
SoD not possible with the Dynamics NAV security role

Setting up authorizations is a lot of work

Getting a decent authorization setup in Dynamics NAV, one that satisfies the auditor and internal audit, is a major challenge. Because setting up the authorizations is a lot of work, many organizations choose to grant all users SUPER rights. And even when you succeed in setting up the authorizations correctly, you still need to manage them afterwards. After all, roles change constantly.

The weakest link in security policy

The management of the authorizations is often assigned to the application manager with SUPER rights or, if no application manager is available, to an administrative assistant. This is a weak link within the security policy, aside from the fact that an application manager is usually not the person who can assess which rights belong to which user. That assessment usually belongs to the role of the controller.

Security role

To delegate security administration in Dynamics NAV without granting SUPER rights, Microsoft invented the SECURITY role (also known as a permission set). As Microsoft describes it: if you want to create an "area super-user", you should give the person the SECURITY role and permissions for the areas, such as Purchases & Payables, for which they can grant and revoke permissions for other users. A SECURITY user can only grant permissions that he holds himself. This prevents the user from granting himself more permissions than desirable.

Breaking segregation of duties

From an internal control perspective, this isn't a convenient approach. One of the most important objectives of the authorization setup in an ERP system is to guarantee the segregation of duties. For example: imagine that I make the head of administration responsible for the authorizations of the financial department. This user will need all rights for financial activities to be able to grant permissions to other users of that department. Therefore there is no segregation of duties, and the authorization manager stays the weakest link.
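The effect can be checked with a small model of the delegation rule. This is an added example, not code from Microsoft or from the original article; the permission-set names, the conflict pairs and the sample department are constructed for illustration.

```python
# Constructed model of the SECURITY delegation rule described above.
# Permission-set names and conflict pairs are illustrative assumptions,
# not values exported from a real Dynamics NAV database.
SOD_CONFLICTS = [
    ("VENDOR-EDIT", "PAYMENT-POST"),       # maintain vendors vs. pay them
    ("INVOICE-ENTER", "INVOICE-APPROVE"),  # enter invoices vs. approve them
]

def can_grant(admin_sets, requested):
    """An admin may grant a set only if holding SECURITY and the set itself."""
    return "SECURITY" in admin_sets and requested in admin_sets

def sod_violations(sets):
    """Return every conflict pair fully contained in one user's sets."""
    held = set(sets)
    return [pair for pair in SOD_CONFLICTS if set(pair) <= held]

def minimal_admin_sets(department_users):
    """Smallest assignment that lets one admin manage every user listed."""
    needed = {"SECURITY"}
    for sets in department_users.values():
        needed |= set(sets)
    return needed

def audit_delegation(department_users):
    """Compare SoD status of the users with that of their area admin."""
    admin = minimal_admin_sets(department_users)
    users = {u: sod_violations(s) for u, s in department_users.items()}
    return {
        "admin_sets": sorted(admin),
        "user_violations": {u: v for u, v in users.items() if v},
        "admin_violations": sod_violations(admin),
    }

# Constructed sample: every individual user respects segregation of duties.
FINANCE = {
    "clerk_a": ["VENDOR-EDIT", "INVOICE-ENTER"],
    "clerk_b": ["PAYMENT-POST"],
    "controller": ["INVOICE-APPROVE"],
}

if __name__ == "__main__":
    report = audit_delegation(FINANCE)
    print("admin needs:", report["admin_sets"])
    print("user conflicts:", report["user_violations"])
    print("admin conflicts:", report["admin_violations"])
```

Run against a real export of user-to-permission-set assignments, the same check lists every SECURITY holder whose own assignments already contain a conflicting pair.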

Conclusion

In an ideal situation you would like to have an authorization manager who only grants permissions on behalf of data owners. He or she must not be able to change their own permissions. Unfortunately, without the right add-on or customization, Microsoft Dynamics doesn't support this functionality.
