9 common errors to avoid while implementing security in Microsoft Dynamics 365 Finance and Operations

This blog post was authored by Madison Hafley - Consultant, Business Platform Transformation on Protiviti's technology insights blog.

Microsoft Dynamics 365 Finance and Operations (D365FO) is a comprehensive ERP solution that empowers businesses to optimise financial management and operational efficiency. With its integrated approach, powerful analytics, scalability and continuous innovation, it is a valuable asset for organisations striving to navigate today’s dynamic business landscape successfully. Many organisations will require custom security design to meet their compliance and segregation of duties requirements. Prior to implementing D365FO, organisations should understand these nine common mistakes and how to avoid them to optimise the experience and reduce security risks.

1. No management buy-in

To have a successful security project, management buy-in is essential. Without their support, obstacles that arise will be more challenging to solve since security can often be pushed to the sidelines.

2. Not involving the critical three

The critical three are business users, compliance and IT. Without involving all three groups, businesses will have a tough time communicating what they need, understanding which security risks are involved and deciding how to approach the problem. Communication between these teams is vital and is what allows a security implementation to succeed.

3. Using a ruleset not tailored to the business

Segregation of duties (SoD) reporting tools that come with standard rulesets can provide a high-level overview for understanding what risks are involved within security roles. However, it is important to keep in mind that each business is different, and customisations will be needed.

4. Relying on security by obscurity

A common mindset among businesses is if they don’t know about the risk, then it’s not causing an issue. However, this mindset can lead to a trickle-down effect. Most SoD violations occur unintentionally and the best way to prevent them is to remove the access altogether.

5. Assuming out-of-box roles are compliant

D365FO has out-of-the-box roles that can provide a foundation for building out security. However, using out-of-the-box security can be harmful to the business since the standard roles provide excessive access, leading to SoD violations.

We recommend developing new security roles that are broken into business tasks rather than using the out-of-the-box roles that D365FO offers.

6. Over-assignment of system administrator

The system administrator role in D365FO tends to be over-assigned to users. This can happen when the business is unable to determine the correct security access, or when a user cannot perform what they need to in a timely manner without this access. This is risky because the system administrator role has access to everything and will not show up in SoD reporting.

To reduce this risk, we recommend the system administrator role be restricted to the fewest number of users possible. If a user needs elevated access, then we recommend granting that access in a test environment. To monitor users who hold system administrator access, we recommend the business set up a recurring cadence to review who has it. Additionally, there are tools (like Fastpath) that can be set up to perform certain types of monitoring of system administrators.

7. Retaining old access as users change job responsibilities

Most high-conflict users will have access to several job responsibilities within different process areas. Removing old access right away is critical to reduce security risk. Additionally, businesses should avoid copying access from other users since it can lead to a snowball effect. Rather than copying access from other users, assign the least amount of access required for a user to perform their day-to-day operations.

8. Forgetting about the process backbone

Security governance processes are important to support a secure and compliant environment. These reviews should involve IT, business leaders and, as needed, compliance. Perform the following checks on a consistent basis to keep risks in check and reduce pain points later:

  1. Before assigning new user access, check for SoD risks to manage the risk beforehand.
  2. Perform user access reviews regularly to catch inappropriate access.
  3. Ensure that the business and IT are comfortable with role changes as they occur.
  4. Perform regular user SoD reviews to see if access can be removed or remediated.
  5. Perform an SoD ruleset review regularly to ensure the risks remain relevant and to catch risks missing from the ruleset because new functionality has been added.
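As an added illustration of the checks behind items 6 and 8 (this is example code, not from the original post and not part of D365FO or any Protiviti tool), the Python script below models a ruleset as pairs of conflicting duties, maps roles to duties, and then runs three of the governance checks from the list: a pre-assignment SoD check, a per-user access review that also flags system administrator holders (who would otherwise be invisible to SoD reporting), and a ruleset review that lists duties no rule covers. All role, duty, user and rule names are constructed for the example and do not correspond to D365FO's real role or duty identifiers.

```python
"""SoD conflict checks over constructed D365FO-style role assignments.

Added example, not code from the original post. Every role, duty, rule
and user name below is constructed for illustration.
"""

# Constructed: which business duties each security role grants.
# "System administrator" grants everything, but it carries no duty list,
# which is exactly why it never appears in duty-based SoD reporting.
ROLE_DUTIES = {
    "AP Clerk": {"Maintain vendors", "Enter vendor invoices"},
    "AP Manager": {"Approve vendor invoices", "Process vendor payments"},
    "Procurement Agent": {"Create purchase orders"},
    "Read-only Auditor": {"View ledger"},
    "System administrator": set(),
}

ADMIN_ROLE = "System administrator"

# Constructed ruleset: each pair of duties that one person should not hold
# together, with the name of the risk it represents.
SOD_RULESET = {
    ("Maintain vendors", "Process vendor payments"): "Fictitious vendor payment",
    ("Enter vendor invoices", "Approve vendor invoices"): "Self-approval of invoices",
    ("Create purchase orders", "Approve vendor invoices"): "Unreviewed purchase-to-pay",
}

# Constructed user-to-role assignments for the access review.
SAMPLE_USERS = {
    "alice": {"AP Clerk", "AP Manager"},
    "bob": {"Procurement Agent"},
    "carol": {"Read-only Auditor", "System administrator"},
}


def duties_for(roles):
    """Union of the duties granted by a set of roles."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def sod_violations(roles):
    """Every ruleset conflict present in the given role set, as
    (risk name, duty A, duty B) tuples."""
    duties = duties_for(roles)
    return [(name, a, b) for (a, b), name in SOD_RULESET.items()
            if a in duties and b in duties]


def check_assignment(current_roles, new_role):
    """Item 8, step 1: conflicts that adding new_role would introduce,
    ignoring any the user already has."""
    before = set(sod_violations(current_roles))
    after = set(sod_violations(set(current_roles) | {new_role}))
    return sorted(after - before)


def review_users(user_roles):
    """Item 8, steps 2 and 4, plus item 6: findings per user, including
    system administrator holders that duty-based rules cannot see."""
    report = {}
    for user, roles in user_roles.items():
        findings = [f"SoD: {name}" for name, _, _ in sod_violations(roles)]
        if ADMIN_ROLE in roles:
            findings.append("Holds System administrator (bypasses SoD reporting)")
        if findings:
            report[user] = findings
    return report


def uncovered_duties():
    """Item 8, step 5: duties granted by some role but referenced by no rule,
    i.e. candidates to review when new functionality is added."""
    covered = {duty for pair in SOD_RULESET for duty in pair}
    return duties_for(ROLE_DUTIES) - covered


if __name__ == "__main__":
    print("Pre-assignment check:",
          check_assignment({"Procurement Agent"}, "AP Manager"))
    for user, findings in review_users(SAMPLE_USERS).items():
        print(user, "->", findings)
    print("Duties with no rule:", uncovered_duties())
```

In a real review the role-to-duty mapping would be exported from the system and the ruleset maintained with compliance, but the structure is the same: the pre-assignment check reports only the conflicts a new role adds, and the admin check sits alongside the rule-based findings rather than inside them.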

9. Starting security discussions at the wrong time

Whether the D365FO implementation is complete or still in progress, timing is everything. The sooner organisations start, the better. However, starting too early can mean role owners are not yet able to make informed decisions. When implementing D365FO, many businesses focus on security after the conference room pilot (CRP) sessions and before user acceptance testing (UAT). Working backward from the UAT date allows businesses to create an appropriate security timeline.

Implementing Microsoft Dynamics 365 Finance and Operations is a significant undertaking, but avoiding these key mistakes when implementing access and user security can significantly increase the likelihood of a successful and smooth implementation. By planning carefully, gaining management buy-in, focusing on security, and providing adequate support and change management, organisations can harness the full potential of D365FO to drive efficiency and growth.

To help clients begin their journey towards robust, compliance-oriented security, Protiviti has developed Microsoft Dynamics 365 Finance and Supply Chain Security role templates.

To learn more about our Microsoft consulting solutions, contact us.
