¶ Basics
Authorization Monitoring is a self-audit tool that helps management to be ‘in control’ of the authorizations in Microsoft Dynamics 365 Business Central and Microsoft Dynamics 365 for Finance and Operations.
Authorization Monitoring provides insight into the quality of your Authorization Framework and Setup. Through the analysis of Critical Permissions, you detect flaws in Permission Sets, Organization Roles and User Authorizations. The analysis results will show you where Data Ownership and Segregation of Duties (SoD) in your Authorization Framework and Setup is established and where it is lacking.
Authorizations are set up to a concept whereby employees / organization roles are responsible for certain data in Business Central.
In addition, the authorizations ensure the segregation of duties in the organization.
Default Business Central has no functionality to analyze the quality of the authorizations. This means organizations have no instrument to control their setup.
Using the Monitoring module, you can evaluate the quality of the permissions assigned by asking questions, defined as Critical Permissions.
Critical Permissions might be grouped in processes for ease of analysis.
Furthermore, accepted risks might be excluded from analysis.
Conflicts are defined as a combination of Critical Permissions to be avoided for segregation of duties.
¶ Setup Authorization Monitoring
¶ Processes
For documentation and processing purposes of the Critical Permissions, you can define Processes as a subdivision on Critical Permissions. (e.g. Sales, Finance, Purchasing, Warehousing)
Go to Monitoring => Settings => Processes and click on ‘New’.
- Name : Short name for the Process.
- Description : More detailed description on the Process.
‘Save & Close’ : Saves the Process and closes the page.
‘Save & New’ : Saves the Process and clears the fields.
'Cancel' : Cancels adding the new Process and closes the page.
¶ Categories
For documentation and processing purposes of the Critical Permissions you can define Categories as a subdivision of the Processes assigned to the Critical Permissions. (e.g. Prospect, Ledger, Vendor, Shipping)
Go to Monitoring => Settings => Categories and click on 'New'.
- Name : Short name for the Category.
- Description : More detailed description on the Category.
‘Save & Close’ : Saves the Category and closes the page.
‘Save & New’ : Saves the Category and clears the fields.
‘Cancel' : Cancels adding the new Category and closes the page.
¶ Excluded Permission Sets
If the organization formally accepts risks, these may be excluded from analysis.
The permission set SUPER is an example which always results in a risk, because users with this role can modify all data in the system. If this role is included in the analysis, every analyzed permission would result in an actual risk, which leads to a complex analysis.
This is why you can exclude permission sets like SUPER from analysis.
If required, you can include any excluded role in the analysis by selecting the option “Analysis with excluded permission sets” on the Critical Permission.
Go to Monitoring => Settings => Excluded Permission Sets and click on ‘New’ to choose a Permission Set which has to be excluded.
You can also select several Permission Sets at once which you want to exclude, by clicking on more Sets. A check mark will be visible behind the chosen Sets.
'Save & Close' : Saves the exclusion of the chosen Permission Set(s) and closes the page.
'Cancel' : Cancels the exclusion of the chosen Permission Set(s) and closes the page.
¶ Critical Permissions
A Critical Permission is a question you can ask Authorization Box.
For example:
- Who is able to modify items?
- Who can create a payment proposal?
- Who is able to perform other tasks? (e.g. post invoices, modify setup, etc.)
To set up a Critical Permission, you need to configure three parts:
- The Critical Permission header.
- Objects (Permissions) you want to analyze for.
- Allowed Organization Roles for this Critical Permission.
¶ Set up a Critical Permission
Go to Monitoring => Critical Permissions . Click on ‘New’ to create a Critical Permission.
The header holds information for documentation and processing purposes:
- Name : The (short) name of the Critical Permission.
- Description : More detailed information of the Critical Permission.
- Risk : Which risk does assigning of the permission(s) pose?
- Impact : What is the impact of misuse of the permission; high, medium or low?
- Process Name : Select the process of the Critical Permission.
- Category Name : Select the Category in which the Critical Permission falls.
- Has to comply to :
- All objects : Select this option if you require all defined permissions for all defined objects are required to get a result.
All of the defined permissions need to be assigned to the user.
For example: to post a document a user needs permissions to both the table data posted header and posted line: Purch. Inv. Header and Purch. Inv. Line (irrespective of the permission set through which these are assigned). Microsoft Dynamics 365 Business Central blocks posting if the user is missing any of these, so it makes sense to analyze for assignment of this combination. - One object : Select this option if just one linked object has to be found in the analysis to get a result. Any of the permissions for any of the objects defined makes the user, organization role or permission set to which the permission is assigned, appear in the results. This is often used for analyzing permissions to master data and setup information. (for example table data accounting period, several posting groups and dimension.)
