For as long as organizations have been using information technology, the granting of access to an organization’s information (authorizations) has played an important role. After all, information is a very important asset for most companies. It is therefore important that someone has access to the correct information and that unauthorized persons do not have access to information that is used for the control and execution of primary processes.
In addition to getting authorizations in order, it is at least as important to keep these authorizations in order. Organizations need to know whether the granted authorizations are correct and have a good up-to-date overview of the granted authorizations. By means of authorization management, authorizations can be canceled or granted (temporarily).
This is important when you are saying goodbye to employees, in case of (maternity) leave or job changes. By keeping the authorizations in order, you prevent fraud and errors, and handing work over to a colleague becomes easier. It is therefore very important that the authorizations are set up in a clear and manageable manner in order to prevent errors in authorization management.
But when are authorizations set up in a clear and manageable manner?
Points of Attention for Setting Up Authorization Management
Authorization management enables the verifiability of authorizations and the execution of these controls and therefore deserves attention. The following issues are important for the set-up of authorization management:
- Clear working instructions. These must contain all the activities that apply to the management of authorizations.
- Clear and consistent naming of permission sets and user groups or organization roles. Can someone who has no knowledge of authorizations understand what you want to achieve with the setup?
- The naming must be comprehensible so that the risk of errors is limited.
- Use as many terms as possible that appear in the interface; this provides recognition.
- Use function names as a name for user groups or organization roles.
- No mixing or misusing the set-up to achieve a different purpose than that for which it is intended.
- One person should be responsible for the management of authorizations.
- Authorization management procedures should be the same for all Dynamics companies to avoid confusion.
- Include authorizations in the change management for Dynamics NAV. When installing new objects, authorizations often have to be modified as well.
- Test authorization set-up twice: yourself and a (key) user. The goal must be to remove as many errors as possible beforehand.
- Record error messages in a ticket system including screenshots of the entire screen, user name, and what the user is trying to achieve.
- Log changes in the setup as much as possible in tickets. Often a remark can be made at the setup, so refer to the relevant ticket.
- Documentation on the authorization structure must be complete and up-to-date.
Authorization Request Procedure
Requests for changes or new authorizations must follow a procedure. This is important in order to prevent the authorization structure from becoming cloudy and to avoid errors or unpleasant consequences. The authorization management procedure should contain at least the following points:
- Authorization requests must be approved by at least one approver who is authorized to do so. Think of the CFO or the person in charge of controlling or the HR department.
- It should not be possible for users to approve their own requests. The responsibility for approving authorization requests should lie with a single responsible party.
- Authorization requests must be archived or logged. It must be possible to track any changes to user authorizations.
- Comments on authorization requests should also be archived or logged.
- An authorization request does not have to be approved immediately. A note from the person responsible for approval is then required in order to justify the change at a later moment.
- Authorizations that are temporarily granted to an existing user profile must be requested in advance with an end date. This prevents temporary rights from becoming permanent.
- This also applies to authorizations granted to temporary employees. Holiday or interim employees are some examples of users who need permission sets with an end date.
Authorization Changes in Dynamics
When making changes to authorizations, it is important to take into account the impact that changes have on existing permission sets. Make sure that the procedure includes the following:
- It is important to check the changes to the authorizations to see whether the rights that are granted give users access to critical tables.
- Authorization changes should be checked for segregation of duties. Due to changes, the segregation of duties within Dynamics may be compromised.
- Major modifications of the authorizations should be tested on a test or acceptance environment if possible.
Efficient Authorization Management
Due to an increasingly complex application landscape, mergers, and business requirements with regard to IT, it is a constant challenge for organizations to get and keep authorizations in order.
Professional management of authorizations in Dynamics NAV / Dynamics 365 Business Central will claim a large part of the workweek of the person in charge.
We can solve this for you with Authorization Box. In this application, authorizations can be assigned as well as managed. With the help of a visual organizational chart, management is quick and assigning, modifying and analyzing is flexible and simple.
This blog is syndicated from our ISV partner 2-Control and originally appeared at https://2-control.nl/en/topics/blogs/posts/2019/june/managing-authorizations/.