You can track changes that are made to sensitive data. To be able to do so, first set up the sensitive data change tracking by field.


  • Security administrator: The security administrator (SysSecSecurityAdministrator) maintains user and security setup in D365 F&SCM, grants the ability to create and maintain security roles, duties, and privileges and the ability to assign users to roles, define role assignment rules, and maintain data security policies.
  • Security auditor

Set up sensitive data change tracking

You can set up the tracking of changes to sensitive data. You set up sensitive data change tracking by field.

You can define the fields for which sensitive data changes must be tracked in these ways:

  • With the field picker
  • Manually

Procedure

1. Go to Security and compliance > Setup > Sensitive data setup.
2. Click New.
3. In the Name field, type a value.
4. In the Description section, type a value.
5. Sub-task: Use the Field picker.
6. In the General section, click Field picker.
7. When the Field picker dialog is opened, go to the form from which you want to select one or more fields.
8. For each desired field, click the '+' sign to add the field to the Field picker.
9. When you are finished selecting fields, on the dialog, click Stop recording. Click Close and open or click Close.
   Note: As a result, the selected fields are added to the sensitive data setup. If you click Close and open, you return to the Sensitive data form.
10. Sub-task: Add a field manually.
11. In the General section, click New.
12. In the Table name field, enter or select a value.
13. In the Reference field name field, enter or select a value.
14. Close the page.

Notes

If a date-effective or inheritance structure table is defined on the sensitive data change tracking setup, an observation message is shown. In this case, the table cannot be used to enable change logging for sensitive data. Instead, the related staging table must be used to enable change logging for sensitive data.

Set up the staging table mapping to enable change logging for sensitive data. When the staging table mapping is set up, the observation message is no longer shown.

Track changes on date-effective table or inheritance structure table?

Set up staging table mapping to track sensitive data changes

You can add any field from any table to the sensitive data setup. However, the table can be date-effective or part of an inheritance structure. In this case, the table cannot be used to enable change logging for sensitive data. Instead, the related staging table must be used to enable change logging for sensitive data.

To define which staging table must be used to enable change logging, map the date-effective table or inheritance structure table to the desired staging table. Also, map the applicable fields of the date-effective table or inheritance structure table to the related fields of the staging table.

Examples of date-effective tables or inheritance structure tables and related staging tables are:

  • DirPartyTable -> DirPartyAttachmentStaging
  • DirPerson -> DirPersonStaging
  • LogisticsPostalAddress -> LogisticsPostalAddressElectronicContactStaging

Procedure

1. Go to Security and compliance > Setup > Sensitive data condition setup.
   Note: You can open the Sensitive data condition setup page also from the Action Pane of the Sensitive data setup page.
2. Click New.
3. In the Main table field, enter or select a value.
4. In the Main table field, enter or select a value.
5. In the Staging table field, enter or select a value.
6. Sub-task: Map fields manually.
7. In the Field mapping section, click Add.
8. In the Main table field field, enter or select a value.
9. In the Staging table field field, enter or select a value.
10. Sub-task: Generate field mapping.
11. Click Generate mapping.
12. Click Yes.
    Note: To complete the generated field mapping, you can:
      • Remove the field mapping for the fields whose data is not sensitive.
      • Manually add the field mapping for sensitive data fields that have different names in the mapped tables.
13. Close the page.

Notes

The sensitive data staging setup applies to all sensitive data change tracking setup. So, you only need to set up a sensitive data staging setup once for each table.

Edit query for sensitive data change tracking

On the sensitive data change tracking setup, you define the table fields for which sensitive data changes must be tracked.

For each table that is defined in the General section of the Sensitive data setup page, a query is created automatically. If the defined table is a:

  • Common table, when the record is saved, the query is created. If the query already exists for the sensitive data setup, the query is automatically added to the record.
  • Date-effective table or an inheritance structure table, the query is created when the table is mapped to a related staging table.

A query is applied on record level to the related table.

You can edit an automatically created query. Usually, you edit a query only in specific cases. For example, if a table record has a type field, you can make the query type-specific. For the LogisticsElectronicAddress table, you can, for example, track sensitive data changes only for addresses that are marked as Private. To do so, add a range to the related query with the Private field, and Criteria set to Yes.

Procedure

1. Go to Security and compliance > Setup > Sensitive data setup.
2. In the List pane, find and select the desired sensitive data setup record.
3. In the General section, in the list, find and select the desired record.
4. In the Query section, click Edit query.
5. Click OK.
6. Close the page.

Define users who can view sensitive data change log

On the sensitive data change tracking setup, you can define the users who can view the changes that are logged for the sensitive data setup.

If you:

  • Do not define users, all users with access to the Sensitive data log page can view all logged changes.
  • Define users, only these users can view the logged changes for the sensitive data change tracking setup.

Procedure

1. Go to Security and compliance > Setup > Sensitive data setup.
2. In the List pane, find and select the desired sensitive data setup record.
3. In the Users section, click New.
4. In the User ID field, enter or select a value.
5. Close the page.

Monitor sensitive data change log

When you have set up and activated the tracking of sensitive data changes, changes to sensitive data are logged.

Who can view the sensitive data log is defined on the related sensitive data change tracking users setup.

If on the sensitive data setup:

  • No users are defined, all users with access to the Sensitive data log page can view all logged changes.
  • Users are defined, only these users can view the logged changes for the sensitive data change tracking setup.

On the Sensitive data log page, in the:

  • Upper grid, view the sensitive data change events. Each time sensitive data is changed, an event is logged by table, user, sensitive data setup, and date/time.
  • Details grid, for the selected sensitive data change event, view the data changes to one or more fields with sensitive data.

Procedure

1. Go to Security and compliance > Inquiries > Sensitive data log.
2. Sub-task: Filter the sensitive data log.
3. In the From date field, enter a date.
4. In the To date field, enter a date.
5. In the User ID field, enter or select a value.
6. In the Table name field, enter or select a value.

Activate sensitive data tracking

When you have finished setting up the tracking of changes to sensitive data, to apply the sensitive data setup, activate it.

If you want to stop applying a sensitive data setup, you can deactivate it.

Procedure

1. Go to Security and compliance > Setup > Sensitive data setup.
2. Sub-task: Activate sensitive data setup.
3. In the List pane, find and select the desired inactive sensitive data setup record.
4. On the Action Pane, click Activate.
5. Sub-task: Deactivate sensitive data setup.
6. In the List pane, find and select the desired active sensitive data setup record.
7. On the Action Pane, click Deactivate.
8. Close the page.

Do you want to clean up the sensitive data log?

Clean up sensitive data log

When you have set up the tracking of sensitive data changes, changes to sensitive data are logged.

You can clean up the sensitive data log manually or in a recurring mode.

Procedure

1. Go to Security and compliance > Inquiries > Sensitive data log.
2. Click Clean-up sensitive data log.
   Note: You cannot change the sensitive data log retention period on the dialog. You can change the retention period on the Security and compliance studio parameters page on the Log tab.
3. Sub-task: Set up batch processing.
4. Expand the Run in the background section.
5. Select Yes in the Batch processing field and fill in the fields as desired.
6. Click Recurrence and fill in the fields as desired.
7. Click OK.
8. Click OK.

Activities

Name Responsible Description

Set up sensitive data change tracking

Security administrator

You can set up the tracking of changes to sensitive data. You set up sensitive data change tracking by field.

You can define the fields for which sensitive data changes must be tracked in these ways:

  • With the field picker
  • Manually

Set up staging table mapping to track sensitive data changes

Security administrator

You can add any field from any table to the sensitive data setup. However, the table can be date-effective or part of an inheritance structure. In this case, the table cannot be used to enable change logging for sensitive data. Instead, the related staging table must be used to enable change logging for sensitive data.

To define which staging table must be used to enable change logging, map the date-effective table or inheritance structure table to the desired staging table. Also, map the applicable fields of the date-effective table or inheritance structure table to the related fields of the staging table.

Examples of date-effective tables or inheritance structure tables and related staging tables are:

  • DirPartyTable -> DirPartyAttachmentStaging
  • DirPerson -> DirPersonStaging
  • LogisticsPostalAddress -> LogisticsPostalAddressElectronicContactStaging

Edit query for sensitive data change tracking

Security administrator

On the sensitive data change tracking setup, you define the table fields for which sensitive data changes must be tracked.

For each table that is defined in the General section of the Sensitive data setup page, a query is created automatically. If the defined table is a:

  • Common table, when the record is saved, the query is created. If the query already exists for the sensitive data setup, the query is automatically added to the record.
  • Date-effective table or an inheritance structure table, the query is created when the table is mapped to a related staging table.

A query is applied on record level to the related table.

You can edit an automatically created query. Usually, you edit a query only in specific cases. For example, if a table record has a type field, you can make the query type-specific. For the LogisticsElectronicAddress table, you can, for example, track sensitive data changes only for addresses that are marked as Private. To do so, add a range to the related query with the Private field, and Criteria set to Yes.

Define users who can view sensitive data change log

Security administrator

On the sensitive data change tracking setup, you can define the users who can view the changes that are logged for the sensitive data setup.

If you:

  • Do not define users, all users with access to the Sensitive data log page can view all logged changes.
  • Define users, only these users can view the logged changes for the sensitive data change tracking setup.

Monitor sensitive data change log

Security auditor

When you have set up and activated the tracking of sensitive data changes, changes to sensitive data are logged.

Who can view the sensitive data log is defined on the related sensitive data change tracking users setup.

If on the sensitive data setup:

  • No users are defined, all users with access to the Sensitive data log page can view all logged changes.
  • Users are defined, only these users can view the logged changes for the sensitive data change tracking setup.

On the Sensitive data log page, in the:

  • Upper grid, view the sensitive data change events. Each time sensitive data is changed, an event is logged by table, user, sensitive data setup, and date/time.
  • Details grid, for the selected sensitive data change event, view the data changes to one or more fields with sensitive data.

Activate sensitive data tracking

Security administrator

When you have finished setting up the tracking of changes to sensitive data, to apply the sensitive data setup, activate it.

If you want to stop applying a sensitive data setup, you can deactivate it.

Clean up sensitive data log

Security administrator

When you have set up the tracking of sensitive data changes, changes to sensitive data are logged.

You can clean up the sensitive data log manually or in a recurring mode.
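
The rules described on this page (staging table mapping for date-effective or inheritance structure tables, log visibility when no users are defined, and activation) can be checked together when reviewing a configuration. The following is an added example, not code from the product or its documentation; the dict layout, the field names, the user ID and the finding codes are constructed assumptions, and only the table names come from the page.

```python
# Added example: review a sensitive data change tracking configuration against
# the rules on this page. The dict layout, field names and finding codes are
# constructed for illustration; they are not an export format of the product.

# Tables the page lists as date-effective or inheritance structure tables.
NEEDS_STAGING = {"DirPartyTable", "DirPerson", "LogisticsPostalAddress"}

# Constructed staging table mappings: main table -> staging table + field map.
MAPPINGS = {
    "DirPerson": {"staging": "DirPersonStaging",
                  "field_map": {"BirthDay": "BirthDay"}},
    "LogisticsPostalAddress": {
        "staging": "LogisticsPostalAddressElectronicContactStaging",
        "field_map": {"ZipCode": "ZipCode"}},
}

# Constructed sensitive data setups.
SETUPS = [
    {"name": "HR-Private", "active": True, "users": ["auditor1"],
     "fields": [("DirPerson", "BirthDay"),
                ("LogisticsElectronicAddress", "Locator")]},
    {"name": "Party-Names", "active": True, "users": [],
     "fields": [("DirPartyTable", "Name")]},
    {"name": "Addresses", "active": False, "users": ["auditor1"],
     "fields": [("LogisticsPostalAddress", "Street")]},
]

def review(setups, mappings, needs_staging=NEEDS_STAGING):
    """Return (setup name, finding code, detail) tuples."""
    findings = []
    for s in setups:
        if not s["active"]:
            findings.append((s["name"], "INACTIVE", "setup is not applied"))
        if not s["users"]:
            findings.append((s["name"], "OPEN_LOG",
                             "no users defined; every user with access to "
                             "the Sensitive data log page sees these changes"))
        for table, field in s["fields"]:
            if table not in needs_staging:
                continue  # common table: logged directly
            m = mappings.get(table)
            if m is None:
                findings.append((s["name"], "NO_STAGING", table))
            elif field not in m["field_map"]:
                findings.append((s["name"], "FIELD_UNMAPPED",
                                 f"{table}.{field} -> {m['staging']}"))
    return findings

if __name__ == "__main__":
    for finding in review(SETUPS, MAPPINGS):
        print(*finding, sep=" | ")
```
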