- All objects : Select this option if you require all defined permissions for all defined objects are required to get a result.
- Analysis with excluded permission sets : Select this option to include the excluded Permission Set(s) with the analysis of this Critical Permission.
- Analysis with inactive users : When the box is not checked (default option), inactive users are to be excluded from the analysis.
- Retrieve change log automatically : Select this option when you want the system to show records from the change log of Business Central for this Critical Permission.
'Save' : Links the objects which have to be analyzed and expands the page with the fasttabs Objects, Allowed Organization Roles, Conflicting Permissions and Subscribers Continuous Monitoring.
'Cancel' : Cancels the addition of the new Critical Permission and closes the page.
¶ Linking Objects to a Critical Permission
To link one or more Objects to the Critical Permission you want to analyze, follow these steps:
Open the Critical Permission and click 'Edit' or,
in case of a new Critical Permission go to the fasttab “Objects”.
¶ Fasttab Objects
Click on 'New' to set up the permission to analyze:
- Type : Select the object type.
- Id : Select the object to analyze. You can find the object by typing the id or name of the object.
- Name : Will be filled in automatically after the Id was selected.
- And/Or RIMDX : Select the option "And” if the Read, Insert, Modify, Delete and Execute permission should be exactly the same as defined.
Select the option “Or” if just one of the object permissions should be found in the analyzes. - Execute : Define the permissions you want to analyze for: indirect or direct (yes) permissions for read, insert, modify, delete (RIMD) for TableData and execute (X) for other object types. In case of TableData you can choose between Yes and Indirect. For other object types, you can only choose Yes.
'Save & Close' : Saves the object and settings to the Critical Permission and closes the page.
'Save & New' : Saves linking the object to the Critical Permission and clears the fields to add a new object to link.
¶ Allowed Organization Roles for a Critical Permission
You can link “Allowed Organization Roles” to set up which permissions are allowed by default, according the authorization design / authorization framework :
- In the “Edit” mode of the Critical Permission, or
- In the process of a new Critical Permission in the fasttab “Allowed Organization Roles”.
In the analysis results the system will mark these results (Organization Roles and linked Permission sets) as Agreed Configuration.
¶ Fasttab Allowed Organization Roles
Click on 'New' to link an Organization Role.
- Organization Role : Select the role in which the permission should be included (no risk).
- Company : Select the company in which the Organization Role is allowed.
'Save & Close' : Saves the allowed organization role to the Critical Permission and closes the page.
'Save & New' : Saves the allowed organization role and clears the fields to add another Allowed Organization Role to the Critical Permission.
‘Cancel’ : Cancels the addition of the new allowed organization role and closes the page.
¶ No. of Change Log Entries
This column shows the number of change log entries retrieved from Business Central, in case this has been activated in Business Central for the applicable objects.
After using the button ‘Calculate Change Log’, this column will show the number of changes, made by that user on objects in that Critical Permission.
To see the logged changes , you have to open that result with the ‘eye-icon’, after which you can click on the number, mentioned in the “No. of Change Log Entries” column.
To automate retrieving the change log entries, the box “Retrieve change log automatically” has to be checked when adding / editing the Critical permission.
¶ Conflicts
Conflicts are defined as a combination of Critical Permissions to be avoided for segregation of duties.
¶ Set up a Conflict (not through a Critical Permission)
Go to Monitoring => Conflicts and click on ‘New’ to create a Conflict.
¶ Adding a Conflict
- Critical Permission : Select the Critical Permission you want to add a Conflict to.
- Conflicting Critical Permission : Select the other Critical Permission to create the Conflict.
- Company : Select the company in which this conflict applies (optional).
- Impact : Select the impact of the Conflict.
- Risk : Describe the risk of the Conflict.
‘Save & Close’ : Saves the new Conflict and closes the page.
‘Cancel’ : Cancels the addition of the new Conflict and closes the page.
¶ Setup a Conflict (through a Critical Permission)
In a Critical Permission, click on 'Edit' and go to the fasttab “Conflicting Permissions” ( or click on the fasttab “Conflicting Permissions” during the addition of a new Critical Permission).
¶ Fasttab Conflicting Permissions
Click on 'New'.
