Authorization Monitoring

Authorizations are setup to a concept where employees / organization profiles are responsible for certain data in Dynamics NAV. In addition, the authorizations ensure the segregation of duties in the organization. Default Dynamics NAV has no functionality to view the quality of the setted authorizations. This way the organizations have no instrument to control their authorizations. The module Authorization Monitoring provides a real-time functionality to monitor the quality of the assigned permissions to users. The module needs to be setup before use: generic, standard competences (who can do something?) and conflicts (which segregation of duties is reversed?).

Based upon setup of standard competences and conflicts separate analysis can be made. The assessor can evaluate and comment the results.

Refer to the links at the bottom of this page for more specific information.

You can read the following about the Authorization Monitoring in our documentation:

For analysis, all object authorizations in Dynamics NAV are processed, based upon the process or standard competence chosen. The results present all users who answer to the question asked in the standard competence and how through which role and profile they have those permissions. These results can be evaluated: agree or not agreed, including optional arguments and further comments. Storing all evaluations makes it a traceable process who when evaluated what with which results. Any field- and dataset security (another module of 2-Controlware) used is also visible in the results.

In a standard competence a question is asked, for example who can modify items? This is described by adding the permissions (read, insert, modify, delete and execute) required to do so. Standard competences also contain the process of which the activity is part of, settings for management of the analysis and for simplifying the evaluation. For each standard competence a organizational role (formerly user profiles, from 2-Controlware Authorization Management) which is correct in having those permissions might be set up, e.g. for modifying items.Examples of standard competences:

  • The auditor might ask questions such as: * Who is able to modify items?
    • Who is able to post purchase invoices?
  • For the first question, a line with object type Table Data and object id 27 (table Item) on the standard competence card is necessary. Put Yes at modify on the line for object id 27. The results will present all users able to modify a field on the item card. Insert and delete are not necessary to modify a field. * All users need permission to read from table data item. All users in the system will show up in analysis results for read permission. The read permission it is useless to change anything, but it is essential to open the item card and for using information from the table in other parts of the system, e.g. to create a line on a purchase order.
    • Objects of the type table data cannot be executed, therefore it does not make sense to analyze these permissions.
    • The above mentioned presumes direct permissions, which users need to perform an action on an item card or a list. Dynamics NAV also knows indirect permissions. These act as a service hatch: you cannot act yourself, but code does this for you. In other words: the code decides what field is modified, of which record and what the new value will be. This is often used for (cost) prices and logistic information: those item properties are administered by the system. Moreover, direct permissions also are sufficient to perform tasks which require indirect permissions, but this does not work the other way around.
  • The second example requires a different approach. Most posted documents are stored in two tables: the header and the line. Posting a document means creating new lines in those dedicated tables, apart from creating several types of entries. However, those entries are used for a multitude of actions, analyzing these permissions gives unreliable results. Posting a document is usually done by code, so you need to analyze indirect permissions. In the example you need to check on table 122 (Purch.Inv. Header) and 123 (Purch. Inv. Line).
  • As auditor, for translating your question into a standard competence you can open the page you want to analyze the permissions of. Then hit shortcut key Ctrl + Alt + F1 or open the application menu, Help, About this page.

Apart from analysis of permissions, the module Authorization Monitoring can also search for conflicting competences. These conflicts are configured on the standard competence or using a conflict matrix. An example of a conflict is if a user has permissions to process payments and modify the bank account of the beneficiary. Both need a standard competence for analysis. Set up of the combination of standard competences enables analysis of the conflict.

By searching conflicting competences in the object authorizations the software analyzes the permissions for both standard competences configured in a conflict. The results are composed of users in both result sets. Evaluation of those conflicts is identical to analysis of permissions.

  • 2-controlware/04authorizationmonitoring/overview.txt
  • Last modified: 2020/09/10 12:44
  • by luukvm