You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.

Why consider using the enhanced segregation rules? With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level, on entry point level, and with segregation security sets.
With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely.
If you use enhanced segregation rules, the related validation and verification of user-role compliance is done on the defined level.
Example:

  • SoD-rule1 segregates Duty1 and Duty2. So, these duties cannot be linked to the same role or user, for example Role1.
  • Using the entry points of Duty1, a new duty is created: Duty3.
  • Using the entry points of Duty2, a new duty is created: Duty4.
  • As SoD-rule1 does not segregate Duty3 and Duty4, both can be linked to Role1. This gives Role1 all rights as defined by Duty1 and Duty2, which is not allowed by SoD-rule1.
  • SoD-rule2 segregates EntryPoint1 and EntryPoint5. By defining the segregation on entry point level, Duty3 and Duty4 are not allowed together for Role1.
Figures (not reproduced): Segregation on duty level only; Segregation on entry point level.


Procedures

Set up segregation of duties rules (enhanced)

Complete the following procedure to create an enhanced segregation rule on one of these levels: duty, privilege, or entry point.

Procedure

  1. Click Integrated risk management.
  2. Click the Enhanced SoD rules tab.
  3. Click New.
  4. In the Name field, type a value.
  5. Define to which securable object level the segregation rule applies: in the Type field, select an option. The selected value defines what you can select in the First field and Second field. Note: If the First field and Second field are filled, and you change the type, these fields are emptied.
  6. In the Effective from field, enter a date and time.
  7. In the Effective to field, enter a date and time.
  8. Select Yes in the Enabled field.
  9. In the First field, enter or select a value.
  10. In the First access level field, select an option.
  11. In the Second field, enter or select a value.
  12. In the Second access level field, select an option.
  13. Sub-task: Define risks.
  14. Expand the Risk section.
  15. Click Add.
  16. In the Organization Risk field, enter or select a value.
  17. Close the page.

Notes

If you define a segregation rule on entry point level, also define the access level. This defines the valid and invalid entry point permission combinations. On validation, the defined access level combinations are taken into account. Access levels that are:

  • Lower than the defined access level are valid.
  • Equal to or higher than the defined access level are invalid.

Example: SoD-rule2 segregates these entry points:

  • First = EntryPoint1; First access level = Create (so, permission is Create).
  • Second = EntryPoint2; Second access level = Update (so, permission is Edit).

For this example, when assigned to Role1, some entry point permission combinations that are valid:

  • EntryPoint1, Update - EntryPoint2, Read
  • EntryPoint1, Read - EntryPoint2, Update
  • EntryPoint1, Create - EntryPoint2, Read

And some that are invalid:

  • EntryPoint1, Create - EntryPoint2, Update
  • EntryPoint1, Create - EntryPoint2, Create
  • EntryPoint1, Delete - EntryPoint2, Update

Verify compliance of user-role assignments (enhanced)

Complete the following procedure to identify conflicts.

Procedure

  1. Click Integrated risk management.
  2. Click the Enhanced SoD rules tab.
  3. In the list, find and select the enhanced segregation of duties rule to be verified.
  4. Click Verify compliance of user-role assignments.

Note: Check the displayed messages.

Validate segregation of duties (enhanced)

Procedure

  1. Click Integrated risk management.
  2. Click the Enhanced SoD rules tab.
  3. In the list, find and select the enhanced segregation of duties rule to be validated.
  4. Click Validate duties and roles.

Note: Check the resulting messages. If violations are indicated, solve these violations.

Resolve segregation of duties conflicts (enhanced)

Complete the following procedure to view and resolve conflicts.

Procedure

  1. Click Integrated risk management.
  2. Click the Enhanced SoD conflicts tab.
  3. Sub-task: Deny assignment.
  4. In the list, find, select, and review a conflict.
  5. Click Edit.
  6. Click Deny assignment.
  7. In the Select the role to exclude the user from field, select an option.
  8. Click OK.
  9. Close the page.
  10. Sub-task: Allow assignment.
  11. In the list, find, select, and review a conflict.
  12. Click Edit.
  13. Click Allow assignment.
  14. In the Override reason field, type a value.
  15. Click OK.
  16. Close the page.

Set up segregation security sets

Procedure

  1. Go to Security and compliance > Setup > Segregation security sets.
  2. Click New.
  3. In the Segregation security sets field, type a value.
  4. In the Description field, type a value.
  5. In the Segregation security set lines section, click Add.
  6. In the Securable object field, enter or select a value.
  7. In the Access level field, select an option.
  8. Close the page.

Decision points in the process flow (each answered Yes or No):

  • Do you want to use a predefined set of segregation of duties rules (enhanced)?
  • Are conflicts logged?
  • Do you want to use segregation security sets?
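The following toy model, added here as an example and not the product's own code, shows the three evaluation rules described above in one place: the duty level rule that Duty3 and Duty4 bypass, the entry point level rule with access level thresholds (the SoD-rule2 valid/invalid combinations), and child rule generation from two segregation security sets. The access level ordering and the duty/entry point data are constructed assumptions; the duties are merged from both examples, so Duty2 and Duty4 carry EntryPoint2.

```python
from itertools import product

# Assumed ordering (higher rank = more privilege); it reproduces the
# page's valid/invalid combinations, where Update < Create < Delete.
ACCESS_RANK = {"None": 0, "Read": 1, "Update": 2, "Create": 3, "Delete": 4}

# Constructed data merging the page's two examples: Duty3/Duty4 reuse the
# entry points of Duty1/Duty2, and the second entry point is EntryPoint2.
DUTIES = {
    "Duty1": {"EntryPoint1": "Create"}, "Duty2": {"EntryPoint2": "Update"},
    "Duty3": {"EntryPoint1": "Create"}, "Duty4": {"EntryPoint2": "Update"},
}
SOD_RULE1 = ("Duty1", "Duty2")                                      # duty level
SOD_RULE2 = (("EntryPoint1", "Create"), ("EntryPoint2", "Update"))  # entry point level

def role_permissions(role_duties):
    """Flatten a role's duties into effective entry point permissions,
    keeping the highest access level granted per entry point."""
    perms = {}
    for duty in role_duties:
        for ep, lvl in DUTIES[duty].items():
            if ACCESS_RANK[lvl] > ACCESS_RANK[perms.get(ep, "None")]:
                perms[ep] = lvl
    return perms

def violates_duty_rule(rule, role_duties):
    """Duty level: only the two named duties are segregated, so duties
    that repackage the same entry points slip through."""
    return rule[0] in role_duties and rule[1] in role_duties

def violates_entry_point_rule(rule, perms):
    """Entry point level: a combination is invalid only when BOTH entry
    points are held at or above the access level defined in the rule."""
    (ep1, lvl1), (ep2, lvl2) = rule
    return (ACCESS_RANK[perms.get(ep1, "None")] >= ACCESS_RANK[lvl1]
            and ACCESS_RANK[perms.get(ep2, "None")] >= ACCESS_RANK[lvl2])

def child_rules(set_a, set_b):
    """One entry point level child rule per combination of lines
    (entry point, access level) from two segregation security sets."""
    return list(product(set_a, set_b))

def check_role(role_duties):
    """(duty level rule violated?, entry point level rule violated?)"""
    perms = role_permissions(role_duties)
    return (violates_duty_rule(SOD_RULE1, role_duties),
            violates_entry_point_rule(SOD_RULE2, perms))

if __name__ == "__main__":
    # Duty3 + Duty4 bypass the duty level rule but not the entry point one.
    print(check_role({"Duty1", "Duty2"}))  # (True, True)
    print(check_role({"Duty3", "Duty4"}))  # (False, True)
```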

Activities

Name Responsible Description

Set up segregation of duties rules (enhanced)

Security administrator

You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.
With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level, on entry point level, and with segregation security sets.
With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely.
Complete the following procedure to create an enhanced segregation rule on one of these levels: duty, privilege, or entry point.

Verify compliance of user-role assignments (enhanced)

Security administrator

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-role assignments to verify whether user role assignments comply with new rules for enhanced segregation of duties. So, it verifies inter-role compliance and user-level validations.
A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. You must resolve all conflicts.
Complete the following procedure to identify conflicts.

Validate segregation of duties (enhanced)

Security administrator

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for enhanced segregation of duties. So, it validates intra-role compliance.
If any existing roles violate the selected rule, a message is shown that contains the name of the role and the names of the conflicting securable objects. You must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for enhanced segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply.

Use predefined segregation of duties rules (enhanced) on demand

Security administrator

You can set up segregation of duties rules (enhanced) to separate tasks that must be performed by different roles or users. With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level, on entry point level, and with segregation security sets.

On demand, a predefined set of segregation rules (enhanced) is available.

Predefined segregation rules

The set of segregation rules (enhanced) consists of:

  • Segregation security sets: The segregation security sets have lists of entry points.
  • Segregation of duty rules (enhanced): The segregation rules are based on segregation security sets or privileges.

The predefined segregation rules (enhanced) are mainly related to these functional areas:

  • Purchase
  • Sales
  • Production
  • Warehouse management

Import

You can import the predefined segregation of duties rules (enhanced) with the Data management import function.

To import the set of predefined segregation rules (enhanced):

  1. Create an import project.
  2. Add a file with source data format 'Package'.
  3. Upload the data file. As a result, these entities are added to the import project:
    • Segregation security sets
    • Segregation security set lines
    • Enhanced SoD rules
  4. Run the import project.

On import:

  1. The segregation security sets and lines are imported.
  2. The segregation rules (enhanced) are imported. These rules are set up for segregation security sets or for privileges.
  3. For each imported segregation rule that is set up for segregation security sets, child segregation rules are generated. A child segregation rule is generated for each combination of entry points, as defined in the two segregation security sets of the segregation rule.

Resolve segregation of duties conflicts (enhanced)

Security administrator

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If, on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator.

For each logged conflict, you can:

  • Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion.
  • Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field.
Complete the following procedure to view and resolve conflicts.

Set up segregation security sets

Security administrator

With the segregation rules (enhanced) functionality, you can use segregation security sets to generate entry point level segregation rules.

Use a segregation security set to list and group entry points for which segregation rules are desired. You can use these segregation security sets to set up segregation rules.

For each segregation rule with segregation security sets, child segregation rules are generated automatically. A child segregation rule is generated for each combination of entry points from the two segregation security sets of the segregation rule.