Conflicting Critical Permission Code : Select the conflicting Critical Permission.
Company : Optional: Select the company to which this conflict applies.
Impact : Select the impact of the conflict.
Risk : Describe the risk of the conflict.
‘Save & Close’ : Saves the new Conflict and closes the page.
‘Save & New’ : Saves the new Conflict and clears the fields to add a new Conflict with that Critical Permission.
‘Cancel’ : Cancels the addition of the new Conflict and closes the page.
¶ Analyzing results
Before starting an Analysis job, it is important that the Full Synchronization Monitoring task has recently run successfully.
If this has not been run recently, you will be analyzing with outdated information and the results will not be correct.
¶ Analyze Critical Permissions
To analyze permissions, go to Monitoring => Critical Permissions.
On the right hand side you see three notification dots.
Permissions red dot : Shows how many Permissions are reviewed with “Disagreed”.
Permissions blue dot : Shows how many Permissions need "To be reviewed".
Permissions green dot : Shows how many Permissions are reviewed with “Agreed”.
Clicking on the specific dot will show the overview of the Permissions from that status.
Behind these 3 dots, there is also a pencil icon with which you can edit that particular Critical Permission.
In the overview of the Critical Permissions (Monitoring => Critical Permissions) you can analyze the Critical Permissions by selecting them all or just a few by using the check box.
You can select them all using the check box in the blue banner.
If you do not want to analyze all but only a few specific Critical Permissions, check the boxes in front of those Permissions.
Click on 'Analysis'.
A notification that the analysis has started pops up.
During the analysis, you can check the status by clicking ‘Refresh’ which will change the status from “Analysis sent” to “Analysis in progress” and finally into “Analysis done”.
If notification setup for analysis results has been set to “Yes”, a notification will be visible and/or a mail will be received when the analysis has been completed.
(How to setup a notification can be found here.)
¶ Review the findings for Critical Permissions in the Critical Permission
In the Critical Permission, go to the fasttab “Analysis result Critical Permission”.
You can filter the findings in 4 ways :
- Search
- Filter To review (Agreed, Disagreed, To be reviewed, “blank”)
- Filter Type (User, Organization Role, Permission Set, “blank”)
- A combination of the above
Search : You can filter on what (part of a) word you would like to filter the results and everything that has that part in the Name will be filtered.
Filter Type : You can choose to filter on :
- User
- Organization Role
- Permission Set
- ‘blank’ (show all)
Eg. On type Organization Role :
.png)
Filter To review : You can choose to filter on :
- Agreed
- Disagreed
- To review
- ‘blank’ (show all)
Eg. On Disagreed :
.png)
You can also combine several options.
Eg. Search for “ing”,
Filter Type is “Organization Role” and
Filter To review has to be “To review”.
You can review a result by clicking on the ‘Eye’ button next to the Analysis Result
Or by ticking the checkbox in front of the result and click on the button ‘Review’ in the left top corner.
With this last option you can review multiple results at once.
.png)
When reviewing multiple results, these are summed up in the next screen, on the bottom of the Review page.
When you have chosen only one result to review, the next screen will show the specific finding(s) of the Critical Permission.
.png)
- Previous Review: Status based on the last review.
- Review: Select a status for this review. If you just want to leave a comment you can select the last review status.
- Comment: To substantiate your review.
- Reviewer: Person who entered the review.
- Review date/time: Moment of entering the review.
- No. of Field Securities : Shows the number of Field Securities that match this result. (Field Securities would have to be active in Business Central to be shown here).
- No. of Filtered Securities : Shows the number of Filtered Securities that match this result (Filter Securities would have to be active in Business Central to be shown here).
‘Save & Close’ : Saves the review and closes the page.
‘Cancel’ : Cancels the review and closes the page.
To select all Critical permissions at once, check the box in the title row.
.png)
¶ Review the findings for Critical Permissions with “Analysis Results”
Go to Monitoring => Analysis Results => Critical Permissions.
You can filter the findings in 4 ways :
- Search
- Filter To review (Agreed, Disagreed, To be reviewed, “blank”)
- Filter Type (User, Organization Role, Permission Set, “blank”)
- A combination of the above
Search : You can filter on what (part of a) word you would like to filter the results and everything that has that part in the Critical Permission Name, Type or Name will be filtered.
