How Does PowerApprovals Keep My Data Safe?

 


By Peter Vien - Infrastructure Engineer
October 27, 2021                      

As a Cloud Infrastructure Engineer and member of the Mekorma Customer Success team, I spend time with customers and partners discussing and deploying Mekorma PowerApprovals. PowerApprovals provides executives and managers with the ability to approve their organization’s outgoing payments on a mobile device or browser, without the need to log into GP.

In this blog, I would like to address some of the most frequently asked questions about the underlying architecture of PowerApprovals, how the information flows between the application and Microsoft Dynamics GP, and how we ensure your data travels securely.


Constructed for Convenience and Maximum Security

Mekorma PowerApprovals is built on four layers of security:

  1. Only designated users can access the app - The app must be explicitly shared from within your Power Platform environment, and only authorized users can launch it.

  2. Authentication is handled by Microsoft Azure Active Directory - Users sign in with either a Microsoft work or school account. This account is your organization account (if you are running Office 365, it’s simply your email account). This requires a client’s IT system admin team to register, create and sync their on-prem Active Directory objects via AD Connect, or provision as a new tenant on the Microsoft cloud.

  3. UPN mapping allows access to sensitive GP data – For an approver to view GP data in the PowerApprovals interface, their User Principal Name (UPN) account must be mapped to their Dynamics GP user account. Without this mapping, a user cannot view or approve payment transactions or batches from the Mekorma PowerApprovals application, even if the application has been shared with them.

  4. Mekorma’s secure approval logic must be configured - Mekorma task-based security roles and approval threshold levels must be defined and set up in Dynamics GP.

What is the exposure surface of my data?

Customers are rightfully concerned about keeping data transmission between their Dynamics GP on-premises application and Mekorma’s cloud-based PowerApprovals app safe.

PowerApprovals is built on the Microsoft Power Apps and Power Automate platforms to display relevant payment information for approval, allowing designated approvers to take action on those transactions. Approval or rejection business logic is executed server-side on your Microsoft Dynamics GP SQL Server.

As part of PowerApprovals’ security-conscious design, client data is never stored in the cloud. We rely on the built-in security infrastructure of the Microsoft On-premises Data Gateway to enable secured communications between your Dynamics GP SQL Server and the PowerApprovals app.

The messaging flows from a PowerApprovals user in the cloud to your Microsoft Dynamics GP on-premises SQL Server, and then back. At each stage within the process (described below), information is encrypted whether at rest or during transport.

How is my data being transmitted?

It’s a bit like a relay race - here’s what happens behind the scenes:

  1. When an authorized user launches Mekorma PowerApprovals from their device, the Microsoft Power Apps cloud service creates a query along with the encrypted credentials for your on-premises Dynamics GP SQL Server. The query and credentials are sent to the Gateway Cloud Service for processing.

  2. The Gateway Cloud Service validates the encrypted credentials and analyzes the query, pushing it down to the Azure Service Bus.

  3. Azure Service Bus is a fully managed multi-tenant cloud messaging service (MAAS). It is a brokered messaging system. Azure Service Bus sends the pending query requests to the On-premises Data Gateway.

  4. The On-premises Data Gateway gets the query, decrypts the credentials, and connects to your Dynamics GP SQL Server with those credentials.

  5. The Dynamics GP SQL Server executes the query business logic under the credentials established by the SQL connector in the cloud.

  6. The results are sent from your Dynamics GP SQL Server back to the Gateway. The Gateway encrypts and transmits the data to Mekorma PowerApprovals. At this point, the approver will be able to view and act upon transactions needing their approval.

  7. As the approver acts on transactions, the data query is encrypted via the On-premises Data Gateway using Azure Service Bus, and a stored procedure executes that query on the SQL Server.

  8. Once the SQL Server receives the query, approved or rejected transactions can be viewed in GP and payments can go on to be processed.

Do I need to open proprietary firewall ports to support this setup? Do I need to do anything on my network security side?

The transmission of query requests and data back and forth is encrypted via the Azure Service Bus infrastructure and the Microsoft On-premises Data Gateway using the TLS 1.2 encryption protocol. All of this happens over HTTPS, so the only firewall port that needs to be open is the standard port 443.
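A check you can run on the Windows machine hosting the On-premises Data Gateway to confirm that port 443 is reachable and that a TLS 1.2 handshake completes end to end. This is an added example, not code from Mekorma or Microsoft; the function name `Test-Tls12Endpoint` is hypothetical and the host name is a placeholder to replace with the endpoints your gateway actually uses.

```powershell
# Added example. Offers ONLY TLS 1.2 on the given port and reports what was
# negotiated. The certificate issuer is included because an unexpected issuer
# usually means a TLS-inspecting proxy sits between the gateway and the cloud.
function Test-Tls12Endpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Fails here if the firewall blocks the port or DNS cannot resolve the host.
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            # Default certificate validation applies (chain and host name).
            # Revocation checking is off so a blocked CRL/OCSP path does not
            # mask the result of the protocol test itself.
            $ssl.AuthenticateAsClient(
                $HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12,
                $false)
            [pscustomobject]@{
                Host     = $HostName
                Port     = $Port
                Ok       = $true
                Protocol = $ssl.SslProtocol
                Subject  = $ssl.RemoteCertificate.Subject
                Issuer   = $ssl.RemoteCertificate.Issuer
                Error    = $null
            }
        } finally { $ssl.Dispose() }
    } catch {
        # Connection refused, handshake failure, or certificate rejection.
        [pscustomobject]@{
            Host = $HostName; Port = $Port; Ok = $false
            Protocol = $null; Subject = $null; Issuer = $null
            Error = $_.Exception.Message
        }
    } finally { $client.Dispose() }
}

# Placeholder host (assumption, not from the article): substitute your own.
$endpoints = @('your-namespace.servicebus.windows.net')
$endpoints | ForEach-Object { Test-Tls12Endpoint -HostName $_ } | Format-List
```

A row with `Ok = False` and a certificate error, or an `Issuer` belonging to your own proxy, is worth resolving before troubleshooting the app itself.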

PowerApprovals is a powerful tool for extending payment approval functionality beyond Dynamics GP – and we have designed it to rigorously protect your data.
 

From October 1st – December 31st, 2021, you can get the app for 50% off!
If you have further questions or want to discuss how your organization could benefit from PowerApprovals, please reach us at sales@mekorma.com.