In the Security and compliance studio, you can audit the security configuration in several ways. You can also generate a security history log report for audit or other compliance requirements.


  • Security administrator - The security administrator (SysSecSecurityAdministrator) maintains user and security setup in D365 F&SCM, grants the ability to create and maintain security roles, duties, and privileges and the ability to assign users to roles, define role assignment rules, and maintain data security policies.
  • Security auditor

Is the IT audit already initialized?

Initialize Security and compliance IT audit

During implementation, to make security configuration event logging possible, you initialize the Security and compliance studio IT audit. You initialize just once.
You can also use this job to clean up the security log.
As a result:
  • All already logged events are deleted.
  • The existing role and user assignments are entered as events.

Procedure
1. Go to Security and compliance > Periodic tasks > Initialize Security management IT audit.
2. Click OK.

Analyze security configuration history

In the Security and compliance studio, you can audit the security configuration in several ways:
  • Global security history - Shows all security configuration change events on all users, all security roles, duties, privileges, segregation of duties, stand-ins, and across all legal entities.
  • User security history - Shows all security configuration change events on the selected user across all legal entities.
  • Role security history - Shows all security configuration change events on the selected role across all legal entities.
Events done on the security configuration are logged in the security history. So, you can analyze the changes to the security configuration.
These events are logged:
  • AAD group created
  • AAD group deleted
  • Audit log initialized
  • Duty access to sensitive data given
  • Duty access to sensitive data undone
  • Duty created
  • Duty deleted
  • Duty modified
  • Entry point access to sensitive data given
  • Entry point access to sensitive data undone
  • Entry point created
  • Entry point deleted
  • Entry point modified
  • Objects published
  • Privilege access to sensitive data given
  • Privilege access to sensitive data undone
  • Privilege created
  • Privilege deleted
  • Privilege modified
  • Role access to sensitive data given
  • Role access to sensitive data undone
  • Role activated
  • Role assigned
  • Role assigned dynamically
  • Role created
  • Role deleted
  • Role inactivated
  • Role locked
  • Role merged
  • Role modified
  • Role removed
  • Role removed dynamically
  • Role unlocked
  • Security configuration exported
  • Security configuration imported
  • SoD conflict allowed
  • SoD conflict denied
  • SoD rule created
  • SoD rule deleted
  • SoD rule modified
  • SoD rules validated
  • Stand-in role assigned
  • Stand-in role removed
  • Stand-in rule conflict
  • Stand-in rule created
  • Stand-in rule deleted
  • Stand-in rules applied
  • User access to sensitive data given
  • User access to sensitive data undone
  • User created
  • User deleted
  • User disabled
  • User enabled
  • User modified

Procedure
1. Click Security audit.
2. Sub-task: Analyze global security history.
3. On the Security history tab, analyze all events that are logged on the security configuration.
4. Click More.
5. On the Security history page, in the upper section, in the list, find and select the desired record. Analyze the information in the Details section.
6. Close the page.
7. On the Security history tab, in the list, find and select the desired security-request-related event.
8. Click Open security request history.
9. Close the page.
10. Sub-task: Analyze role security history.
11. Click the Role history tab.
12. On the upper pane, all available security roles are shown.
13. In the list, find and select the desired record.
14. On the lower pane, analyze all events that are logged on the security configuration of the selected role.
15. Sub-task: Analyze user security history.
16. Click the User history tab.
17. On the upper pane, all available users are shown.
18. In the list, find and select the desired record.
19. On the lower pane, analyze all events that are logged on the security configuration of the selected user.

Notes
You can analyze the changes made to the security configuration of a specific user and/or role during a specific time period. To do so, on the Security audit workspace, in the Links section, click Security user log. Use the Date range, User ID, and Roles fields to filter the logged security changes. Click Collect and refresh data to apply the defined filters.

Report required?

Create security log report

You can generate a security history log report for audit or other compliance requirements. These compliance requirements can be internal or external.
You can generate the report with:
  • Selected logged events.
  • Events logged for selected users.
  • Events logged for selected roles.

Procedure
1. Click Security audit.
2. Sub-task: Report with selected events.
3. In the list, find and select the desired events.
4. Click Audit log report.
5. In the From date field, enter a date and time.
6. In the To date field, enter a date and time.
7. Click Change.
8. If not yet selected, in the list, select Screen.
9. Click OK.
10. Expand the Records to include section.
11. Click Filter.
12. Click OK.
13. Click OK.
14. Close the page.
15. Sub-task: Report for selected roles.
16. Click the Role history tab.
17. In the list, find and select the desired roles.
18. Click Audit log report.
19. In the From date field, enter a date and time.
20. In the To date field, enter a date and time.
21. Click OK.
22. Close the page.
23. Sub-task: Report for selected users.
24. Click the User history tab.
25. In the list, find and select the desired users.
26. Click Audit log report.
27. In the From date field, enter a date and time.
28. In the To date field, enter a date and time.
29. Click OK.
30. Close the page.

Create security audit report

You can use the security audit report to analyze permissions and permission changes that are made to recorded elements during a specific period.
You can create the report based on:
  • Scenario - The report shows any permission changes to the securable objects as made in the selected scenario.
  • Data security record - The report shows any permission changes to the tables and table fields as made in the selected data security record.
You can only create this report if Security and compliance IT audit is initialized.

Procedure
1. Click Security audit.
2. Click Print audit report.
3. In the Scenario field, enter or select a value.
4. In the Data security field, enter or select a value.
5. In the From field, enter a date.
6. In the To field, enter a date.
7. You can select several users. To do so, in the Users field, open the look-up, and click in front of the desired user records. So, the check mark is shown. Then click Select. In the Users field, enter or select a value.
   Note: You can also enter a range of users. To do so, select the first and last user of the range and click Select. In the user field, replace the comma (,) with a dash (-).
8. In the Sort order field, select an option.
9. Click Change.
10. Click OK.
11. Click OK.

View Security and compliance studio data on person search report

For Security and compliance studio, an extension is added to the Person search report.
On the Person search report, in the Security and compliance studio results section, you can find this security information:
  • Security requests of which the user is the owner.
  • Stand-ins in which the user is involved. Both possibilities are shown:
    • The user is the stand-in for another user.
    • Another user is the stand-in for the user.
  • Scenarios of which the user is the owner.
  • Table security recordings of which the user is the owner.
For more information, refer to Person search report.

Do you want to clean up the audit log?

Clean up audit log

If security and compliance IT audit is initialized, events done on the security configuration are logged in the security history audit log.
You can clean up the security history audit log manually or in a recurring mode.

Procedure
1. Click Security audit.
2. Click More.
3. Click Clean-up audit log.
   Note: You cannot change the security history audit log retention period on the dialog. You can change the retention period on the Security and compliance studio parameters page on the Log tab.
4. Sub-task: Set up batch processing.
5. Expand the Run in the background section.
6. Select Yes in the Batch processing field and fill in the fields as desired.
7. Click Recurrence and fill in the fields as desired.
8. Click OK.
9. Click OK.

Activities

Name Responsible Description

Initialize Security and compliance IT audit

Security administrator

During implementation, to make security configuration event logging possible, you initialize the Security and compliance studio IT audit. You initialize just once.

You can also use this job to clean up the security log.
As a result:
  • All already logged events are deleted.
  • The existing role and user assignments are entered as events.

Analyze security configuration history

Security auditor

In the Security and compliance studio, you can audit the security configuration in several ways:
  • Global security history - Shows all security configuration change events on all users, all security roles, duties, privileges, segregation of duties, stand-ins, and across all legal entities.
  • User security history - Shows all security configuration change events on the selected user across all legal entities.
  • Role security history - Shows all security configuration change events on the selected role across all legal entities.
Events done on the security configuration are logged in the security history. So, you can analyze the changes to the security configuration.
These events are logged:
  • AAD group created
  • AAD group deleted
  • Audit log initialized
  • Duty access to sensitive data given
  • Duty access to sensitive data undone
  • Duty created
  • Duty deleted
  • Duty modified
  • Entry point access to sensitive data given
  • Entry point access to sensitive data undone
  • Entry point created
  • Entry point deleted
  • Entry point modified
  • Objects published
  • Privilege access to sensitive data given
  • Privilege access to sensitive data undone
  • Privilege created
  • Privilege deleted
  • Privilege modified
  • Role access to sensitive data given
  • Role access to sensitive data undone
  • Role activated
  • Role assigned 
  • Role assigned dynamically
  • Role created
  • Role deleted
  • Role inactivated
  • Role locked
  • Role merged
  • Role modified
  • Role removed 
  • Role removed dynamically
  • Role unlocked
  • Security configuration exported
  • Security configuration imported
  • SoD conflict allowed
  • SoD conflict denied
  • SoD rule created
  • SoD rule deleted
  • SoD rule modified
  • SoD rules validated
  • Stand-in role assigned
  • Stand-in role removed
  • Stand-in rule conflict
  • Stand-in rule created
  • Stand-in rule deleted
  • Stand-in rules applied
  • User access to sensitive data given
  • User access to sensitive data undone
  • User created
  • User deleted
  • User disabled
  • User enabled
  • User modified

Create security log report

Security auditor

You can generate a security history log report for audit or other compliance requirements. These compliance requirements can be internal or external.
You can generate the report with:
  • Selected logged events.
  • Events logged for selected users.
  • Events logged for selected roles.

Create security audit report

Security auditor

You can use the security audit report to analyze permissions and permission changes that are made to recorded elements during a specific period.

You can create the report based on:
  • Scenario - The report shows any permission changes to the securable objects as made in the selected scenario.
  • Data security record - The report shows any permission changes to the tables and table fields as made in the selected data security record.
You can only create this report if Security and compliance IT audit is initialized.

View Security and compliance studio data on person search report

Security auditor

For Security and compliance studio, an extension is added to the Person search report.

 

On the Person search report, in the Security and compliance studio results section, you can find this security information:

  • Security requests of which the user is the owner.
  • Stand-ins in which the user is involved. Both possibilities are shown:
    • The user is the stand-in for another user.
    • Another user is the stand-in for the user.
  • Scenarios of which the user is the owner.
  • Table security recordings of which the user is the owner.

For more information, refer to Person search report.

Clean up audit log

Security administrator

If security and compliance IT audit is initialized, events done on the security configuration are logged in the security history audit log.

You can clean up the security history audit log manually or in a recurring mode.
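
As an added example (not part of the product or its documentation), this Python script triages a security history export for the logged events that most warrant review, including an Audit log initialized event dated after the implementation baseline, which per the initialization description above means earlier events were deleted. The CSV layout, column names, sample rows, and the `baseline_init` parameter are assumptions for illustration; the event names come from the logged-events list on this page.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. The column names are assumptions made for this
# example; map them to the columns of your actual report export.
SAMPLE_EXPORT = """timestamp,event,changed_by,target
2024-01-10T09:00:00,Audit log initialized,admin1,
2024-02-03T14:12:00,Role assigned,admin1,jdoe
2024-02-03T14:20:00,SoD conflict allowed,admin1,jdoe
2024-03-18T08:05:00,Role assigned,mkhan,mkhan
2024-03-19T11:30:00,User access to sensitive data given,admin1,jdoe
2024-04-02T23:41:00,Audit log initialized,mkhan,
2024-04-03T10:00:00,Role modified,admin1,Accountant
"""

# Event names are taken from the logged-events list on this page.
REVIEW_EVENTS = {"SoD conflict allowed", "Security configuration imported"}
SELF_SERVICE_EVENTS = {"Role assigned", "Stand-in role assigned"}


def triage(export_text, baseline_init):
    """Return (timestamp, event, reason) findings for an exported history."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        event = row["event"].strip()
        actor, target = row["changed_by"].strip(), row["target"].strip()
        if event == "Audit log initialized" and ts > baseline_init:
            # Initialization deletes all previously logged events, so a run
            # after the implementation baseline means history was wiped.
            findings.append((ts, event, "log re-initialized after baseline"))
        elif event.endswith("access to sensitive data given"):
            findings.append((ts, event, "sensitive data access granted"))
        elif event in REVIEW_EVENTS:
            findings.append((ts, event, "review required"))
        elif event in SELF_SERVICE_EVENTS and actor and actor == target:
            findings.append((ts, event, "user changed own access"))
    return findings


if __name__ == "__main__":
    for ts, event, reason in triage(SAMPLE_EXPORT, datetime(2024, 1, 10, 9, 0)):
        print(f"{ts.isoformat()}  {event:40}  {reason}")
```
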