Eg. Filtering on “user” will show the results with User in the Critical Permission name, type User and User in the Name
Filter Type : You can choose to filter on :
- User
- Organization Role
- Permission Set
- ‘blank’ (show all)
Eg. On type Organization Role :
Filter To review : You can choose to filter on :
- Agreed
- Disagreed
- To review
- ‘blank’ (show all)
Eg. On Disagreed :
You can also combine several options.
Eg. Search for “ing”,
Filter Type is “Organization Role” and
Filter To review has to be “To review”.
In below example it shows that “ing” is filtered in the Critical Permission Name as well as in the Name (second line) :
You can review a result by clicking on the ‘Eye’ button next to the Analysis Result
Or by ticking the checkbox in front of the result and click on the button ‘Review’ in the left top corner.
With this last option you can review multiple results at once.
When reviewing multiple results, these are summed up on the bottom of the Review page.
When you have chosen only one result to review, the next screen will show the specific finding(s) of the Critical Permission.
- Previous Review: Status based on the last review.
- Review: Select a status for this review. If you just want to leave a comment you can select the last review status.
- Comment: To substantiate your review.
- Reviewer: Person who entered the review.
- Review date/time: Moment of entering the review.
- No. of Field Securities : Shows the number of Field Securities that match this result. (Field Securities would have to be active in Business Central to be shown here).
- No. of Filtered Securities : Shows the number of Filtered Securities that match this result (Filter Securities would have to be active in Business Central to be shown here).
‘Save & Close’ : Saves the review and closes the page.
‘Cancel’ : Cancels the review and closes the page.
To select all Critical permissions at once, check the box in the blue banner.
‘Save & Close’ : Saves the review and closes the page.
‘Cancel’ : Cancels the review and closes the page.
!Note : When reviewing an Organization Role, you will also review the Users and Permission Sets of that role.
¶ Analyze Conflicts
The Conflicts can not be analyzed separately.
They will be analyzed at the same time an analysis for the Critical Permissions is run.
On the right hand side you will see three notification dots.
Conflicts red dot : Shows how many Conflicts are reviewed with “Disagreed”
Conflicts blue dot : Shows how many Conflicts need "To be reviewed"
Conflicts green dot : Shows how many Conflicts are reviewed with “Agreed”
Clicking on the specific dot will take you to the overview of the Conflicts from that category.
On the right side of these 3 dots, there is also a pencil icon with which you can edit that particular Conflict.
¶ Review the findings for Conflicts with “Analysis Results”
Go to Monitoring => Analysis Results => Conflicts
The review of the Conflicts can be done in the same way as for Critical Permissions. (“Review the selected finding(s) for Critical Permissions”)
As with the Analysis Results of the Critical Permissions screen, you can filter 4 ways :
- Search
- Filter To review (Agreed, Disagreed, To be reviewed, “blank”)
- Filter Type (User, Organization Role, Permission Set, “blank”)
- A combination of the above
You can choose to review one or multiple conflicts.
If you click on the Eye button, that conflict will be opened.
To export the reviews to Excel, select the result(s) with the check box(es) and click on the button 'Export'.
To select all Conflicts at once, check the box in the blue banner.
¶ Review the findings for Conflicts in the Critical Permission
In the Critical Permission, go to the fasttab “Analysis result conflicting Critical Permissions”.
You can filter the findings in 4 ways :
- Search
- Filter To review (Agreed, Disagreed, To be reviewed, “blank”)
- Filter Type (User, Organization Role, Permission Set, “blank”)
- A combination of the above
.png)
Search : You can filter on what (part of a) word you would like to filter the results and everything that has that part in the Name will be filtered.
Filter Type : You can choose to filter on :
- User
- Organization Role
- Permission Set
- ‘blank’ (show all)
Eg. On type Organization Role :
.png)
Filter To review : You can choose to filter on :
- Agreed
- Disagreed
- To review
- ‘blank’ (show all)
Eg. On Agreed :
.png)
You can also combine several options.
Eg. Search for “ing”,
Filter Type is “Organization Role” and
Filter To review has to be “To review”.
You can review a result by clicking on the ‘Eye’ button next to the Analysis Result
Or by ticking the checkbox in front of the result and click on the button ‘Review’ in the left top corner.
With this last option you can review multiple results at once.
.png)
When reviewing multiple results, these are summed up in the next screen, on the bottom of the Review page.
.png)
When you have chosen only one result to review, the next screen will show the specific finding(s) of the Critical Permission.
- Previous Review: Status based on the last review.
- Review: Select a status for this review. If you just want to leave a comment you can select the last review status.
- Comment: To substantiate your review.
