Fastpath is a comprehensive security auditing and governance tool that provides a platform to monitor user access and segregation of duties risks. The tool can be leveraged across Microsoft’s Dynamics product suite – Dynamics 365 Finance and Operations (D365FO), Dynamics AX, Dynamics GP, Dynamics 365 Business Central (D365BC), Dynamics NAV, Dynamics CRM, Dynamics SL and Dynamics 365 Customer Engagement (D365 CE). Fastpath’s user-friendly interface allows risk management and SOX compliance to be an accessible reality. Fastpath releases several updates each quarter that include new features and functionalities. In this quarterly blog series, we cover key new features for Fastpath Dynamics environments from this quarter’s releases.
Access Risk Monitor
Prior to the Q1 2022 release, Fastpath had the access reviews and segregation of duties modules split into two. However, numerous functionalities were duplicative across the two modules and, as a result, the access review and segregation of duties modules have been combined into a singular module titled access risk monitor. The following modifications will be made with the access risk monitor module:
- Both the concepts of conflicts within the segregation of duties module and critical access in the access reviews module will be merged into the singular concept, risks. Risks can either be segregation of duties (SoD) risk or sensitive access (SA) risk and can be combined into a singular risk ruleset if desired. The risk ruleset will reduce the setup required by the end-user.
- The concept of business processes will not change. SoD risks will be comprised of two or more business processes and will use AND logic. AND logic will require a role or user to have access to all business processes in order to be flagged as violating the risk. SA will review business processes with OR logic. OR logic will require a role or user to have access to at least one business process to be defined as having sensitive access.
- Critical access groups that were configured in Fastpath prior to the release will automatically be recreated as business processes and SA risks as a separate risk ruleset. This will facilitate a more seamless transition for the customer and reduce the setup required by the end-user. If customers would like to have both SA and SoD risks in a single risk ruleset, the customer will have to manually combine the two.
- SA risks will now be able to be mitigated using the same control library as SoD and appear mitigated in reports. This will provide customers visibility into which SA risks have mitigations and which do not, which will help customers more easily identify SA that may require mitigation.
- When creating or modifying a risk ruleset, users will have the ability to specify whether an SoD risk or SA risk is being added. The risk type (SoD or SA) will be visible throughout Fastpath to provide an easy distinction. Per Fastpath’s recommendation, if the customer intends to combine SoD and SA into a single risk ruleset, the customer should consider developing a prefix (e.g., SOD, SA) to help distinguish between the two.
- Reporting will look different. The previous critical access reports will be merged into other reports and will no longer be available separately. Report naming convention will be updated to include the word risk rather than conflict (a list of name changes can be found here under the headers titled Listing of… access requires a Fastpath login).
The new access risk monitor module will result in a domino effect throughout Fastpath. The following modules will be impacted by the change:
- Access certifications – Conflict reviews will be replaced with risk reviews and can be configured to require the business to review users’ access to both SoD and SA risks. Existing critical access reviews will be converted to business process reviews.
- Identity manager – When reviewing an identity manager request prior to the release, approvers had to review SoD conflicts and SA separately. With the release, the approver will now be able to view a single section that contains both SoD and SA risks. In addition, the business will be able to view the security roles that were assigned to a user prior to the approval of the identity manager request.
- Security designer – Similar to identity manager, when a user creates a security model and runs the risk analysis, the user will be able to view a single section that contains both SoD and SA risk.
Fastpath embraces customer feedback and actively works to improve the functionality and end-user experience of their Assure suite of tools. This release included significant modifications that may be more impactful than past or future releases. As such, be sure to review the change notes carefully to understand the impact on any existing environments. The release calendar is maintained on their website.