Enterprise Security for Microsoft Dynamics GP

Jeff Soelberg
soelberg@gofastpath.com

Fastpath Facts

• Founded 2004
• Headquarters in Des Moines, IA
• Microsoft Gold Certified ISV
• Microsoft Gold Certified Partner
• Staff includes CPAs and CIAs

Audit. Security. Compliance. Get on the Fastpath.

Can we prove it?

• 400+ customers
• 30+ countries
• 6 continents
• IIA Industry Leader

Security and Compliance Products

Audit Trail
• Robust audit trail solution designed for the auditor

Assure
• Sarbanes-Oxley compliance and segregation of duties solution

Config AD
• Active Directory integration offers single sign-on for Dynamics GP

Audit View
• Report design and scheduling tool allows non-technical users to build reports

Minimizing the use of ‘sa’ with Dynamics GP

Problem

• ‘sa’ is the only GP user out of the box that is assigned to the SQL fixed server role of sysadmin
• ‘sa’ must create users and assign them to companies out of the box
• ‘sa’ must create new companies out of the box
• ‘sa’ is also assigned the POWERUSER role from within GP out of the box

This dependence on the ‘sa’ account creates significant financial, system and organizational risk.

First, ‘sa’ is a generic account name and not a named account. This makes it difficult to isolate who used the ‘sa’ account to make critical changes and to verify whether those changes were authorized.

Second, the ‘sa’ account can view, update and delete data from within Dynamics GP, SQL Server Management Studio and any other tool that provides database connectivity, including Microsoft Excel.

Finally, ‘sa’ access enables a user to make sweeping and powerful changes to critical data. This increases the risk of malicious or unintentional database catastrophes.

Solution

There are many solutions that are better than using the out-of-the-box ‘sa’ access for these tasks. Some options are listed on page 37 of the SecurityPlanning.pdf provided by Microsoft.

Designate a standard GP user as your organization’s GP Access Administrator.

• Assign a SQL Server fixed server role to a GP SQL login
• Revoke Security Setup within GP

This user is responsible for:

• Creating and deleting all Dynamics GP users
• Assigning users to companies in your Dynamics GP environment
• Resetting forgotten user passwords

This user should NOT have access to assign security rights from within Dynamics GP.

Designate a standard GP user as your organization’s GP Security Administrator.

This user is responsible for:

• Assigning users to roles, as well as their Mod-Alt profile
• Assigning tasks to roles and creating or deleting roles
• Assigning windows and reports to tasks and creating or deleting tasks
• Managing Mod-Alt profile setups

This user should NOT have the ability to create GP users or assign them to GP companies.

Revoke the POWERUSER role from ‘sa’. Give ‘sa’ the minimum permissions required to perform duties within Dynamics GP.

Places where ‘sa’ is still required:

• Performing 3rd-party upgrades (not all 3rd parties require ‘sa’)
• Using Professional Services Tools Library

Thank you!

Jeff Soelberg
soelberg@gofastpath.com
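To check how far an environment is from the split described in the ‘sa’ slides above, the following T-SQL audit is an added example and is not part of the original presentation. It assumes the GP system database has the default name DYNAMICS and that user-to-role assignments are stored in the SY10500 table (columns USERID, CMPANYID, SECURITYROLEID); adjust both if your installation differs.

```sql
-- Added example, not from the presentation. Read-only checks; run with a
-- login that can view server-level metadata and read the GP system database.

-- 1. Every login that holds a fixed server role, sysadmin listed first.
--    After designating a named GP Access Administrator, that login should
--    appear here under a role other than sysadmin, and any sysadmin member
--    besides 'sa' should be a named, accountable login.
SELECT  r.name        AS server_role,
        p.name        AS login_name,
        p.type_desc   AS login_type,
        p.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r
        ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS p
        ON p.principal_id = rm.member_principal_id
ORDER BY CASE WHEN r.name = N'sysadmin' THEN 0 ELSE 1 END,
         r.name,
         p.name;

-- 2. GP users that hold POWERUSER, per company.
--    Assumption: default system database DYNAMICS, assignments in SY10500.
--    Rows for 'sa' mean the POWERUSER revocation has not been applied yet.
SELECT  RTRIM(USERID)         AS gp_user,
        CMPANYID              AS company_id,
        RTRIM(SECURITYROLEID) AS gp_role
FROM    DYNAMICS.dbo.SY10500
WHERE   RTRIM(SECURITYROLEID) = 'POWERUSER'
ORDER BY USERID, CMPANYID;
```

Saving both result sets on a schedule and comparing them between runs gives a simple record of when server-role or POWERUSER membership changed.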