Set up segregation of duties rules (enhanced)
Application task
You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.
With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level, on entry point level, and with segregation security sets.
With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely.
Complete the following procedure to create an enhanced segregation rule on one of these levels: duty, privilege, or entry point.
Standard procedure
| 1. | Click Integrated risk management. |
| 2. | Click the Enhanced SoD rules tab. |
| 3. | Click New. |
| 4. | In the Name field, type a value. |
| 5. | Define to which securable object level the segregation rule applies. The selected value defines what you can select in the First field and Second field. |
| In the Type field, select an option. | |
|
Note: If the First field and Second field are filled, and you change the type, these fields are emptied. |
|
| 6. | Enter the date from which the segregation rule is effective. |
| In the Effective from field, enter a date and time. | |
| 7. | Enter the date to which the segregation rule is effective. |
| In the Effective to field, enter a date and time. | |
| 8. | Indicate if the segregation rule is active. |
| Select Yes in the Enabled field. | |
| 9. | Select the first securable object or segregation security set that is controlled by the rule. |
| In the First field, enter or select a value. | |
| 10. | If you define a segregation rule on entry point level, define the access level for the first entry point. This defines the valid and invalid entry point permission combinations. On validation, the defined access level combinations are taken into account. |
| In the First access level field, select an option. | |
| 11. | Select the second securable object or segregation security set that is controlled by the rule. |
| In the Second field, enter or select a value. | |
| 12. | If you define a segregation rule on entry point level, define the access level for the second entry point. This defines the valid and invalid entry point permission combinations. On validation, the defined access level combinations are taken into account. |
| In the Second access level field, select an option. | |
| 13. | Sub-task: Define risks. |
| 13.1 | To an enhanced segregation of duties rule, you can link a risk that helps mitigating the risk. |
| Expand the Risk section. | |
| 13.2 | Click Add. |
| 13.3 | In the Organization Risk field, enter or select a value. |
| 14. | Close the page. |
Notes
If you define a segregation rule on entry point level, also define the access level. This defines the valid and invalid entry point permission combinations. On validation, the defined access level combinations are taken into account.
The access levels that are:
- Lower than the defined access level, are valid.
- Equal to or higher than the defined access level, are invalid.
Example:
SoD-rule2 segregates these entry points:
- First = EntryPoint1; First access level = Create (so, permission is Create).
- Second = EntryPoint2; Second access level = Update (so, permission is Edit).
For this example, when assigned to Role1, some examples of entry point permission combinations that are:
- Valid:
- EntryPoint1, Update - EntryPoint2, Read
- EntryPoint1, Read - EntryPoint2, Update
- EntryPoint1, Create - EntryPoint2, Read
- Invalid:
- EntryPoint1, Create - EntryPoint2, Update
- EntryPoint1, Create - EntryPoint2, Create
- EntryPoint1, Delete - EntryPoint2, Update
| Related to | Notes |
|---|---|
|
Manage segregation of duties (enhanced) |