Getting started with authorizations in Dynamics? With the right approach and software, a sound authorization structure is closer than you think. However, there are a lot of things that you can overlook, so that the desired result is not achieved and risks remain.
With the right tips you will ensure a sound authorization structure that provides good security and internal control.
For each phase in the authorization cycle, our partners at 2 Control have listed tips for you:
- Make sure you talk to the right and relevant people for an authorization process. The right people from IT and controlling are essential for an authorization project to succeed. It is also advisable to involve the management team.
- Create two matrices for designing the authorization structure:
  - A matrix of permission sets per function;
  - A matrix of functions per user.
- Always create permission sets on task level. It is important to make these very detailed in order to keep Dynamics NAV as manageable as possible.
  - Think about separating the creation and booking of invoices.
- Use the need-to-use principle instead of the need-to-know principle.
  - What is the risk of users reading certain information, e.g. order prices or personal data?
- The goal of your design is to implement a desired segregation of duties. So, take segregation of duties into account in the design.
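The two matrices and the segregation-of-duties goal above can be checked mechanically before anything is built in Dynamics NAV. The following is an added example, not code from 2 Control, Authorization Box or Dynamics NAV: it models "permission sets per function" and "functions per user" as dictionaries, derives each user's effective permission sets, and reports every user (and every single function) that holds both halves of a segregation-of-duties rule such as creating and booking invoices. All function names, permission-set names, users and rules are constructed sample data.

```python
"""Added example (not 2 Control's, Authorization Box's or Microsoft's code).

Models the two design matrices from the tips and runs a segregation-of-duties
(SoD) check over them. Every name below is constructed sample data.
"""

# Matrix 1: task-level permission sets per function (constructed).
SETS_PER_FUNCTION = {
    "AP clerk":    {"PURCH-INV-CREATE", "VENDOR-READ"},
    "AP approver": {"PURCH-INV-POST", "VENDOR-READ"},
    "AP lead":     {"PURCH-INV-CREATE", "PURCH-INV-POST", "VENDOR-EDIT"},
    "Controller":  {"GL-READ", "VENDOR-READ"},
}

# Matrix 2: functions per user (constructed).
FUNCTIONS_PER_USER = {
    "anna":  {"AP clerk"},
    "bert":  {"AP approver"},
    "carla": {"AP clerk", "AP approver"},  # both halves of one process via two functions
    "dirk":  {"AP lead"},                  # both halves inside a single function
}

# SoD rules: pairs of task-level permission sets one person should not hold together.
SOD_RULES = [
    ("PURCH-INV-CREATE", "PURCH-INV-POST"),  # creating and booking purchase invoices
    ("VENDOR-EDIT", "PURCH-INV-POST"),       # changing a vendor and booking its invoices
]


def effective_sets(user):
    """Union of the permission sets of every function assigned to the user."""
    held = set()
    for function in FUNCTIONS_PER_USER.get(user, ()):
        held |= SETS_PER_FUNCTION[function]
    return held


def function_conflicts():
    """Functions whose own permission sets already violate a rule (a design error
    that no user-level assignment can fix)."""
    report = {}
    for function, sets in SETS_PER_FUNCTION.items():
        hits = [(a, b) for a, b in SOD_RULES if a in sets and b in sets]
        if hits:
            report[function] = hits
    return report


def sod_conflicts():
    """Map each user to the rules they violate, naming the functions that grant
    each half so the conflict can be traced back to matrix 2."""
    report = {}
    for user, functions in FUNCTIONS_PER_USER.items():
        held = effective_sets(user)
        hits = []
        for left, right in SOD_RULES:
            if left in held and right in held:
                via_left = sorted(f for f in functions if left in SETS_PER_FUNCTION[f])
                via_right = sorted(f for f in functions if right in SETS_PER_FUNCTION[f])
                hits.append((left, right, via_left, via_right))
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for function, hits in function_conflicts().items():
        print(f"function {function!r} is inherently conflicting: {hits}")
    for user, hits in sod_conflicts().items():
        for left, right, via_left, via_right in hits:
            print(f"user {user!r} holds {left} (via {via_left}) and {right} (via {via_right})")
```

Running the check at function level first matters: a conflict inside one function (like the constructed "AP lead") cannot be solved by reassigning users, only by splitting the function into smaller task-level sets.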
- Use a recorder. It may seem obvious, but there are enough cases in which all tables have been searched manually. Our partner 2 Control offers a recorder with Authorization Box, but if you work with Dynamics NAV 2017 or newer you can use the standard available recorder.
- Think about which types of documents you use in Dynamics NAV.
  - E.g. when it’s about purchase invoices, think about the warehouse administration, fixed assets, VAT and customization. Does all of this have to be in one set of permissions?
- When building authorizations, take the indirect rights into account. Risks seem to be limited with direct rights, but they are still present.
- See if and how you want to authorize master data separately, for example in logistic, administrative and financial fields.
- Perform tests! Let key users test what you have built:
  - Different scenarios per document type;
  - Partial tests of individual authorization sets; and
  - Integral testing of entire functions.
- Take document approval into account.
  - Users must be authorized to send and approve documents.
- Ensure document approval. Document approval can help to implement segregation of duties. If a user must create and book purchase invoices, approval functionality can prevent the booking of unauthorized documents. In Dynamics NAV you’ll find purchase and sales rules in the same table. In relation to risk management, you want these separated. This can be done by describing it in terms of a procedure, but that’s not enough. An external auditor will not agree to this either. Our Field and Dataset Security module can help you with this.
  - Dataset security makes it possible to limit the rights of a user to e.g. one document type.
- In Dynamics NAV it is not possible to distinguish between e.g. logistic fields and fields on the article card. This can be done with the Field and Dataset Security module.
  - Field protection is built to authorize every desired field as a separate task.
- Decentralize master data, otherwise too much information will be accessible to everyone. This can be done with customization, but that is the expensive solution and makes the upgrade process difficult.
- Make sure that a user cannot see all the general ledger entries. This can be adjusted with our Field and Dataset Security module.
  - Dataset security makes it possible to completely hide fields.
- Ensure effective troubleshooting. Problems will emerge from the management of the authorizations. These problems must be solved as soon as possible. For troubleshooting you must make sure that:
  - Screenshots are always requested or, if necessary, you look together with the client;
  - Notification and solution are logged;
  - The control department is involved;
  - The authorization design is modified.
- Ensure a clear procedure for entering and leaving the company. Your proper authorization structure will be blurred in no time at all when you don’t do this. This is important not only with regard to Dynamics NAV, but also throughout the entire organization.
- Use a clear procedure for holidays and leaves. Employees go on holiday and rights are 'temporarily' transferred to a colleague. Potential risks arise as a result. A clear procedure should also be used for holidays and workflow during leave. Make sure that temporary rights do not remain permanent.
- Temporarily assign an additional function with start and end dates in the absence of colleagues. Authorization Box offers the solution for efficient authorization management.
- Log everything that never changes! You need enough information to monitor the authorizations. To do so, activate the change log. Take the following into account:
  - Settings / configuration data that never change: integral logging.
  - Master data: certainly log fields such as booking groups and prices, and think about what you want to be able to look back on; integral logging makes the change log unclear.
  - Process data as needed, when the organization does something with it.
  - See also the blog article about the change log in Dynamics NAV.
- Check authorizations at least once a year. Authorization monitoring in Authorization Box supports this by means of demand-driven (conflict) analyses and reports with activity. Test the actual assigning of authorizations compared with the design. This is to check whether the assigning has been done correctly.
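The last three tips (temporary rights that must not become permanent, leaver procedures, and testing the actual assignment against the design at least once a year) come down to one reconciliation. The following is an added example, not Authorization Box or Dynamics NAV code: it takes the designed user-to-permission-set assignment and an export of the actual assignments (user, permission set, start date, end date) and reports sets that are missing against the design, sets granted beyond the design, and temporary grants whose end date has passed but that are still present. The design, the export rows and the "today" date are constructed sample data; the start/end columns are an assumption about how temporary assignments are recorded.

```python
"""Added example (not Authorization Box's or Microsoft's code).

Reconciles actual permission-set assignments against the authorization design
and flags temporary rights that outlived their end date. All data is constructed.
"""
from datetime import date

# Designed assignment: user -> permission sets the design says they should hold.
DESIGN = {
    "anna": {"PURCH-INV-CREATE", "VENDOR-READ"},
    "bert": {"PURCH-INV-POST", "VENDOR-READ"},
}

# Actual assignments as exported: (user, permission set, start, end).
# end=None means permanent. Assumed record layout, constructed rows.
ACTUAL = [
    ("anna", "PURCH-INV-CREATE", date(2019, 1, 1), None),
    ("anna", "VENDOR-READ",      date(2019, 1, 1), None),
    ("anna", "PURCH-INV-POST",   date(2019, 7, 1), date(2019, 7, 14)),  # holiday cover
    ("bert", "PURCH-INV-POST",   date(2019, 1, 1), None),
    ("bert", "GL-READ",          date(2019, 1, 1), None),               # not in the design
    ("erik", "VENDOR-READ",      date(2019, 1, 1), None),               # user not in design
]


def reconcile(design, actual, today):
    """Compare actual grants with the design.

    Returns a dict with:
      missing: {user: [sets in design but not granted]}
      extra:   {user: [sets granted but not in design]}  (includes unknown users)
      expired: [(user, set, end)] temporary grants past their end date still present
    """
    granted = {}
    expired = []
    for user, pset, start, end in actual:
        if end is not None and end < today:
            expired.append((user, pset, end))
        # An expired grant is still a live grant until it is removed, so it
        # also counts towards the design comparison below.
        granted.setdefault(user, set()).add(pset)

    missing, extra = {}, {}
    for user in sorted(set(design) | set(granted)):
        designed = design.get(user, set())
        held = granted.get(user, set())
        if designed - held:
            missing[user] = sorted(designed - held)
        if held - designed:
            extra[user] = sorted(held - designed)
    return {"missing": missing, "extra": extra, "expired": expired}


def run_sample():
    """Reconcile the constructed data as of a constructed review date."""
    return reconcile(DESIGN, ACTUAL, date(2019, 9, 1))


if __name__ == "__main__":
    result = run_sample()
    for user, sets in result["missing"].items():
        print(f"{user}: designed but not granted: {sets}")
    for user, sets in result["extra"].items():
        print(f"{user}: granted beyond the design: {sets}")
    for user, pset, end in result["expired"]:
        print(f"{user}: temporary {pset} ended {end} but is still assigned")
```

A user who appears in the export but not in the design (the constructed "erik") is exactly the case a leaver procedure should have caught, and an expired temporary grant that is still present is the "temporary rights remaining permanent" risk from the holiday tip; both surface in the same report as deviations to be removed, not just noted.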
Do you want more tips? Or would you like to talk with an authorization specialist about a quick, simple and efficient set-up of authorizations in your company? We will arrange for 2 Control to demonstrate the solution, tailored to your questions and wishes.