Fastpath is one of the most advanced tools available for monitoring user access and segregation of duties access in Microsoft Dynamics AX2012 and Dynamics 365 Finance and Operations (D365F&O). The Fastpath solution provides a simplified reporting structure for security access in Dynamics and provides a powerful tool to detect, manage and optimize the complicated security model that Dynamics has to offer. Fastpath’s Assure suite of tools is always evolving and several new releases each quarter often bring useful new features and functions. In this quarterly blog series, we will explore some of the best release features for Fastpath over the past few months.
Q1 2020
Security migration
This feature is technically from Q4, 2019, however, the demand we have seen for this update, combined with the fact that we have not yet covered it, means the security migration feature warrants a spot in this list. Previously, the Fastpath Security Designer tool allowed users to create security “models.” Within each “model,” roles, duties and privileges could be modified, inspected for segregation of duties (SoD), and then pushed into Dynamics. The tool only pushed the new security to one environment, and it was up to the system administrator to move those changes through the appropriate development, test and production environments using only the tools that Microsoft provided.
The Security Migration tool within Security Designer now offers a helping hand to security administrators, enabling a simpler and more precise way to move security changes. To use it, security administrators can simply upload security customizations of roles, duties and privileges using the XML export generated by D365F&O. Then, they can make changes to the name, label and description as desired, and export changes to either XML (for the user interface) or code (for the Application Object Tree, or AOT) to match their defined security migration policies. The tool also lets administrators select the specific object(s) that they want to move, granting even greater control over the change management process. There is also some clever analysis Fastpath performs to find dependencies on the security objects so that everything works as expected when objects are moved.
As an example of this analysis, I enabled the role “ZsecurityMigrationExampleRole” in the Security Migration tool screenshot below. Fastpath automatically enabled the duty and privilege associated with this role so that everything works as expected when imported into the next environment.
Associate person in Identity Manager
One commonly known challenge when creating new users in Dynamics is performing the extra step of setting up a person/worker within the HR module and associating it with the new user. Neglecting this step can result in end-user challenges such as errors in the configured system workflows. These can be difficult to track down and time-consuming to resolve.
Fastpath now simplifies this process by allowing the user ID to person/worker association to occur as part of the standard Identity Manager process. When creating a new or modify user request, security administrators will now see this option appear as a friendly reminder and a useful way to avoid the errors altogether.
Review delegation in access certifications
Things happen over the course of business. Employees go on vacation, take on different roles within an organization, and delegate tasks to others. The ability to delegate responsibility for reviews has been a feature in Fastpath for a while; however, it has now been updated to allow the delegation action to occur at any point in time, even when a review is in progress.
This new feature allows users to retain the valuable work they have performed during any given review and delegate the remaining pieces of review to a new person.
SoD reporting – conflict ruleset template
The ability to maintain SoD conflict rulesets is one of the most crucial capabilities that Fastpath provides. Ruleset owners can always maintain their rulesets one item at a time by using the setup menus provided in Fastpath; however, this next feature provides an easier way to make ruleset changes in mass.
There has been a way to export an SoD ruleset to MS Excel for a while now, but it has always required a few steps. A security administrator first needed to create a new SoD conflict ruleset, then export that ruleset to use it as a template for modifications. Fastpath now provides a download template directly in the create conflict ruleset dialog box. Security administrators can leverage this template to do mass ruleset modifications in Microsoft Excel, then upload them in Fastpath.
Of course, the new ruleset will still run through the same series of checks we’ve become accustomed to as it is imported. This helps resolve many of the common data import issues by providing useful error messages to point out incompatible data types or fields that may have been populated incorrectly before starting to rely on the new ruleset.
SoD reporting – associate product to business process group
One of Fastpath’s many useful features is the ability to connect to across multiple products (D365F&O, Oracle, SAP, and others) and run cross-application SoD analyses. Once the connections are made, security administrators have had the ability to create Business Process groups with objects from any of those connected systems. This functionality worked great, especially if the products are different since in most cases the underlying securable objects were different enough that they could be easily deciphered and only exist in one product.
That said, it created some challenges where systems were similar. Let’s say a company has two D365F&O production environments:
1. System 1: D365F&O used only for financials
2. System 2: D365F&O used only for HR and payroll
The security objects within both System 1 and System 2 will be the same since they are both D365F&O; however, the objects which cause risk in each will be different.
• In System 1: The company would only care about access to finance related activities and menus. Having access to HR and payroll data in System 1 is not really a risk, because that information is not maintained and does not drive any HR or finance related decisions.
• In System 2: Only HR and payroll related activities are risky. Having the ability to maintain financial information in this system is not risky because it does not drive any finance related decisions or impacts.
Fastpath has now modified their Business Process groups so that each group is specific to one product. Companies leveraging Fastpath to perform SoD monitoring over a single product will not see much of a change; however, companies that are using Fastpath for monitoring over multiple applications will now see many options when setting up the Business Process groups.
This provides greater control over a company’s risk by allowing for more granular control.
Conclusion
Fastpath embraces customer feedback and actively works to improve the functionality and end-user experience of its Assure suite of tools. New releases are made available on a regular basis and the release calendar is maintained on their website. If you have something that you think would be helpful please comment below or reach out to Fastpath directly at support@gofastpath.com. That’s all for this time. We’ll be back this summer with Q2 updates.
To learn more about Protiviti’s Microsoft capabilities, please visit our Microsoft Solutions site or contact us.