Authorization Monitoring is a self-audit tool that helps management to be ‘in control’ of the authorizations in Microsoft Dynamics 365 Business Central and Microsoft Dynamics 365 for Finance and Operations.
Authorization Monitoring provides insight into the quality of your Authorization Framework and Setup. Through the analysis of Critical Permissions, you detect flaws in Permission Sets, Organization Roles and User Authorizations. The analysis results will show you where Data Ownership and Segregation of Duties (SoD) in your Authorization Framework and Setup is established and where it is lacking.
Authorizations are set up according to a concept whereby employees / organization roles are responsible for certain data in Business Central.
In addition, the authorizations enforce the segregation of duties in the organization.
Standard Business Central has no functionality to analyze the quality of the authorizations, so organizations have no instrument with which to control their setup.
Using the Monitoring module, you can evaluate the quality of the permissions assigned by asking questions, defined as Critical Permissions.
Critical Permissions can be grouped into processes for ease of analysis.
Furthermore, formally accepted risks can be excluded from the analysis.
Conflicts are defined as a combination of Critical Permissions to be avoided for segregation of duties.
For documentation and processing purposes of the Critical Permissions, you can define Processes as a subdivision on Critical Permissions. (e.g. Sales, Finance, Purchasing, Warehousing)
Go to Monitoring => Settings => Processes and click on ‘New’.
‘Save & Close’ : Saves the Process and closes the page.
‘Save & New’ : Saves the Process and clears the fields.
'Cancel' : Cancels adding the new Process and closes the page.
For documentation and processing purposes of the Critical Permissions you can define Categories as a subdivision of the Processes assigned to the Critical Permissions. (e.g. Prospect, Ledger, Vendor, Shipping)
Go to Monitoring => Settings => Categories and click on 'New'.
‘Save & Close’ : Saves the Category and closes the page.
‘Save & New’ : Saves the Category and clears the fields.
‘Cancel' : Cancels adding the new Category and closes the page.
If the organization formally accepts risks, these may be excluded from analysis.
The permission set SUPER is an example that always results in a finding, because users with this permission set can modify all data in the system. If it is included in the analysis, every analyzed Critical Permission produces a finding for every SUPER user, which clutters the analysis.
This is why you can exclude permission sets like SUPER from the analysis.
If required, you can include any excluded role in the analysis by selecting the option “Analysis with excluded permission sets” on the Critical Permission.
Go to Monitoring => Settings => Excluded Permission Sets and click on ‘New’ to choose a Permission Set which has to be excluded.
You can also select several Permission Sets at once which you want to exclude, by clicking on more Sets. A check mark will be visible behind the chosen Sets.
'Save & Close' : Saves the exclusion of the chosen Permission Set(s) and closes the page.
'Cancel' : Cancels the exclusion of the chosen Permission Set(s) and closes the page.
A Critical Permission is a question you can ask Authorization Box.
For example:
To set up a Critical Permission, you need to configure three parts:
Go to Monitoring => Critical Permissions . Click on ‘New’ to create a Critical Permission.
The header holds information for documentation and processing purposes:
'Save' : Saves the header and expands the page with the fasttabs Objects, Allowed Organization Roles, Conflicting Permissions and Subscribers Continuous Monitoring, in which you link the objects that have to be analyzed.
'Cancel' : Cancels the addition of the new Critical Permission and closes the page.
To link one or more Objects to the Critical Permission you want to analyze, follow these steps:
Open the Critical Permission and click 'Edit' or,
in case of a new Critical Permission go to the fasttab “Objects”.
Click on 'New' to set up the permission to analyze:
'Save & Close' : Saves the object and settings to the Critical Permission and closes the page.
'Save & New' : Saves linking the object to the Critical Permission and clears the fields to add a new object to link.
You can link “Allowed Organization Roles” to set up which permissions are allowed by default, according to the authorization design / authorization framework :
In the analysis results the system will mark these results (Organization Roles and linked Permission sets) as Agreed Configuration.
Click on 'New' to link an Organization Role.
'Save & Close' : Saves the allowed organization role to the Critical Permission and closes the page.
'Save & New' : Saves the allowed organization role and clears the fields to add another Allowed Organization Role to the Critical Permission.
‘Cancel’ : Cancels the addition of the new allowed organization role and closes the page.
This column shows the number of change log entries retrieved from Business Central, provided the change log has been activated in Business Central for the applicable objects.
After using the button ‘Calculate Change Log’, this column shows the number of changes made by that user on the objects in that Critical Permission.
To see the logged changes, open the result with the ‘eye-icon’ and then click on the number in the “No. of Change Log Entries” column.
To retrieve the change log entries automatically, check the box “Retrieve change log automatically” when adding / editing the Critical Permission.
Conflicts are defined as a combination of Critical Permissions to be avoided for segregation of duties.
Go to Monitoring => Conflicts and click on ‘New’ to create a Conflict.
‘Save & Close’ : Saves the new Conflict and closes the page.
‘Cancel’ : Cancels the addition of the new Conflict and closes the page.
In a Critical Permission, click on 'Edit' and go to the fasttab “Conflicting Permissions” ( or click on the fasttab “Conflicting Permissions” during the addition of a new Critical Permission).
Click on 'New'.
Conflicting Critical Permission Code : Select the conflicting Critical Permission.
Company : Optional: Select the company to which this conflict applies.
Impact : Select the impact of the conflict.
Risk : Describe the risk of the conflict.
‘Save & Close’ : Saves the new Conflict and closes the page.
‘Save & New’ : Saves the new Conflict and clears the fields to add a new Conflict with that Critical Permission.
‘Cancel’ : Cancels the addition of the new Conflict and closes the page.
Before starting an Analysis job, it is important that the Full Synchronization Monitoring task has recently run successfully.
If this has not been run recently, you will be analyzing with outdated information and the results will not be correct.
To analyze permissions, go to Monitoring => Critical Permissions.
On the right hand side you see three notification dots.
Permissions red dot : Shows how many Permissions are reviewed with “Disagreed”.
Permissions blue dot : Shows how many Permissions need "To be reviewed".
Permissions green dot : Shows how many Permissions are reviewed with “Agreed”.
Clicking on the specific dot will show the overview of the Permissions from that status.
Behind these 3 dots, there is also a pencil icon with which you can edit that particular Critical Permission.
In the overview of the Critical Permissions (Monitoring => Critical Permissions) you can analyze the Critical Permissions by selecting them all or just a few by using the check box.
You can select them all using the check box in the blue banner.
If you do not want to analyze all but only a few specific Critical Permissions, check the boxes in front of those Permissions.
Click on 'Analysis'.
A notification that the analysis has started pops up.
During the analysis, you can check the status by clicking ‘Refresh’ which will change the status from “Analysis sent” to “Analysis in progress” and finally into “Analysis done”.
If notification setup for analysis results has been set to “Yes”, a notification will be visible and/or a mail will be received when the analysis has been completed.
(How to set up a notification can be found here.)
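The sections above define the building blocks of an analysis: Critical Permissions (objects plus required permission types), Allowed Organization Roles (findings marked as Agreed Configuration), Excluded Permission Sets such as SUPER, the per-Critical Permission option “Analysis with excluded permission sets”, and Conflicts between two Critical Permissions. The following Python script is an added example that models that analysis on constructed data; it is not 2-Control's code and does not connect to Business Central. Permission set codes, organization role codes, user names and the Critical Permission / Conflict codes are hypothetical, and the table IDs are used only as sample data.

```python
from dataclasses import dataclass, field

# Permission types Business Central grants per object: Read, Insert, Modify, Delete, Execute.
ALL_FLAGS = {"R", "I", "M", "D", "X"}

@dataclass
class PermissionSet:
    code: str
    permissions: dict          # (object_type, object_id) -> set of granted flags

@dataclass
class OrganizationRole:
    code: str
    permission_sets: list      # permission set codes assigned to the role

@dataclass
class CriticalPermission:
    code: str
    objects: list              # [(object_type, object_id, required_flags)]
    allowed_roles: set = field(default_factory=set)   # "Allowed Organization Roles"
    analysis_with_excluded: bool = False             # "Analysis with excluded permission sets"

@dataclass
class Conflict:
    code: str
    first: str                 # the two Critical Permission codes that must not be combined
    second: str

def grants(pset, obj_type, obj_id, required):
    """True when the permission set holds every required flag on the object."""
    return required <= pset.permissions.get((obj_type, obj_id), set())

def analyze(users, roles, psets, critical_perms, excluded):
    """One finding per (critical permission, user, organization role, permission set).
    Status is 'Agreed' when the role is an Allowed Organization Role, else 'To review'."""
    findings = []
    for cp in critical_perms:
        for user, user_roles in users.items():
            for role_code in user_roles:
                for ps_code in roles[role_code].permission_sets:
                    if ps_code in excluded and not cp.analysis_with_excluded:
                        continue          # formally accepted risk (e.g. SUPER): skipped
                    ps = psets[ps_code]
                    if any(grants(ps, t, i, f) for t, i, f in cp.objects):
                        status = "Agreed" if role_code in cp.allowed_roles else "To review"
                        findings.append((cp.code, user, role_code, ps_code, status))
    return findings

def find_conflicts(findings, conflict_defs):
    """A user who appears in findings for both sides of a Conflict is a SoD finding."""
    held = {}
    for cp_code, user, *_ in findings:
        held.setdefault(user, set()).add(cp_code)
    return [(c.code, user) for c in conflict_defs
            for user, cps in held.items() if {c.first, c.second} <= cps]

def run_example(include_excluded=False):
    """Constructed sample data; all codes are hypothetical, SUPER is abbreviated."""
    psets = {
        "SUPER": PermissionSet("SUPER", {("Table", 23): ALL_FLAGS, ("Table", 38): ALL_FLAGS,
                                         ("Table", 288): ALL_FLAGS}),  # real SUPER covers everything
        "VENDOR-EDIT": PermissionSet("VENDOR-EDIT", {("Table", 23): {"R", "I", "M", "D"},
                                                     ("Table", 288): {"R", "I", "M", "D"}}),
        "PURCH-DOC-EDIT": PermissionSet("PURCH-DOC-EDIT", {("Table", 38): {"R", "I", "M", "D"}}),
        # Flaw planted for the example: a sales set that can also modify Vendor Bank Account.
        "SALES-EDIT": PermissionSet("SALES-EDIT", {("Table", 36): {"R", "I", "M", "D"},
                                                   ("Table", 288): {"R", "M"}}),
    }
    roles = {
        "ADMIN": OrganizationRole("ADMIN", ["SUPER"]),
        "AP-CLERK": OrganizationRole("AP-CLERK", ["VENDOR-EDIT"]),
        "PURCHASER": OrganizationRole("PURCHASER", ["PURCH-DOC-EDIT"]),
        "SALES": OrganizationRole("SALES", ["SALES-EDIT"]),
    }
    users = {"alice": ["PURCHASER"], "bob": ["PURCHASER", "AP-CLERK"],
             "carol": ["ADMIN"], "dave": ["AP-CLERK"], "erin": ["SALES"]}
    critical = [
        CriticalPermission("CP-VENDOR-BANK", [("Table", 288, {"M"})],
                           allowed_roles={"AP-CLERK"}, analysis_with_excluded=include_excluded),
        CriticalPermission("CP-PURCH-ORDER", [("Table", 38, {"I", "M"})],
                           allowed_roles={"PURCHASER"}, analysis_with_excluded=include_excluded),
    ]
    sod = [Conflict("SOD-PURCH-VENDOR", "CP-VENDOR-BANK", "CP-PURCH-ORDER")]
    findings = analyze(users, roles, psets, critical, excluded={"SUPER"})
    return findings, find_conflicts(findings, sod)

if __name__ == "__main__":
    findings, conflicts = run_example()
    for row in findings:
        print(row)
    print("conflicts:", conflicts)
```

With SUPER excluded, carol (ADMIN) produces no findings at all; the planted flaw shows up as a “To review” finding for erin, whose SALES role can modify Vendor Bank Account, and bob, who holds both the vendor and the purchase order Critical Permissions, is reported as a Conflict. Running `run_example(include_excluded=True)` mirrors the “Analysis with excluded permission sets” option: carol then appears with “To review” on both Critical Permissions and is also reported as a Conflict.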
In the Critical Permission, go to the fasttab “Analysis result Critical Permission”.
You can filter the findings in 4 ways :
Search : Enter (part of) a word; every result whose Name contains that text is shown.
Filter Type : You can choose to filter on :
Eg. On type Organization Role :
Filter To review : You can choose to filter on :
Eg. On Disagreed :
You can also combine several options.
Eg. Search for “ing”,
Filter Type is “Organization Role” and
Filter To review has to be “To review”.
You can review a result by clicking on the ‘Eye’ button next to the Analysis Result
Or by ticking the checkbox in front of the result and click on the button ‘Review’ in the left top corner.
With this last option you can review multiple results at once.
When reviewing multiple results, these are summed up in the next screen, on the bottom of the Review page.
When you have chosen only one result to review, the next screen will show the specific finding(s) of the Critical Permission.
‘Save & Close’ : Saves the review and closes the page.
‘Cancel’ : Cancels the review and closes the page.
To select all Critical permissions at once, check the box in the title row.
Go to Monitoring => Analysis Results => Critical Permissions.
You can filter the findings in 4 ways :
Search : Enter (part of) a word; every result whose Critical Permission Name, Type or Name contains that text is shown.
Eg. Filtering on “user” shows the results with User in the Critical Permission name, results of type User, and results with User in the Name.
Filter Type : You can choose to filter on :
Eg. On type Organization Role :
Filter To review : You can choose to filter on :
Eg. On Disagreed :
You can also combine several options.
Eg. Search for “ing”,
Filter Type is “Organization Role” and
Filter To review has to be “To review”.
In below example it shows that “ing” is filtered in the Critical Permission Name as well as in the Name (second line) :
You can review a result by clicking on the ‘Eye’ button next to the Analysis Result
Or by ticking the checkbox in front of the result and click on the button ‘Review’ in the left top corner.
With this last option you can review multiple results at once.
When reviewing multiple results, these are summed up on the bottom of the Review page.
When you have chosen only one result to review, the next screen will show the specific finding(s) of the Critical Permission.
‘Save & Close’ : Saves the review and closes the page.
‘Cancel’ : Cancels the review and closes the page.
To select all Critical permissions at once, check the box in the blue banner.
Note : When reviewing an Organization Role, you will also review the Users and Permission Sets of that role.
The Conflicts can not be analyzed separately.
They will be analyzed at the same time an analysis for the Critical Permissions is run.
On the right hand side you will see three notification dots.
Conflicts red dot : Shows how many Conflicts are reviewed with “Disagreed”
Conflicts blue dot : Shows how many Conflicts need "To be reviewed"
Conflicts green dot : Shows how many Conflicts are reviewed with “Agreed”
Clicking on the specific dot will take you to the overview of the Conflicts from that category.
On the right side of these 3 dots, there is also a pencil icon with which you can edit that particular Conflict.
Go to Monitoring => Analysis Results => Conflicts
The review of the Conflicts can be done in the same way as for Critical Permissions. (“Review the selected finding(s) for Critical Permissions”)
As with the Analysis Results of the Critical Permissions screen, you can filter 4 ways :
You can choose to review one or multiple conflicts.
If you click on the Eye button, that conflict will be opened.
To export the reviews to Excel, select the result(s) with the check box(es) and click on the button 'Export'.
To select all Conflicts at once, check the box in the blue banner.
In the Critical Permission, go to the fasttab “Analysis result conflicting Critical Permissions”.
You can filter the findings in 4 ways :
Search : Enter (part of) a word; every result whose Name contains that text is shown.
Filter Type : You can choose to filter on :
Eg. On type Organization Role :
Filter To review : You can choose to filter on :
Eg. On Agreed :
You can also combine several options.
Eg. Search for “ing”,
Filter Type is “Organization Role” and
Filter To review has to be “To review”.
You can review a result by clicking on the ‘Eye’ button next to the Analysis Result
Or by ticking the checkbox in front of the result and click on the button ‘Review’ in the left top corner.
With this last option you can review multiple results at once.
When reviewing multiple results, these are summed up in the next screen, on the bottom of the Review page.
When you have chosen only one result to review, the next screen will show the specific finding(s) of the Critical Permission.
‘Save & Close’ : Saves the review and closes the page.
‘Cancel’ : Cancels the review and closes the page.
To select all Critical permissions at once, check the box in the title row.
You can review the results by Organization role by going to Monitoring => Organization roles.
On this page the analysis results can be reviewed per organization role, so the display is more in line with the way in which the permissions within the Authorization Box can be maintained.
For each organization role, it is shown which users this role has been assigned to and which rights this role gives, based on the Critical Permissions that have been set up.
There are a few filter options on top of the organization roles analysis page.
The first two filters, ‘Filter users on company group’ and ‘Filter users on company’, filter the users on the basis of the organization role assigned to them. This way you can review per company group or per company.
‘Filter users on company group’ only shows the organization roles in that particular group.
‘Filter users on company’ shows the organization roles in that company, including when that company is part of a company group.
There are also two checkboxes to filter with:
Show only used roles : only shows organization roles that are actually assigned to users.
Show only roles to be reviewed : only shows organization roles that have not been reviewed yet.
The fasttab Critical Permissions shows all the Critical Permissions where this organization role is part of in the analysis.
You can click on the name of a critical permission to open it, to check what exactly it entails.
When you click on the number of permission sets, an overview of the permission sets will pop-up, with the rights assigned which are the reason why this organization role is shown as an analysis result for that critical permission.
You can quickly review a result by clicking on the checkmark to agree or cross to disagree.
When a review has been chosen, a small pop-up will allow you to add additional information regarding the made review.
When you add a review on a critical permission for the first time, you also have the option to cancel the review. This option is also available when your new assessment differs from the previous one.
In case you forgot to add some information to your assessment, you can add the information by clicking on the same assessment.
The pop-up will ask if you would like to add information or if you would like to add a new assessment.
To review multiple critical permissions at once, you have to check the boxes of the ones you would like to assess in bulk and then click on the Agree or Disagree button.
A pop-up will appear where you can add information regarding the bulk assessment.
Here you will find the users that are assigned the organization role which resulted in an analysis result.
When you click on a user name or name in this fasttab, you will open the user card.
As in the fasttab of the critical permissions, you can assess a user by clicking on the checkmark to agree or cross to disagree with that user being assigned that organization role.
Here too a pop-up will appear in which you can add information regarding the review made.
To assess users in bulk, you can use the checkboxes and add a review by using the Agree and Disagree button in the fasttab Users.
A given assessment on a critical permission or user will be visible in the reviews history.
The latest review with additional information, will become visible when hovering over the Reviews history icon.
Clicking on the icon will show a pop-up with the history of all the assessments and additional information given, who made the assessment and when it was made.
In both the Critical Permissions fasttab and the Users fasttab, you can filter the overview on review status: Agreed, Disagreed or To review.
Depending on a chosen filter (like e.g. Agreed), the analysis results will be shown. When no filter is chosen, all the analysis results will be visible.
Using the Search option will help you find certain entries easier, like for instance all the critical permissions mentioning sales.
A short video of this menu option (Monitoring through Organization Roles) can be found on 2-Control - YouTube
Go to Monitoring => Reviews
Here you will find the results with status “To review”, “Agreed” or “Disagreed” after an initial analysis.
You can filter from which date on you would like to have the results shown.
“Agreed” means that based on the setup (Allowed Organization Roles) the result has no risk. If you have a lot of analysis results, it is an option to first analyze which Organization Roles are allowed and then link them to the Critical Permission. After a new analysis more results will have the status “Agreed” and less “To review”.
If you have the right permissions, you can delete reviews by selecting the results (check box) to be deleted and click on 'Delete'.
You can also choose to select all results by checking the box in the blue banner.
If you want, you can export the reviews to Excel by selecting the results by using the check box and click on 'Export'.