1. To-Increase Dynamics 365 for Finance & Operations
  2. Security and compliance studio
  3. Manage risks

Manage segregation of duties (enhanced)

You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.

With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level and entry point level.
Why consider using the enhanced segregation rules? With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level and entry point level.
With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely.
If you use enhanced segregation rules, the related validation and verification of user-role compliance is done on the defined level.
Example: 
SoD-rule1 segregates Duty1 and Duty2. So, these duties cannot be linked to the same role/users. For example, Role1.
Using the entry points of Duty1, a new duty is created: Duty3.
Using the entry points of Duty2, a new duty is created: Duty4.
As SoD-rule1 does not segregate Duty3 and Duty4, both can be linked to Role1. This gives Role1 all rights as defined by Duty1 and Duty2, which is not allowed by SoD-rule1.
SoD-rule2 segregates EntryPoint1 and EntryPoint5. By defining the segregation on entry point level, Duty3 and Duty4 are not allowed together for Role1.
Segregation on duty level only:

Segregation on entry point level:


Security administrator Security administrator Start Start Set up segregation of duties rules (enhanced) Set up segregation of duties rules (enhanced) You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level and entry point level.Why consider using the enhanced segregation rules? With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level and entry point level.With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely.Complete the following procedure to create an enhanced segregation rule on one of these levels: duty, privilege, or entry point. Procedure 1. Click Integrated risk management. 2. Click the Enhanced SoD rules tab. 3. Click New. 4. In the Name field, type a value. 5. Define to which securable object level the segregation rule applies. the selected value defines what you can select the First field and Second field. In the Type field, select an option. Note: If the First field and Second field are filled and you change the type, these fields are emptied. 6. In the Effective from field, enter a date and time. 7. In the Effective to field, enter a date and time. 8. Select Yes in the Enabled field. 9. In the First field, enter or select a value. 10. In the First access level field, select an option. 11. In the Second field, enter or select a value. 12. In the Second access level field, select an option. 13. In the Risk field, enter or select a value. 14. Close the page. Notes If you define a segregation rule on entry point level, also define the access level. This defines the valid and invalid entry point permission combinations. On validation, the defined access level combinations are taken into account.The access levels that are:Lower than the defined access level, are valid.Equal to or higher than the defined access level, are invalid.Example:SoD-rule2 segregates these entry points:First = EntryPoint1; First access level = Create (so, permission is Create).Second = EntryPoint2; Second access level = Update (so, permission is Edit).For this example, when assigned to Role1, some examples of entry point permission combinations that are:Valid:EntryPoint1, Update - EntryPoint2, ReadEntryPoint1, Read - EntryPoint2, UpdateEntryPoint1, Create - EntryPoint2, ReadInvalid:EntryPoint1, Create - EntryPoint2, UpdateEntryPoint1, Create - EntryPoint2, CreateEntryPoint1, Delete - EntryPoint2, Update Verify compliance of user-role assignments (enhanced) Verify compliance of user-role assignments (enhanced) You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-roles assignments to verify whether user role assignments comply with new rules for enhanced segregation of duties. So, it verifies inter-role compliance and user-level validations. A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. You must resolve all conflicts.Complete the following procedure to identify conflicts. Procedure 1. Click Integrated risk management. 2. Click the Enhanced SoD rules tab. 3. In the list, find and select the enhanced segregation of duties rule to be verified. 4. Click Verify compliance of user-role assignments. Note: Check the displayed messages. Validate segregation of duties (enhanced) Validate segregation of duties (enhanced) You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for enhanced segregation of duties. So, it validates intra-role compliance. If any existing roles violate the selected rule, a message is shown that contains the name of the role and the names of the conflicting securable objects. You must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for enhanced segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply. Procedure 1. Click Integrated risk management. 2. Click the Enhanced SoD rules tab. 3. In the list, find and select the enhanced segregation of duties rule to be validated. 4. Click Validate duties and roles. Note: Check the resulting messages. If violations are indicated, solve these violations. Are conflicts logged? Are conflicts logged? Resolve segregation of duties conflicts (enhanced) Resolve segregation of duties conflicts (enhanced) You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator.For each logged conflict, you can:Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion.Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field.Complete the following procedure to view and resolve conflicts. Procedure 1. Click Integrated risk management. 2. Click the Enhanced SoD conflicts tab. 3. Sub-task: Deny assignment. 4. In the list, find, select, and review a conflict. 5. Click Edit. 6. Click Deny assignment. 7. In the Select the role to exclude the user from field, select an option. 8. Click OK. 9. Close the page. 10. Sub-task: Allow assignment. 11. In the list, find, select, and review a conflict. 12. Click Edit. 13. Click Allow assignment. 14. In the Override reason field, type a value. 15. Click OK. 16. Close the page. End End Yes No

Activities

Name Responsible Description

Set up segregation of duties rules (enhanced)

Security administrator
You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.
With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level and entry point level.
Why consider using the enhanced segregation rules? With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level and entry point level.
With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely.
Complete the following procedure to create an enhanced segregation rule on one of these levels: duty, privilege, or entry point.

Verify compliance of user-role assignments (enhanced)

Security administrator

 		You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-roles assignments to verify whether user role assignments comply with new rules for enhanced segregation of duties. So, it verifies inter-role compliance and user-level validations.
A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. You must resolve all conflicts.
Complete the following procedure to identify conflicts.

Validate segregation of duties (enhanced)

Security administrator

 		You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for enhanced segregation of duties. So, it validates intra-role compliance.
If any existing roles violate the selected rule, a message is shown that contains the name of the role and the names of the conflicting securable objects. You must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for enhanced segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply.

Resolve segregation of duties conflicts (enhanced)

Security administrator

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator.

For each logged conflict, you can:

  • Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion.
  • Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field.
Complete the following procedure to view and resolve conflicts.

Provide feedback