You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.
Name | Responsible | Description |
---|---|---|
Set up segregation of duties rules (enhanced) |
Security administrator |
You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level and entry point level. Why consider using the enhanced segregation rules? With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level and entry point level. With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely. Complete the following procedure to create an enhanced segregation rule on one of these levels: duty, privilege, or entry point.
|
Verify compliance of user-role assignments (enhanced) |
Security administrator |
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use
Verify compliance of user-roles assignments to verify whether user role assignments comply with new rules for enhanced segregation of duties. So, it verifies inter-role compliance and user-level validations.
A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. You must resolve all conflicts. Complete the following procedure to identify conflicts.
|
Validate segregation of duties (enhanced) |
Security administrator |
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use
Validate segregation of duties to verify whether existing roles comply with new rules for enhanced segregation of duties. So, it validates intra-role compliance.
If any existing roles violate the selected rule, a message is shown that contains the name of the role and the names of the conflicting securable objects. You must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for enhanced segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply.
|
Resolve segregation of duties conflicts (enhanced) |
Security administrator |
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator. For each logged conflict, you can:
|