- Reviewer: Person who entered the review.
- Review date/time: Moment of entering the review.
- No. of Field Securities : Shows the number of Field Securities that match this result. (Field Securities would have to be active in Business Central to be shown here).
- No. of Filtered Securities : Shows the number of Filtered Securities that match this result (Filter Securities would have to be active in Business Central to be shown here).
‘Save & Close’ : Saves the review and closes the page.
‘Cancel’ : Cancels the review and closes the page.
To select all Critical permissions at once, check the box in the title row.
¶ Analyse results by Organization Role
You can review the results by Organization role by going to Monitoring => Organization roles.
On this page the analysis results can be reviewed per organization role, so the display is more in line with the way in which the permissions within the Authorization Box can be maintained.
For each organization role, it is shown which users this role has been assigned to and which rights this role gives based on the set up research questions/the critical privileges.
There are a few filter options on top of the organization roles analysis page.
.png)
The first 2 filters, filter users on company group and filter users on company are used to filter the users on basis of the assigned organization role to the user. This way you can review per company group or company.
The 'Filter users on company group" will only show the organization roles in that particular group.
The ‘Filter users on company’ will show the organization roles in that company, including when that company is part of a company group.
There is also the option to filter through 2 checkboxes;
Show only used roles : if you only want to have used organization roles shown
Show only roles to be reviewed : if you want to see only organization roles that have not been reviewed yet.
¶ The fasttab Critical Permissions
The fasttab Critical Permissions shows all the Critical Permissions where this organization role is part of in the analysis.
You can click on the name of a critical permission to open it, to check what exactly it entails.
When you click on the number of permission sets, an overview of the permission sets will pop-up, with the rights assigned which are the reason why this organization role is shown as an analysis result for that critical permission.
.png)
.png)
You can quickly review a result by clicking on the checkmark to agree or cross to disagree.
.png)
When a review has been chosen, a small pop-up will allow you to add additional information regarding the made review.
.png)
When you want to add a review on a critical permission for the first time, you also have the option to cancel the review. This option will also be available when you are reviewing with an other assessment as the previous one.
In case you forgot to add some information to your assessment, you can add the information by clicking on the same assessment.
.png)
The pop-up will ask if you would like to add information or if you would like to add a new assessment.
¶ Review of multiple critical permissions.
To review multiple critical permissions at once, you have to check the boxes of the ones you would like to assess in bulk and then click on the Agree or Disagree button.
.png)
A pop-up will appear where you can add information regarding the bulk assessment.
.png)
¶ Fasttab Users
Here you will find the users that are assigned the organization role which resulted in an analysis result.
When you click on a user name or name in this fasttab, you will open the user card.
.png)
As in the fasttab of the critical permissions, you can assess a user by clicking on the checkmark to agree or cross to disagree with that user being assigned that organization role.
Here too a pop-up will appear in which you can add information regarding the review made.
To assess users in bulk, you can use the checkboxes and add a review by using the Agree and Disagree button in the fasttab Users.
¶ History of assessments
A given assessment on a critical permission or user will be visible in the reviews history.
.png)
The latest review with additional information, will become visible when hovering over the Reviews history icon.
Clicking on the icon will show a pop-up with the history of all the assessments and additional information given, who made the assessment and when it was made.
¶ Filtering
As well as in the fasttab of the critical permissions as in the fasttab of the users, you have the option to filter the overview on review status, Agreed, disagreed or to review.
Depending on a chosen filter (like e.g. Agreed), the analysis results will be shown. When no filter is chosen, all the analysis results will be visible.
Using the Search option will help you find certain entries easier, like for instance all the critical permissions mentioning sales.
.png)
A short video of this menu option (Monitoring through Organization Roles) can be found on 2-Control - YouTube
¶ Evaluate findings of an analysis
Go to Monitoring => Reviews
Here you will find the results with status “To review”, “Agreed” or “Disagreed” after an initial analysis.
You can filter from which date on you would like to have the results shown.
“Agreed” means that based on the setup (Allowed Organization Roles) the result has no risk. If you have a lot of analysis results, it is an option to first analyze which Organization Roles are allowed and then link them to the Critical Permission. After a new analysis more results will have the status “Agreed” and less “To review”.
If you have the right permissions, you can delete reviews by selecting the results (check box) to be deleted and click on 'Delete'.
You can also choose to select all results by checking the box in the blue banner.
If you want, you can export the reviews to Excel by selecting the results by using the check box and click on 'Export'.