The 5 stages of the Dynamics AX security maturity model

Consider this model to give you an idea of where your ERP system may be in terms of maturity.

A Terrible Start.
During my consulting career, I have come across the same issue that appears to come up every time, and no-one wants to face it. I’m talking about security. Security has always been considered as an afterthought during an implementation, but what most partners won’t tell you is that you really should have a resource assigned to security from the start. If your business never considered the concept of application security, understanding security and how it works is crucial to a compliant environment. Most IT administrators end up assigning everyone as System Admin just to get by. It works for the time being but at this point, you have no security implemented. I consider this a terrible start.

Better Than Nothing.
Moving on to some sort of mitigation is better than nothing. Which is why you should at least use the out of the box roles. Why wouldn’t you want to add your AR Manager to the AR Manager role? It’s what they most likely do anyway. Sure, not all AR Managers are the same and you may have some folks doing things outside the normal access that the role provides, but at least you have removed System Admin from your AR Managers access.

Not Bad.
This is where things are starting to look better and your knowledge of security at this point has improved. Gathering requirements from the business is going to be crucial. Speaking to the right people in the departments and identifying what users do on day to day job, paints a clearer picture of how the application will be used. With this information, you will have identified where user risks may exist and already made custom configurations that are needed on a per user basis. Right now, would be an appropriate time to consider where risk exists when your user can do more than one function. Do you want your AR Manager creating fake customers and then shipping those products?

I Got the Hang of It.
At this point, you are well on your way to being a security pro. Your users are using the application based on the specific function requirements the business has provided, and risk is being mitigated of potential fraud. As users as they get added to the system, some may trigger SOD violations and you may have unresolved conflicts at this point. You will have to mitigate violations are they appear. However, from an auditing standpoint, you are well on your way of documenting risks and record keeping your resolutions. Good job! But you still have some work to do.

Pro.
This is eventually where you want to be. You are very familiar with the application security and any issue that come up are instantly mitigated. You have logs and reports ready for compliance and auditors as requested and your users have no issues with the configuration you have done. All things are working as designed and your system is stable. From an auditing perspective, all risks are resolved and closed. Congratulations!

All of these steps play a crucial role in a security maturity model. If you think about how quickly applications grow in complexity, it is easy to get lost with the changes that happen. Luckily, applications come with some sort of out of the box roles, however every business is unique. These roles only get you so far, and if you’re a business that is considering going public, then you will surely have a lot of work cut out for your security administrator. Working with security can take months, and to take it through the first stage up to a level of stability can be quiet a task. However, if you follow best practices and get familiar with how to use application security, you can quickly rise to pro level!