The request to track everything a user assigned the SysAdmin role is something we see quite often; the problem is that this request is not feasible within D365FO. Let’s explain where this request normally comes from, why it not feasible, and what we can do to address this.
Where This Request Comes From
Normally this type of request comes from an internal/external auditor that has experience in another enterprise ERP system (SAP, Oracle, etc). In these other systems, there is an internal audit trail controlled by the ERP that tracks every transaction in the system. Because of this, you can query this audit trail and get every transaction a user performed. This means reporting on every transaction a user performs is a valid request in these systems.
Why This is Not a Valid Request in D365FO
Change tracking in D365FO is not built into the transaction themselves and is user defined at the table level. This means that the only way to track everything a user assigned the SysAdmin role does would be to track every table in the system. If you have worked with the Database Log (or any other tracking system in D365FO) you know this is not possible because of the performance impact this would have as well as the storage/reporting requirements that would come out of this type of tracking.
What Can We Do to Address This?
There are a couple different options when you get a request like this:
- Reduce the number of users assigned SysAdmin in your environment – this is straight forward but by reducing the number of users assigned this role you limit the amount of time and effort you have to exert to track down what these users are doing. Ask questions like
- Does this user really need this elevated access to perform their day-to-day operations?
- Can this access be temporary instead of permanent?
- Have a review/sign off process for the assignment of the SysAdmin role to a user – assigning this role should not be something that can be done without multiple reviews and approvals. This will also help when it comes time for audit reviews as you now have a record of when this role was assigned.
- Take a ‘risk-based approach’ to what you are tracking – while we cannot track everything a user does; we can place tracking around high-risk areas that we care about and/or would have a financial impact if a change was made undetected. An example of this is you may not care if a user changes a vendor’s birthday, but you would care if they changed a vendor’s bank account information.
- Do not use the D365FO Database Log – if you have used this tool in the past you recognize the many shortcomings of the tool. In this case, having a tool like Fastpath Audit Trail that is built from the ground up to be an audit change tracking tool with a separate tracking methodology, built in reports, and data management capabilities means you can precisely track the changes you want to report on.
- If this request is coming from an internal/external auditor, talk with them and explain why this request is not valid/feasible within D365FO. You can also show them what steps you are taking to address this situation.
To have a deeper discussion with one of our security experts on how Fastpath Assure can help with your security, risk and compliance, please contact us. To learn more about D365FO security best practices and how to develop a risk-based approach to your security, please download the eBook, "Using Microsoft Dynamics 365 for Finance & Operations to Manage Risk".