Dynamics 365
Security Model Workshop

24 August 2021
Security Model Workshop Agenda

Understand your security modeling requirements and strategy.

Agenda
• Basics & Security Model Overview
• Business Units & Teams
• Implemented Security Mechanisms
• User Interface
• Scalability, Performance, Maintainability
• Security Testing
• Security Monitoring
• Regulations and compliance
• Security Beyond Dynamics 365
• Q&A

Format: 1 hour Microsoft Teams call
Attendees: Key stakeholders from the customer and partner teams. Solution architects, functional and technical leads are mandatory.
Requirements: Solution Design WS template completed.
The Role of Success by Design

In Scope
• Provide findings and recommendations following the workshop presentation
• Highlight technical risks and issues (including unrealistic product expectations)
• Point out best practices

Out of Scope
• Define security model
• Train configurators or system administrators
Customer slide (please update)

Security model overview
Brief overview of your security model: Add info
Security model overview
How are you managing access to records? Add info
Basics
How many users do you have (target)? #

How many distinct security patterns / configurations do you have in your model, and how many users are there in each pattern configuration*?

What is the % of users that potentially have more complex security requirements than the rest? #

*By “security pattern”, we mean the different security configurations you want to implement to answer the requirements, e.g. X will use the standard use of user / business unit / security role, Y will use a combination of X and Manager Hierarchy, Z will only use Access Teams… etc.
Basics
Do you really need to restrict access to data, or do you want to filter access to data? Yes/No

Number of Security Roles? #

Have you created new security roles instead of customizing existing ones? Yes/No

Have you tried to reduce as much as possible the number of security roles? Yes/No

Number of security roles that an individual persona needs Yes/No

Are the security roles being created at the root BU level or the child level? Yes/No

What is your strategy to update the security roles as you roll out new entities / functionality? Yes/No
Business Units
Number of Business Units #

Business Unit Structure: Number of depth levels #

Describe the hierarchical structure of business units in the context of your security requirements.
Business Units
Number of Business Units #

Internal Organization Structure: Number of depth levels #

Describe the hierarchical structure of your business organization using the CRM application.
Teams
Do you use Owner Teams to assign roles to users? Yes/No

Do you use Owner Teams to own records? Yes/No

Do you automate record assignment and how? Yes (detail) / No

Do you use Access Teams? (System or manually managed) Yes/No

Do you automate Access Team membership? Yes/No

How do you deploy Access Team Templates across environments?

Do you use Azure Active Directory synchronized groups to manage access rights? Yes/No

Do you have any requirements that didn’t fit into the standard model? Yes/No
Implemented Security Mechanisms

Do you automate sharing? Yes/No

Do you use field level security? Yes/No

Do you use hierarchy security? Yes/No
If yes: Manager or Position? How many levels deep have you configured?

Do you use plugins on RetrieveMultiple messages to implement security? Yes/No

Have you reviewed all relationship behaviors that could impact security? (Share, Unshare, Reparent, Assign…) Yes/No
User Interface
Do you use Security Roles to simplify access to:

Apps? Yes/No

Dashboards? Yes/No

Forms? Yes/No

Business Process Flows? Yes/No

Sitemap sub-areas? Yes/No

Command bar buttons? Yes/No

Document Templates? Yes/No

Scalability, Performance, Maintainability
Have you identified scenarios where there is no need for the record to be owned by a user/team? Yes/No

Have you identified any potential scalability challenge in your security design at higher volumes? Yes/No

Have you considered the impact of your data and security models on the PoA table? Yes/No

Do you regularly update User, Team or Business Unit records? Yes/No

Have you considered the impact of a large reorganization to the Users, Teams, Business Units, and Records? Yes/No

For users who already have access to a very large % of records, have you considered providing global access for better performance? Yes/No

Do you bulk re-assign records when a user leaves? Are you considering the impact of cascading relationships? Yes/No
Security Testing

Do you have test environments to validate the data in the context of your security requirements? Yes/No

Do you have the security matrix Excel sheet with access levels and privileges defined by your Business/customer? Yes/No

Do you have test cases around the security matrix for all the security roles? Yes/No

Have you considered negative testing on Field level security fields and Teams? Yes/No

Will you be performing Penetration Tests on the platform? Yes/No


Other Dynamics 365 security questions

Export to Excel privilege: have you considered it? Yes/No

If applicable, how are you planning to control security in Data Export Service, Azure SQL or Export to Data Lake and Power BI? Yes/No

If applicable, what is your security model strategy for Dynamics Portals and USD? Yes/No

In case your users inherit their security roles exclusively from teams, have you considered leveraging the inheritance to direct user setting on security roles? Yes/No

If virtual entities are planned to be used, have you considered the security model around them? Yes/No
Security Monitoring
Do you have requirements to monitor user access to the application? Yes (detail) / No

Do you have requirements to implement alerts in case of abnormal behavior? Yes (detail) / No

Do you plan to regularly check appropriate user permissions? Yes (detail) / No
Regulations and compliance
What are the legal requirements (e.g. GDPR) you must comply with?

What are the steps you have taken to ensure compliance with legal requirements applying to your implementation?

Do you plan to regularly check appropriate user permissions?

Security Beyond Dynamics 365 (1/2)
Have you associated your environments with a Security Group to control which users have access to them? Yes/No

Do you use Azure Conditional Access to control how users access your Office 365 / Dynamics 365 data? Yes/No

Do you use Mobile Device Management to manage your fleet of devices (mobiles, etc.)? Yes/No

Do you integrate with SharePoint? If yes, how are you addressing security in SharePoint vs security in Dynamics?

Do you integrate with Power BI? If yes, how are you addressing security in Power BI vs security in Dynamics?

Do you use other security mechanisms?

Security Beyond Dynamics 365 (2/2)
Does your security model hold dependencies on ISV solutions? If yes, what are they? Yes (detail) / No

What are your requirements for data integration security patterns?

In case you are leveraging other Power Platform capabilities such as Flow and PowerApps, what are your security requirements and design?

Do you have specific infrastructure security requirements? (encryption, etc.)
Q&A Session
Thank you.