Migrating Security from Microsoft Dynamics 365 Finance and Supply Chain Management This blog post was authored by Julia Artzi - Consultant, Sarah Guthrie - Senior Consultant, Enterprise Application Solutions on The Technology Insights Blog. Microsoft Dynamics 365 Finance and Supply Chain Management (D365 F&SCM) publishes security changes with new code releases. These changes are automatically applied to out-of-the-box security roles, duties and privileges when the code is upgraded in a given environment. However, manual migrations between development, test and production environments are required when maintaining a customised security design that complies with segregation of duty risks and contains custom objects. We would like to share our principles to approach security migration, known limitations in security migrations and use cases for two distinct types of migrations utilising Fastpath Assure. Topics IT Management, Applications and Transformation Approach Allow a lower-tiered environment (development environment) to be the source of truth for production. We recommend first making security changes/build in a development environment, migrating to a test environment for user acceptance testing and upon confirmation migrating into production, as per change management standards. Periodically export production security configuration as a backup. We recommend storing a security backup in case of any faulty migrations or code updates to reduce business performance impacts from access issues. We have experienced instances where security is accidentally updated from an older environment without warning. This causes security regression, undoing previous changes made and leading to an excess of bugs submitted. Periodic exports of security prevent this issue. Align code base between all environments. If security objects are available in one environment and not another, the migration will not import any security object which does not exist in the receiving environment. This makes the source of truth a grey area. Please note the two instances below in which this situation may arise. This can happen when a role is created directly in the production environment and the same name exists in the lower-tier environment. When importing security from the lower-tier environment to production, an error arose. Even though the security labels were the same, the system names were different. This means that the production role cannot be updated via security import. If new custom objects are added in one environment but do not exist in future environments down the migration path, then security changes — including those custom objects — will not appear in the receiving environment since they do not exist. This could happen when new objects are evaluated in a user acceptance testing (UAT) environment, for instance, and is not yet available in production. This does not cause security migration errors; it just does not associate the nonexistent securable objects to the desired roles or privileges. Keep track of changes. We recommend labeling security configuration imports with the migrated changes, the environment migrated from and the date to properly document changes. During the hyper-care period for a security go-live, there may be numerous security migrations every day between environments, and sometimes to the same role. It is important to keep track of the order of these changes, especially when they impact the same role, duty or privilege since moving change out of order can cause security regression. Limitations One of the largest limitations to security migrations is that the out-of-box security migrations in D365 will only allow system administrators to migrate all the security from one environment into another. Because the system imports and exports the entire security configuration, thousands of objects import each time a security migration is complete, regardless of the scope of the changes. For instance, if one object is added to a privilege, the entire security migration will still need to be imported due to system limitations. This increases the margin of error as any changes made to other roles, duties or privileges that may not be ready to import will get picked up in the migration. Additionally, this process will result in every environment mirroring each other. This means test roles built in a development environment will appear in the production security configuration. It is ideal to have the test environment be a source of truth for production, but not necessarily the development environment. Due to these limitations, we recommend utilising tools such as Fastpath’s Security Migrations feature (part of the Security Designer module) to migrate security via code or user interface (UI). The feature allows security administrators to only migrate the change made to a specific role, duty or privilege and provides the flexibility to migrate only the change(s) that are ready for testing. Two methods of migrating security: Export to code and export to UI Utilising Fastpath, the migration is executed by first exporting security configuration within D365, importing the security to the Fastpath tool, selecting which roles, duties or privileges to migrate, then importing the file export into the appropriate D365 environment. Fastpath Security Migration allows for easy selection of roles, duties and privileges by system name and AOT name, exporting the file into XML to import directly in another D365 environment or exporting to code to be imported via code. Code migration allows for easier version control than XML and allows code to be migrated across multiple environments more quickly, however, it does require knowledge of Visual Studio whereas ‘export to UI’ is more user-friendly as it is done in the UI. Please see our steps below on how to complete these types of migration. In the development environment, export security configuration from D365 F&SCM (System Administration > Security > Security Configuration > Data > Export). In Fastpath, navigate to Security Designer > Security Migration. Click the + icon in the upper right of the Security Migration pane. Enter the security migrations name (i.e., 09/16/22 12:00pm, Dev to Prod, Adding All Customer page to Help Desk role). Select the XML file exported in step 1. Click Save. Toggle on the roles, duties, and/or privileges to be migrated. Remember that toggling on an object will automatically grab all the associated security roles, duties and privileges. Source: https://support.fastpathassure.com/hc/en-us/articles/360041124533 Reference either the code migration or UI migration section below dependent on the method selected for migration. Code migration Click the down arrow next to the security migration and click ‘export to code.’ Graphical user interface, application Source: https://support.fastpathassure.com/hc/en-us/articles/360041124533 From here, follow the normal steps for code migration. If a defined process does not exist, continue with the steps below. In Visual Studio, create a model for security; within that, create a security project with folders for roles, duties and privileges. Add the exported roles, duties and/or privileges from step 6 into the corresponding folders in Visual Studio. Synchronise the databases. To confirm that the changes were successful, open the uploaded environment and navigate to System Administration > Security Configuration. Filter for the roles/duties/privileges created and verify they now exist. UI migration Select Export to UI Navigate to the D365 Security Configuration page and import the XML file generated through the Fastpath export. Roles, duties and privileges affected by the changes will appear in the “Unpublished Objects” header. Select “Publish All” to enable changes. Security migration is a vital part of building security in D365 F&SCM. Understanding the different methods and their benefits can improve any security design approach. Using ‘export to UI’ is beneficial when building in the front end. However, when migrating across multiple environments or to maintain version control ‘export to code’ may be more useful. Utilising Fastpath and these two methods will make security migration simpler. To learn more about our Microsoft consulting solutions, contact us. Find out more about our solutions: Microsoft Consulting Solutions Protiviti is a Managed, Microsoft Cloud Solutions Partner with proficiency in all 6 designations: Modern Work, Security, Data and AI, Infrastructure, Digital and Application Innovation and Business Applications. Leadership Michael Pang Michael is a managing director with over 20 years’ experience. He is the IT consulting practice leader for Protiviti Hong Kong and Mainland China. His experience covers cybersecurity, data privacy protection, IT strategy, IT organisation transformation, IT risk, post ... Learn More Adam Johnston Adam is the country market lead for Hong Kong. With over 15 years’ experience, he has spent much of his career consulting to Fortune 500 organisations, helping them solve complex transformation, and resourcing programs and projects. Adam’s specialisation is ... Learn More Featured insights BLOGS Building a Business Case for Copilot for Microsoft 365 – A Game-Changer for Business Efficiency With the rapid rise in artificial intelligence (AI) tools, companies are updating technologies and processes as quickly as budgets allow. Industries are transforming rapidly as the drivers for economic growth are evolving. BLOGS Improving Financial Services’ Efficiency with Copilot for Microsoft 365 In an era of rapid technological advancement, businesses are increasingly turning to artificial intelligence (AI) to enhance productivity, streamline processes and improve decision-making. One such tool making waves in the financial services sector... BLOGS Unlocking Agile Insights: Building Automated Burndown Charts with Microsoft DevOps Analytics View and Power BI In the fast-paced world of software development, staying ahead of the curve requires more than just coding prowess. Agile methodologies have emerged to provide a structured framework for teams to navigate the ever-changing landscape. BLOGS Building an Accessibility Culture with Copilot for Microsoft 365 Organisations across the U.S. recognise the criticality of accessibility for both consumers and employees. This concern dates to the early 2000s, when several well-known brands were targeted by lawsuits that ultimately changed how e-commerce works.... BLOGS Cloud synergy: Microsoft Azure and its relationship to Microsoft 365 As organisations increasingly embrace cloud-based technologies to enhance productivity and efficiency, understanding the dynamic relationship between Microsoft Azure and Microsoft 365 becomes crucial for maximising their potential. With the power of... BLOGS Microsoft SharePoint Premium simplifies content management and governance Content management involves the creation, organisation, storage and distribution of digital content within an organisation, ranging from documents and images to videos and web pages. One of the biggest problems businesses face with content management... BLOGS 9 common errors to avoid while implementing security in Microsoft Dynamics 365 Finance and Operations Microsoft Dynamics 365 Finance and Operations (D365FO) is a comprehensive ERP solution that empowers businesses to optimise financial management and operational efficiency. With its integrated approach, powerful analytics, scalability and continuous... BLOGS Navigating the GenAI course with Microsoft Copilot Generative artificial intelligence (GenAI) is a hot topic these days, and not just in the IT world. The statistics indicate off-the-charts interest in GenAI’s capabilities, with AI spending predicted to more than double to $300 billion by 2026.... BLOGS Azure DevOps: 3 tips to organise work items using standard functionality To effectively manage software development projects, it’s crucial to organise work items efficiently. Proper organisation not only boosts productivity but also enhances collaboration among team members. Microsoft Azure DevOps (ADO) is a powerful... BLOGS Capabilities, limitations of Microsoft’s native SoD tool Segregation of duties (SoD) is a well-known term among auditors and anyone who has ever been audited. SoD is the understanding that no user should have access to two conflicting business functions that would allow a user to commit fraud or error (e.g... BLOGS Creating Read-Only Roles for Microsoft Dynamics 365 Finance and Supply Chain Management This blog post was authored by Sarah Guthrie - Senior Consultant, Enterprise Application Solutions on Protiviti's technology insights blog. In today’s fast-paced business landscape, organisations rely heavily on robust enterprise resource planning... Button Button Featured client stories Global Hospitality Company Achieves Efficiencies with Microsoft and Nintex A global hospitality company needed to transition their highly manual process for RFPs to one that was more automated. The need to update their processes was driven by the changes required to address the Covid-19 pandemic, which created a dynamic... Global Retailer Goes Digital: Revitalising Store Operations and Enhancing Community Commitment Protiviti leveraged Microsoft Power BI to help this client transform its operational analytics. We built a user interface that generates analytics every 15 minutes and is easy to use with little training required. From staffing and sales targets to... Intelligent Document Retrieval System, Powered by Responsible AI, Helps Reduce Air Pollution This company is a leader in the supply of after-sale services to the world’s engine and compressor markets and is trusted by nuclear power plants, the U.S. military and both public and private electricity generators around the globe. With the EPA’s... Global Health Services Company Modernises Data and Applications with Microsoft A global health services company needed to execute on its corporate promise to deliver affordability and convenience to its patients. However, the company discovered that there was a disconnect between that promise and intended delivery. Further... Manufacturer Optimises Supply Chain Analytics With Azure Machine Learning Global Manufacturer optimises supply chain analytics with Microsoft Azure Machine Learning significantly improving its ability to adapt to rapid changes in both processes and cost analyses. Button Button