Before you start using the Security and compliance studio, set the Security and compliance studio parameters.


Standard procedure

1. Click Security management.
2. Click Parameters.
3. Sub-task: Set general parameters.
  3.1 You can define the default prefix for roles that are created in the Security and compliance studio.
This prefix is used, for example, if you create a role from Match roles or Merge roles.
  In the Prefix field, type a value.
  3.2 You can use a color to highlight:

  • On the Match roles page, the duties and privileges with the same securable object as the already selected duties and privileges. These records are highlighted if you click Find matched entry points.
  • On the Security explorer, for the pinned record, the references with the highest user license type.
  Select Yes in the Color for securable objects field.

Note: In the color box, you can move the + pointer to choose the desired color.

  3.3 During implementation, to make security configuration event logging possible, you must initialize the Security and compliance studio IT audit once. If you run the Security and compliance studio IT audit job again, all logged events are deleted. You can lock this job to prevent the deletion of logged events.
  Select Yes in the Lock 'Initialize Security and compliance IT audit' job field.
  3.4 You can define the number of snapshots that are kept if you delete snapshots automatically.
  In the Limit number of snapshots field, enter a number.
  3.5 You can enable automatic updates of security configuration changes to the latest snapshot. So, no new snapshot is required each time you change the security configuration.

Automatic updates of security configuration changes to the latest snapshot are done when you, for example:

  • Publish changes.
  • Approve security requests.
  • Update or create a role with the wizard.
  • Import security configurations.
  • Assign users to roles.
  Select Yes in the Enable dynamic snapshot field.

Note: If you use dynamic snapshots, you are advised to create a snapshot regularly. You do so to ensure that no security inconsistencies occur and to create a safety net,

  3.6 You can use a color to highlight securable objects that have access to sensitive data.
These securable objects are highlighted on the:

  • Create role wizard
  • Locked security roles page
  • Match roles page
  Select Yes in the Highlight sensitive data over SCS field.

Note: In the color box, you can move the + pointer to choose the desired color.

4. Sub-task: Set license count parameters.
  4.1 The purchased number of D365 FO licenses is stored in admin.microsoft.com. You can monitor the actual license usage compared to the purchased number of licenses. To do so, for each license type, fill in the purchased number of licenses in the parameters.
You can fill in the number of base licenses (no license name extension) and the number of attach licenses ('attach license' extension in license name).
Monitoring the license usage prevents you from over-usage or under-usage of licenses.
  Click the License count tab.
 

Note: On the License count tab, you can click 'Open admin.microsoft.com' to find the actual number of purchased D365 FO licenses for each license type.

5. Sub-task: Manage data migration.
  5.1 In Security and compliance studio, release 10.0.6.2, several data migration batch jobs are available. Run these batch jobs before you upgrade to future Security and compliance studio releases. This is required because of several data model changes and new data entities. You only need to run these batch jobs once.
  Click the Data migration tab.
  5.2 Before you upgrade Security and compliance studio to release 10.0.6.2, set the Security scenarios migrated field based on your environment:

  • If security scenarios exist, select No.
  • If no security scenarios exist, select Yes.
  Select No in the Security scenarios migrated field.
  5.3 When you have upgraded Security and compliance studio to release 10.0.6.2 and security scenarios existed before the upgrade, migrate these security scenarios.
  Click Migrate security scenarios.
 

Note: When the security scenarios are migrated, in the Security scenarios migrated field, select Yes.

  5.4 Because of data model changes, the Scenario data entity must be recreated. As a result, the export and import of scenarios is enabled.
  Click Update Scenario data entity.
  5.5 Securable objects such as roles, duties, privileges, and entry points are global. So, these are independent of companies. In Security and compliance studio, some of this data was stored per company. These tables are now also made global. On migration to release 10.0.6.2, all existing securable objects must be made global. If a securable object exists for several companies, the securable object of the current company is kept and made global. The same securable objects in the other companies are deleted.
  Click Resolve cross-company data errors.
 

Note: Only run this batch job once.

6. Sub-task: Enable enhanced segregation of duties rules.
  6.1 Click the Enhanced SoD rules tab.
  6.2 With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level, on entry point level, and with segregation security sets.
Select Yes to use the enhanced segregation of duties functionality. As a result, you can set up and manage segregation rules on several levels. Also, segregation rule validations are done for the relevant levels.
  Select Yes in the Enable enhanced SoD rules field.
  6.3 You can have existing segregation of duty rules when you switch to using enhanced segregation of duties rules. If so, copy the existing segregation of duty rules to the enhanced segregation of duty rules.
  Click Copy SoD to Enhanced SoD.
  6.4 Click OK.
7. Sub-task: Set number sequence.
  7.1 To be able to create risks, define the number sequence for risks.
After installation of Security and compliance studio, first generate the risk number sequence.
  Go to Organization administration > Number sequences > Number sequences.
  7.2 In the Area field, select 'Security and Compliance Studio'.
 

Note: Initially, no number sequence is available for the Security and compliance studio area.

  7.3 Reset the number sequences for the Security and compliance studio area to load the reference for risks. As a result, the "Risk ID" reference is loaded.
  Click Manual cleanup.
  7.4 Click Reset.
  7.5 Click Yes.
  7.6 Now that the "Risk ID" reference is available for the Security and compliance studio area, generate the number sequence for this reference. When generated, the number sequence is automatically filled on the Security and compliance studio parameters.
  Click Generate and finish the wizard.
  7.7 You can edit the generated number sequence as desired. You can do so from the Security and compliance studio parameters, on the Number sequences tab.
  Go to Default dashboard.
  7.8 Click Security management.
  7.9 Click Parameters.
8. Click the Number sequences tab.
9. Click to follow the link in the Number sequence code field.
10. Close the page.
11. Sub-task: Set logging parameters.
  11.1 Click the Logs tab.
  11.2 You can clean up the security history audit log. If you do so, the retention period is required. For security reasons, you cannot set the retention period on the Clean up audit log dialog.
Select the number of days for which you want to keep the audit log records. When you clean up the audit log, all audit log records that are older than the defined number of days are deleted.
  In the Audit log retention period (In days) field, enter a number.
  11.3 You can clean up the sensitive data audit log. If you do so, the retention period is required. For security reasons, you cannot set the retention period on the Clean up sensitive data log dialog.
Select the number of days for which you want to keep the sensitive data log records. When you clean up the sensitive data log, all sensitive data log records that are older than the defined number of days are deleted.
  In the Sensitive data log retention period (In days) field, enter a number.
  11.4 You can apply continuous user logging to log, for each user, which menu items are accessed by the user.
For each user, you can compare the accessed menu items with the permitted entry points. To limit license costs, you can remove permissions for not-accessed entry points.
  Select Yes in the Enable continuous user logging field.
12. Close the page.
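
Example (added here, not part of Security and compliance studio): the comparison described in step 11.4, done offline on exported data, listing for each user the permitted entry points that were never accessed and the highest license type that would remain if they were removed. The data shapes, the license ranking, the sample records, and the 90-day minimum logging window are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed license types, cheapest first; substitute your environment's own.
LICENSE_RANK = {"None": 0, "Team members": 1, "Activity": 2, "Operations": 3}


def highest_license(entry_points, license_of):
    """Highest license type required by any of the given entry points."""
    return max((license_of[ep] for ep in entry_points),
               key=LICENSE_RANK.__getitem__, default="None")


def review_unused_access(permitted, access_log, license_of,
                         days_logged, min_days=90):
    """Per user, list permitted entry points that were never accessed.

    permitted:   {user: set of permitted entry points}
    access_log:  iterable of (user, menu_item) records from user logging
    license_of:  {entry point: license type it requires}
    days_logged: how long continuous user logging has been collecting data
    """
    accessed = defaultdict(set)
    for user, menu_item in access_log:
        accessed[user].add(menu_item)

    report = {}
    for user, allowed in permitted.items():
        # Logged items that are no longer permitted are ignored here.
        used = accessed[user] & allowed
        # A short logging window misses periodic work (month end, year end),
        # so propose removals only once enough data has been collected.
        unused = allowed - used if days_logged >= min_days else set()
        report[user] = {
            "unused": sorted(unused),
            "license_now": highest_license(allowed, license_of),
            "license_after": highest_license(allowed - unused, license_of),
        }
    return report


# Constructed sample data, not taken from a real environment.
LICENSE_OF = {"CustTable": "Team members", "SalesTable": "Activity",
              "LedgerJournalTable": "Operations"}
PERMITTED = {"alice": {"CustTable", "SalesTable", "LedgerJournalTable"},
             "bob": {"CustTable", "SalesTable"}}
ACCESS_LOG = [("alice", "CustTable"), ("alice", "SalesTable"),
              ("bob", "SalesTable"), ("bob", "LedgerJournalTable")]

if __name__ == "__main__":
    print(review_unused_access(PERMITTED, ACCESS_LOG, LICENSE_OF, 120))
```

Treat the "unused" list as candidates for review by the role owner, not as an automatic removal list.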
Related to: Define basic settings

 
