difficult process given the technical changes between R1 and R3.  We will be working with our partner for some guidance and hope to have an environment up by mid-December.  I'll post more details on this in a subsequent post.
This is just the start.  More to come as we dive into this upgrade!!!

Wednesday, November 23, 2016

As you begin this holiday weekend,
please take a moment to be THANKFUL.
Thankful for all you have:
project team members,
super users,
online communities,
LinkedIn connections,
and best of all your loved ones...
those that support you in all you do
at home and at work.

Tuesday, November 22, 2016

2016 AXUG Summit - Count In. Count On.

Summit was very busy this year!  It had a stronger Microsoft presence and much more content by USERS!!!  My involvement grew this year - Programming Committee, Security Track User Leader, Speaker, and Moderator.

The most inspirational part of it for me was when past attendees reached out to thank me for the knowledge and advice I was able to provide, which they could use back at their jobs.  This is driving my stronger commitment to the AXUG community and the springboarding of this blog.

I hope that you will join me on this adventure.  I will post articles on project management, AX security, and my company's R3 upgrade journey!