Work with Critical Permissions

A Critical Permission is a question you can ask Authorization Box, for example:

  • Who is able to modify items?
  • Who can create a payment proposal?
  • Who is able to perform other tasks, e.g. post invoices, modify setup, etc.

Critical Permissions have three types of setup:

  • The Critical Permission header,
  • Objects (Permissions) you want to analyse for and
  • Allowed Organization Roles for this Critical Permission.

In the menu, go to Monitoring, Critical Permissions. Click on the New button to create a Critical Permission:

The header holds information for documentation and processing purposes:

  • Name: the (short) name of the Critical Permission
  • Description: more detailed information on the Critical Permission
  • Risk: which risk does assignment of the permission(s) pose?
  • Impact: what is the impact of misuse of the permission; high, medium or low?
  • Process Name: select the process of the Critical Permission
  • Category Name: select the Category under which the Critical Permission falls
  • Has to comply to:

All objects: Select All objects if all defined permissions for all defined objects must be found to get a result. All of the defined permissions need to be assigned to the user; for example, to post a document a user needs permissions to the table data of both the posted header and the posted line: Purch. Inv. Header and Purch. Inv. Line (irrespective of the permission set through which these are assigned). Dynamics NAV blocks posting if the user is missing any of these, so it makes sense to analyze for assignment of this combination.

One object: Select One object if just one linked object has to be found in the analysis to get a result. Any of the permissions for any of the defined objects makes the user, organization role or permission set to which the permission is assigned appear in the results. This is often used for analyzing permissions to master data and setup information, for example table data accounting period, several posting groups and dimension.

  • Analysis with excluded permission sets: select this option to include the excluded Permission Set(s) in the analysis of this Critical Permission.

After saving the Critical Permission with the Save button you are able to link the objects to analyze.

You have to link one or more Objects to the Critical Permission that you want to analyze.
In the edit mode of the Critical Permission you can click on the button New under the fasttab Objects to set up the permission to analyze:

  • Type: select the object type
  • Id: select the object to analyze. You can find the object by typing the id or name of the object
  • And/Or RIMDX: select the option And if the Read, Insert, Modify, Delete and Execute permissions should be exactly the same as defined. Select the option Or if just one of the object permissions should be found in the analysis
  • Define the permissions you want to analyze for: indirect or direct (yes) permissions for read, insert, modify, delete and execute (RIMDX)

Click on the button Save & Close to close the page. Click the button Save & New to link another object to the Critical Permission.

In the edit mode of the Critical Permission you can link Allowed Organization Roles. In the analysis results the system will mark these results (Organization Roles and linked Permission sets) as Agree Configuration.

Click on the button New under fasttab Allowed Organization Roles to link an Organization Role:

  • Organization Role: select the role in which the permission should be included (no risk)
  • Company: select the company in which the Organization Role is allowed

With the button Save & Close you close the page Organization Role. With the button Save & New you can add another Allowed Organization Role to the Critical Permission.

You can Analyze the Critical Permissions by selecting them all or just a few. If you want to select them all, click on the box in the header.

Click on the button Analysis. Based on the selection the system will Analyze the permissions. This can take some time. When the analysis is finished you can find the results in the overview. By clicking on the number of results or clicking on the name of the Critical Permission, you open the Analysis result for the Critical Permission and the Analysis result for the Conflicting Critical Permissions.

The monitoring software generates results based on the objects (permissions) linked to the Critical Permissions. Results depend on the Critical Permission's setting Has to comply to and on the setting And/Or RIMDX. The analysis is based on the last synchronization (normally at night) from Access Control and Permissions. If needed, you can start these synchronizations manually (see General Setup Authorization Box).
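How the two settings combine at user level, as an added sketch that is not Authorization Box code. The permission sets, users and Critical Permission definitions are constructed sample data. It assumes And means every RIMDX value defined on the linked object must be held as defined, and Or means at least one.

```python
# Constructed sample data: permission set -> {object: {RIMDX letter: "Yes" | "Indirect"}}
PERMISSION_SETS = {
    "P-INV-POST": {"Purch. Inv. Header": {"R": "Yes", "I": "Yes"},
                   "Purch. Inv. Line": {"R": "Yes", "I": "Yes"}},
    "P-INV-HDR": {"Purch. Inv. Header": {"R": "Yes", "I": "Yes"}},
    "P-INV-LINE": {"Purch. Inv. Line": {"R": "Yes", "I": "Yes"}},
    "SETUP-EDIT": {"Accounting Period": {"R": "Yes", "M": "Yes"}},
}
USER_SETS = {  # constructed: user -> assigned permission sets
    "ALICE": ["P-INV-POST"],
    "BOB": ["P-INV-HDR", "P-INV-LINE"],
    "CAROL": ["P-INV-HDR", "SETUP-EDIT"],
}
# Critical Permission: (Has to comply to, [(object, And/Or RIMDX, wanted letters)])
POST_PURCH_INVOICE = ("All objects", [
    ("Purch. Inv. Header", "And", {"R": "Yes", "I": "Yes"}),
    ("Purch. Inv. Line", "And", {"R": "Yes", "I": "Yes"}),
])
MODIFY_SETUP = ("One object", [
    ("Accounting Period", "Or", {"I": "Yes", "M": "Yes", "D": "Yes"}),
    ("Dimension", "Or", {"I": "Yes", "M": "Yes", "D": "Yes"}),
])

def effective(user):
    """Union of a user's permissions, irrespective of the permission set."""
    merged = {}
    for ps in USER_SETS[user]:
        for obj, perms in PERMISSION_SETS[ps].items():
            held = merged.setdefault(obj, {})
            for letter, value in perms.items():
                if held.get(letter) != "Yes":  # direct outranks indirect
                    held[letter] = value
    return merged

def object_hit(held, mode, wanted):
    """And: every wanted letter matches as defined. Or: at least one does."""
    checks = [held.get(letter) == value for letter, value in wanted.items()]
    return bool(checks) and (all(checks) if mode == "And" else any(checks))

def analyse(critical_permission):
    """Return the users that would show up as analysis results."""
    comply_to, objects = critical_permission
    combine = all if comply_to == "All objects" else any
    return [user for user in sorted(USER_SETS)
            if combine(object_hit(effective(user).get(obj, {}), mode, wanted)
                       for obj, mode, wanted in objects)]

if __name__ == "__main__":
    print(analyse(POST_PURCH_INVOICE), analyse(MODIFY_SETUP))
```

BOB appears for the posting check although no single permission set gives him both tables; CAROL holds only the header and is reported only when the same objects are analysed with One object.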

Analysis results are of the type Permission Set, Organization Role or User.

  • Permission Set: the linked object is found in the Permission Set
  • Organization Role: the Permission Set (with the linked object) is found in the Organization Role
  • User: the Permission Set (with object) is linked to the User.

Analysis results in Conflicting Critical Permissions are based on defined Conflicts. Results are of the type Permission Set, Organization Role or User.

  • Permission Set: the Conflicting Permissions are found in the Permission Set
  • Organization Role: the Conflicting Permissions are found in Permission Sets that are linked to the Organization Role.
  • User: the User is authorized for the objects that are defined in the Conflict

It is also possible to review all the analysis results in the overview Analysis Results Critical Permission and the overview Analysis Results Conflicting Permissions in the menu Monitoring, Analysis Results.

After an initial analysis you will find the results with status To review or Agree configuration. Agree configuration means that based on the setup (Allowed Organization Roles) the result has no risk. If you have a lot of analysis results, it is an option to first analyze which Organization Roles are allowed and then link them to the Critical Permission. After a new analysis, more results will have the status Agree configuration and fewer will have To review.

You are able to add your review by clicking on the eye button next to the Analysis Result (1 in the screenshot).

  • Previous Review: status based on the last review
  • Review: select a status for this review. If you just want to leave a comment you can select the last review status
  • Description: to substantiate your review
  • Reviewer: person who entered the review
  • Review date/time: moment of entering the review

Click on the button Save & Close to save the review.

It is also possible to review multiple analysis results at once. You do this by selecting the analysis results you want to review and then clicking on the button Review. On the page Review Analysis Results or Critical Permissions you can enter the review for multiple results at once:

  1. Select the results you wish to give the same review (2).
  2. Click the button Review (3).
  3. Enter the review as you need. The results for which you enter the review are presented at the bottom of the page.

Click on the button Save & Close to save the review.

To find all the analysis results for all the Critical Permissions, go to the menu Monitoring, Analysis Results, from where you can review results.

In the menu Monitoring, Reviews you can find all Reviews. You are able to delete reviews (with the right permissions). Select the Reviews (check box) to be deleted and click on the button Delete.

If you want, you can export to Excel with the button Export.

  • Last modified: 2021/01/27 13:29
  • by luukvm