You can audit the setup of rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.


Security administrator Security administrator Security auditor Security auditor Analyze segregation of duties Analyze segregation of duties You can analyze the setup of rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.This procedure explains how you can analyze the segregation of duties setup. Procedure 1. Click Security audit. 2. Sub-task: Analyze rules and conflicts. 3. Click the Segregation of duties rules tab. 4. In the list, find and select the desired record. 5. On the Conflicts pane, you can review the segregation of duties conflicts for the selected rule. You can, for example, review if a conflict is already solved or what resolution is chosen. 6. Sub-task: Analyze charts. 7. Click the Charts tab. Note: The SOD rules and conflicts (Resolved/Unresolved) chart shows the total number of: - Segregation of duties rules. - Unresolved segregation of duties conflicts. - Resolved segregation of duties conflicts. 8. Click the Compliant versus incompliant roles and users tab. Note: This chart shows the number of users and roles that are compliant or incompliant with the segregation of duties rules. Start Start Validate segregation of duties Validate segregation of duties You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for segregation of duties. So, it validates intra-role compliance. If any existing roles violate the selected rule, a message is displayed that contains the name of the role and the names of the conflicting duties. The security administrator must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply. Procedure 1. Click Security management. 2. Click the Segregation rules tab. 3. In the list, find and select the segregation of duties rule to be validated. 4. Click Validate duties and roles. Note: Check the resulting messages. If violations are indicated, solve these violations. Any issues found? Any issues found? Verify compliance of user-role assignments Verify compliance of user-role assignments You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-roles assignments to verify whether user role assignments comply with new rules for segregation of duties. So, it verifies inter-role compliance and user-level validations. A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. The security administrator must resolve all conflicts. Complete the following procedure to identify conflicts. Procedure 1. Click Security management. 2. Sub-task: Verify compliance of user-role assignments in batch. 3. Click Verify compliance of user-role assignments. 4. Expand the Run in the background section. 5. Select Yes in the Batch processing field. Note: If required, define other batch processing settings. 6. Click Recurrence and set up the recurrence pattern for the batch job. 7. Click OK. 8. Click OK. Note: Check the displayed messages. 9. Sub-task: Verify compliance of user-role assignments for a specific segregation of duties rule. 10. Click the Segregation rules tab. 11. In the list, find and select the segregation of duties rule to be verified. 12. Click Verify compliance of user-role assignments. Note: Check the displayed messages. Are conflicts logged? Are conflicts logged? Resolve segregation of duties conflicts Resolve segregation of duties conflicts You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator. For each logged conflict, you can: Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion. Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field. Complete the following procedure to view and resolve conflicts. Procedure 1. Click Security management. 2. Click the Segregation of duties rules tab. 3. Sub-task: Deny assignment. 4. In the Segregation of duties rules list, find and select the desired record. 5. In the Conflicts list, find, select, and review a conflict. 6. Click Deny assignment. 7. In the Select the role to exclude the user from field, select an option. 8. Click OK. 9. Sub-task: Allow assignment. 10. In the Segregation of duties rules list, find and select the desired record. 11. In the Conflicts list, find, select, and review a conflict. 12. Click Allow assignment. 13. In the Reason for override field, type a value. 14. Click OK. End End Yes No

Activities

Name Responsible Description

Analyze segregation of duties

Security auditor

You can analyze the setup of rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.
This procedure explains how you can analyze the segregation of duties setup.

Validate segregation of duties

Security administrator

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for segregation of duties. So, it validates intra-role compliance.
If any existing roles violate the selected rule, a message is displayed that contains the name of the role and the names of the conflicting duties. The security administrator must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply.

Verify compliance of user-role assignments

Security administrator

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-roles assignments to verify whether user role assignments comply with new rules for segregation of duties. So, it verifies inter-role compliance and user-level validations.

A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. The security administrator must resolve all conflicts. Complete the following procedure to identify conflicts.

Resolve segregation of duties conflicts

Security administrator

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator.

For each logged conflict, you can:

  • Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion.
  • Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field.
Complete the following procedure to view and resolve conflicts.

Provide feedback