Microsoft D365 Security Design Implementation Considerations This blog post was authored by Julia Artzi - Senior Consultant, Business Platform Transformation on Protiviti's technology insights blog.When approaching an ERP implementation, the topic of security is going to be broached and the question then becomes, “now or later?”Before discussing the considerations for implementing security before or after an ERP implementation, it is important to review the purpose of creating a custom security model. For most companies, creating compliant custom security is a requirement. Utilising standard out-of-box security will result in numerous segregation of duties risks that most likely will be identified during an audit. To be proactive, aligning a custom security design with the ERP implementation will keep risks and controls upfront, encourage collaboration amongst teams and avoid potential re-work in business processes. We outline some aspects to consider for deciding when to implement a custom security design either before or after an ERP implementation below. Topics Cybersecurity and Privacy Industries Technology, Media and Telecommunications Implementation timelinePre-ERP implementation: Designing, building and testing a custom security model takes several months, varying based on the number of modules utilised. Most of this time will be spent conducting workshops with the business to determine access requirements and then the role build itself. Since these roles will be built to be risk compliant, we will also need to factor in time to configure a segregation of duties ruleset and control library. Organisations already on the path to implementation will want to weigh this timeline against the need to go-live as quickly as possible.Post-ERP implementation: Implementing security after an ERP implementation allows for more buy-in time from the business, IT, and compliance. There is less pressure to make decisions based on the ERP implementation timeline and greater focus on taking the proper measures to come to a reasonable solution.User knowledge basePre-ERP implementation: While all security designs are iterative, there may be additional iterations when implementing security during an ERP implementation as the SMEs are learning the platform functionality, business processes are still in design phases and configuration is still being completed. While this may appear as a disadvantage, the security role design may help SMEs better understand the system and provide transparency among the responsibilities of other workstreams.Post-ERP implementation: On the other hand, designing custom security after implementation will be more streamlined as the business processes and configurations are defined, resulting in quicker decision making and testing during the project.Business opticsPotentially one of the most important considerations is the impact on the business. The look and the feel of the application and the user experience is different depending on which approach is taken. This could result in additional change management and training efforts to help the end user understand how to use the application leveraging the custom security model.Pre-ERP implementation: When aligning role design to ERP implementation, the business will operate compliantly immediately from go-live. Although there may be some growing pains incorporating security into the implementation, there is less burden on IT for maintenance as the business has a deeper understanding of the system and will be empowered to make decisions.Post-ERP implementation: Designing security post-implementation may have larger impacts on the business as the business has become comfortable with their access and navigation. The business may have to adjust their processes due to potential access changes as roles become segregation of duties risk compliant. However, implementing a custom security model after an ERP implementation may give more time for the business to grasp the concepts and be engaged in the role design without distraction from other implementation activities.TestingPre-ERP implementation: During an ERP implementation, we recommend incorporating security during the user acceptance testing phase. One of the main obstacles we see is that testers may not know exactly what to look for or do not fully understand the way the system should function as this may be one of their first experiences working in the system. Additionally, it may be difficult for testing teams to identify what issues are related to security and which are related to configuration, integrations or custom code. It is important to create synergy among the testing team to ensure bugs are properly identified and troubleshooted in a timely manner.Post-ERP implementation: If a business designs security after implementation, testers are easily able to navigate test scripts and identify bugs. Also, business processes are already defined, which removes the guesswork in the testing process.Licensing impactsPre-ERP implementation: While cost can be a deterring factor in deciding when to implement a custom security model, it is important to weigh it against the cost of utilising standard out-of-box security. The out-of-box roles tend to overprovision security – creating segregation of duties risks and higher licensing costs. Customising the security model to only the access required will make the environment more secure and can save hundreds of thousands in licensing fees. Learn more about the Microsoft D365 licensing model here.Post-ERP implementation: Implementing security post implementation might result in more licensing fees during the initial go-live. Depending on the size of the user base, this can add up quickly and offset any savings realised during the implementation. Although putting security on the back burner may help the overall ERP implementation cost and timeline, it may create increased costs for compliance to closely monitor and report against user’s out-of-box access.It is important to align with the implementation partner and team to understand which choice is right for each business. In either case, a custom security model is the best way to ensure the system is properly secured from segregation of duties risks.Final considerationsOrganisations looking for the segregation of duty risk and user licensing minimisation of custom security, but which do not have the necessary resources for a full design timeline as described in this post, may want to consider the D365FO Template Role offering from Protiviti. These template roles offer a great starting point in the custom security design journey and offer easy customisation to fit business needs.To learn more about our Microsoft consulting solutions or a free solution demo, contact us. Featured insights BLOGS Building a Business Case for Copilot for Microsoft 365 – A Game-Changer for Business Efficiency With the rapid rise in artificial intelligence (AI) tools, companies are updating technologies and processes as quickly as budgets allow. Industries are transforming rapidly as the drivers for economic growth are evolving. BLOGS Improving Financial Services’ Efficiency with Copilot for Microsoft 365 In an era of rapid technological advancement, businesses are increasingly turning to artificial intelligence (AI) to enhance productivity, streamline processes and improve decision-making. One such tool making waves in the financial services sector... BLOGS Unlocking Agile Insights: Building Automated Burndown Charts with Microsoft DevOps Analytics View and Power BI In the fast-paced world of software development, staying ahead of the curve requires more than just coding prowess. Agile methodologies have emerged to provide a structured framework for teams to navigate the ever-changing landscape. BLOGS Building an Accessibility Culture with Copilot for Microsoft 365 Organisations across the U.S. recognise the criticality of accessibility for both consumers and employees. This concern dates to the early 2000s, when several well-known brands were targeted by lawsuits that ultimately changed how e-commerce works.... BLOGS Microsoft SharePoint Premium simplifies content management and governance Content management involves the creation, organisation, storage and distribution of digital content within an organisation, ranging from documents and images to videos and web pages. One of the biggest problems businesses face with content management... BLOGS 9 common errors to avoid while implementing security in Microsoft Dynamics 365 Finance and Operations Microsoft Dynamics 365 Finance and Operations (D365FO) is a comprehensive ERP solution that empowers businesses to optimise financial management and operational efficiency. With its integrated approach, powerful analytics, scalability and continuous... BLOGS Navigating the GenAI course with Microsoft Copilot Generative artificial intelligence (GenAI) is a hot topic these days, and not just in the IT world. The statistics indicate off-the-charts interest in GenAI’s capabilities, with AI spending predicted to more than double to $300 billion by 2026.... BLOGS Azure DevOps: 3 tips to organise work items using standard functionality To effectively manage software development projects, it’s crucial to organise work items efficiently. Proper organisation not only boosts productivity but also enhances collaboration among team members. Microsoft Azure DevOps (ADO) is a powerful... BLOGS Capabilities, limitations of Microsoft’s native SoD tool Segregation of duties (SoD) is a well-known term among auditors and anyone who has ever been audited. SoD is the understanding that no user should have access to two conflicting business functions that would allow a user to commit fraud or error (e.g... BLOGS Creating Read-Only Roles for Microsoft Dynamics 365 Finance and Supply Chain Management This blog post was authored by Sarah Guthrie - Senior Consultant, Enterprise Application Solutions on Protiviti's technology insights blog. In today’s fast-paced business landscape, organisations rely heavily on robust enterprise resource planning... BLOGS Migrating Security from Microsoft Dynamics 365 Finance and Supply Chain Management Microsoft Dynamics 365 Finance and Supply Chain Management (D365 F&SCM) publishes security changes with new code releases. These changes are automatically applied to out-of-the-box security roles, duties and privileges when the code is upgraded... Button Button