SoD not possible with the Dynamics NAV security role
Setting up authorizations is a lot of work
Getting a decent authorization setup within Dynamics NAV, one that satisfies both the auditor and internal audit, is a major challenge. Because setting up the authorizations is a lot of work, many organizations choose to grant all users SUPER rights. And even when you succeed in setting the authorizations correctly, you still need to manage them afterwards. After all, roles change constantly.
The weakest link in security policy
The management of the authorizations is often assigned to the application manager with SUPER rights or, if no application manager is available, to an administrative assistant. This is a weak link within the security policy, quite apart from the fact that an application manager is usually not the person who can assess which rights belong to which user. That assessment usually belongs to the role of the controller.
To delegate security administration in Dynamics NAV without granting SUPER rights, Microsoft introduced the SECURITY role (also known as a permission set). How Microsoft describes it: if you want to create an "area super-user", you should give the person the SECURITY role and permissions for the areas, such as Purchases & Payables, for which they can grant and revoke permissions for other users. A SECURITY user can only grant permissions that he holds himself. This prevents the user from granting himself more permissions than desirable.
Breaking segregation of duties
From an internal control perspective, this isn't a convenient approach. One of the most important objectives of authorization setup in an ERP system is to guarantee the segregation of duties. For example: imagine that I make the head of administration responsible for the authorizations of the financial department. This user will need all rights for financial activities to be able to grant permissions to other users of that department. Therefore there is no segregation of duties, and the authorization manager remains the weakest link.
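The argument above can be checked mechanically. The following is an added example, not code from Microsoft or from the original page: it models only the grant rule as described here, and every permission-set name other than SECURITY, the user names, and the conflict pairs are constructed for illustration.

```python
# Model of the delegation rule described above: a SECURITY user can only
# grant permission sets that they hold themselves.
# All names except SECURITY are constructed sample data, not real NAV sets.

SOD_CONFLICTS = [
    ("VENDOR-EDIT", "PAYMENT-POST"),   # maintain vendors vs. pay them
    ("GL-JOURNAL-POST", "GL-SETUP"),   # post entries vs. change posting setup
]

# Constructed department: each user is individually free of SoD conflicts.
FINANCE_USERS = {
    "clerk_a": {"VENDOR-EDIT"},
    "clerk_b": {"PAYMENT-POST"},
    "accountant": {"GL-JOURNAL-POST"},
    "controller": {"GL-SETUP"},
}


def can_grant(granter_sets, permission_set):
    """True if the granter holds SECURITY and also holds the set being granted."""
    return "SECURITY" in granter_sets and permission_set in granter_sets


def sets_needed_to_administer(department_users):
    """Everything a delegate must hold to be able to grant each user's sets."""
    needed = {"SECURITY"}
    for sets in department_users.values():
        needed |= set(sets)
    return needed


def sod_violations(held_sets):
    """Conflict pairs that are both present in one person's permission sets."""
    held = set(held_sets)
    return [pair for pair in SOD_CONFLICTS if set(pair) <= held]


def audit(department_users):
    """SoD violations per user, plus those forced onto the delegated admin."""
    report = {name: sod_violations(sets) for name, sets in department_users.items()}
    report["<delegated admin>"] = sod_violations(
        sets_needed_to_administer(department_users)
    )
    return report


if __name__ == "__main__":
    for name, violations in audit(FINANCE_USERS).items():
        print(f"{name:18} {violations or 'no conflict'}")
```

Running the same check against an export of real permission-set assignments shows which SECURITY holders already combine conflicting duties.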
In an ideal situation you would have an authorization manager who only grants permissions on behalf of data owners and who cannot change his or her own permissions. Unfortunately, without the right add-on or customization, Microsoft Dynamics doesn't support this functionality.