web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics AX (Archived) / How to control HR data...
Microsoft Dynamics AX (Archived)

How to control HR data confidentiality??

(0) ShareShare
ReportReport
Posted on by Peter Samir 446

Hi,

We have MS Dynamics 2012 R3 CU9, We have a plan to use the Human Resources and Payroll modules. We finished all the setup and configurations on the test server and we are going to move to the production environment.

As you know the payroll data is confidential and the top management need to be sure that no one (even ERP team) will be able to access this data except the HR employees who are responsible for the payroll.

So, I would like to know how can I control the system admin and security admin accounts where:

The system admin can access all modules and all tables into the AOT.

The security admin can give an access to any user account (His/her account) on the payroll module.

I read about the client access log but I think it will not be useful for the system admin account.

So, What is the best practice into such this scenario. 

  https://blogs.msdn.microsoft.com/axperf/2011/10/14/client-access-log-dynamics-ax-2012/

 

*This post is locked for comments

I have the same question (0)
  • André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 301,025 Super User 2025 Season 2 on at

    Hi Peter,

    The best would be to have no system administrator users in production; besides the AX service account. You can create a custom role with all features; except the confidential data (HR, but probably also limited rights on bank accounts in general).

    A security administrator can assign roles to persons. He is not able to assign the system administrator role to anyone.

    If you also setup segregation of duties, you can prevent having persons incorrect access.

    In test environments, you can create a script to scramble data like names and earnings. Then it would be no issue to give some users system administrator rights in NON-production environments.

  • Suggested answer
    guk1964 Profile Picture
    guk1964 10,888 on at

    There are a few other considerations e.g related to finance

    What detail will you see in the GL? e.g. do you post only the total and leave the detail in payroll, or do you post by Employee dimension? 

    Will you use AP for cheque printing for employees? if so then if employees are set up as vendors then you need to consider who in AP is allowed to see those details. or bank interface payment files - what detail is available to be viewed by whom? or is the detail sent to the bank is a separate file from Payroll?

    Workflows for approval of e.g. pay increment may need to be controlled.

    Will you  processing separate payroll journals separately for e.g. directors,  management, and employees with different journals (and approvers).

    There are third party tools that can give you information about access.

    re client access log, the blog post you mention does not cover all you need to know e.g.

    1. By default this functionality is disabled.
    2. There is no form/UI available for this
    3. When enabled for all users,  everything is logged into database which will impact performance, database size, etc.
    4. This is a system table.
    5. We do not have clarity (even from Microsoft) on which forms are captured, what level of details, events are captured.
    6. By default only AX Administrators can write on the SysClientAccessLog table 
    7. The administrator can choose to enable client access log at the user level and the user actions will be recorded in a System table called SysClientAccessLog. The control field to enable or disable this feature is added to UserInfo table (Again a system table).
    8. This feature is compiled only for rich client and by default is turned off. Once enabled for user, user need to close and reopen the DAX, open/close some forms (e.g. Customers) and browse to this table to check the entry made. 
    9. etc

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics AX (Archived)

#1
Martin Dráb Profile Picture

Martin Dráb 4 Most Valuable Professional

#1
Priya_K Profile Picture

Priya_K 4

#3
MyDynamicsNAV Profile Picture

MyDynamicsNAV 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans