1. Data Management
  2. Security and Compliance Studio
  3. Manage security
  4. Manage security scenarios and match roles

Match roles

You can search for a role that matches the security scenario. If no perfect match is found, you can create a role for the security scenario in several ways.
The match roles function gets the security configuration data from the latest snapshot.


Security administrator Security administrator The security administrator (SysSecSecurityAdministrator) maintains user and security setup in D365 F&SCM, grants the ability to create and maintain security roles, duties, and privileges and the ability to assign users to roles, define role assignment rules, and maintain data security policies. Create snapshot Create snapshot You create snapshots to be able to use Security and compliance studio functions, for example: Security explorer Match roles Compare snapshots Security role wizard Snapshot A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of: All securable objects: roles, duties, privileges, and entry points, with the related license type and access level. The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point. Snapshot creation You create a snapshot in these cases: The first time you want to explore the security configuration or match roles. Changes are made to the security configuration. So, these changes become available for the security explorer or match roles function. You want to compare the current security configuration with a previous security configuration. You are advised to create snapshots: In batch, if you frequently make changes to the security configuration. In the background, because the creation of a snapshot can take quite some time. Dynamic snapshot In the Security and compliance studio parameters, you can use the 'Enable dynamic snapshots' field to enable automatic updates of security configuration changes to the latest snapshot. So, no new snapshot is required each time you change the security configuration. Automatic updates of security configuration changes to the latest snapshot are done when you, for example: Publish changes. Approve security requests. Update or create a role with the wizard. Import security configurations. Assign users to roles. Note: If yo use dynamic snapshots, you are advised to create a snapshot regularly. You do so to ensure that no security inconsistencies occur and to create a safety net, Procedure 1. Click Security management. 2. Click the Snapshots tab. 3. Click Create snapshot. 4. Sub-task: Set recurrence and background processing. 5. Expand the Run in the background section. 6. Select Yes in the Batch processing field and fill in the other batch fields as required. 7. Click Recurrence and define the recurrence settings. 8. Click OK. 9. Click OK. Start Start Match security roles to security scenario Match security roles to security scenario Use match roles to match all securable objects, as defined in a security scenario, to security roles. In general, a match means that the securable object exists on the role with a given access level.   Which roles are a match, is defined by: The required access level for each securable object, as defined in the security scenario (only applicable for exact match).  How you match the security roles. The entry points as defined for the duties and privileges of each role. You can match roles in these ways: Exact match Only those security roles are a match that have the securable object with the required access level. Minimum/maximum match Only those security roles are a match that have the securable object with an access level that is in the range of the defined minimum access level and maximum access level. Each security role, with a match for at least one of the securable objects from the security scenario, is shown as a matched role. The matching degree of each matched security role indicates to what extent the role has matching entry points.   If you find a matched security role, you can assign users to it. Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. In the list, find and select the desired record. 4. Sub-task: Exact match. 5. Click Match roles. 6. Select Yes in the Match using access level information field. 7. Click Yes in the Search for unmatched entry points? field. 8. Click OK. 9. Sub-task: Minimum/maximum match. 10. Click Match roles. 11. Select No in the Match using access level information field. 12. Select Yes in the Use minimum access right in match? field. 13. In the Minimum rights field, select an option. 14. Select Yes in the Use maximum access right in match? field. 15. In the Maximum rights field, select an option. 16. Click OK. 17. Sub-task: Analyze matches. 18. On the Roles tab, the matched security roles are shown. For each security role, the matching degree indicates to what extent the role has matching entry points. 19. In the list, find and select the desired record. 20. On the Securable objects tab, the securable objects from the security scenario are shown. You can analyze how the selected role matches to the securable objects. 21. Sub-task: Assign users to role. 22. On the Roles tab, select a role. 23. Click Assign users to role. 24. On the Assign users to roles page, you can, for example: - Add a rule to automatically assign users to the security role. - Manually assign users to the security role. Note: The role assignment is validated for segregation of duties violations. Note: If enhanced segregation of duties rules are enabled, the role assignment is validated against the enhanced segregation of duties rules. 25. Close the page. 26. Close the page. Is the  latest snapshot  up-to-date? Is the  latest snapshot  up-to-date? Create segregation of duty Create segregation of duty You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. Complete the following procedure to create a rule from the Match roles page. Procedure 1. Click Security management. 2. Sub-task: Match roles. 3. Click the Scenarios tab. 4. In the list, find and select the desired record. 5. Click Match roles. 6. On the dialog, fill in the fields as required. 7. Click OK. 8. Sub-task: Create segregation of duties rule. 9. Go to the Matched duties tab. Note: If filled with different duties, you can also select the duties on the Duties that give access to the securable objects that cannot be accessed with the selected role tab. 10. In the list, find and select the first duty that is controlled by the rule. 11. In the list, find and select the second duty that is controlled by the rule. 12. Click Create SOD. 13. In the Name field, type a value. 14. In the Severity field, select an option. 15. In the Security risk field, type a value. 16. In the Security mitigation field, type a value. 17. Close the page. Duplicate role Duplicate role It is advisable to create a subset of security roles that are actually used in your company. This way, the security administrator has a better overview of the security roles that are used in your company. So, if a standard security role matches a scenario, you can create an exact copy of this standard security role and assign this copy to the applicable users. Procedure 1. Click Security management. 2. Sub-task: Match roles. 3. Click the Scenarios tab. 4. In the list, find and select the desired record. 5. Click Match roles. 6. On the dialog, fill in the fields as required. 7. Click OK. 8. Review the matched roles and the matching degree of these roles. 9. Sub-task: Duplicate role. 10. In the list, find and select the role with the best match. 11. Click Duplicate role. 12. In the Role Name field, type a value. Note: The default role name consists of these elements: - The prefix as defined in the Security and compliance studio parameters. - The name of the selected role. 13. In the Description field, type a value. 14. Click OK. Create segregation  of duty? Create segregation  of duty? Create role from scenario based on selected role and selected duties and/or privileges Create role from scenario based on selected role and selected duties and/or privileges If a partially matched security role is found, you can create a new security role based on the selected role and selected duties and/or privileges.  Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. In the list, find and select the desired record. 4. Sub-task: Match roles. 5. Click Match roles. 6. Decide on whether you want to do an exact match or minimum/maximum match and fill in the fields accordingly. 7. Select yes in the Search for unmatched entry points? field. 8. Click OK. 9. Sub-task: Select security role and duties and/or privileges. 10. On the Roles tab, in the list, select a partially matched role. 11. On the Duties that give access to the securable objects that cannot be accessed with the selected role tab, select the duties that you want to add to the new role. 12. On the privileges that give access to the securable objects that cannot be accessed with the selected role tab, select the privileges that you want to add to the new role. 13. Click Find matched entry points. 14. Sub-task: Create role. 15. Click Create role. 16. In the Role Name field, type a value. Note: The default role name consists of these elements: - The prefix as defined in the Security and compliance studio parameters. - The name of the selected role. 17. In the Description field, type a value. 18. You can create the new role with only the securable objects as defined in the security scenario. To do so, all other entry points of the selected role, duties, and privileges must be excluded. As a result, for each securable object type, a new privilege is created with the related securable objects and added to the new role. Select the Remove excess menu items check box. Note: The selected role, duties, and privileges, are not changed. Only the relevant entry points are copied from these entities and added to the new privileges. 19. Select the Use access level from recorded entry point check box. 20. Select the Add entry points outside privileges to new privilege check box. 21. Click OK. Note: Once the security role is created, it is validated automatically to verify if it complies with the segregation of duties rules. If enhanced segregation of duties rules are enabled, the role is validated against the enhanced segregation of duties rules. 22. Click Yes. 23. Close the page. Did you find  a role match? Did you find  a role match? Create role from scenario with selected duties Create role from scenario with selected duties If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched duties. So, you can create a specific security role, which is still based on the security scenario.   The matched duties have at least one of the securable objects from the scenario. In determining the match, the access level for the securable objects, as defined in the security scenario, are not considered.   Note that: A duty can be shown several times, for a different securable object. A securable object can be shown several times as it can be linked to several duties. For each entry, the related license types are shown. This information offers the opportunity to reduce license costs. You can search for and select the duties with the lowest license type.   Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. In the list, find and select the desired record. 4. Sub-task: Match roles. 5. Click Match roles. 6. Fill in the fields as desired. 7. Click OK. 8. Sub-task: Select matched duties. 9. On the Matched duties tab, select the duties that you want to use for the new role. 10. Click Find matched entry points. 11. Sub-task: Create security role. 12. Click Create role from duties. 13. In the Role Name field, type a value. Note: The default prefix for the role name is defined in the Security and compliance studio parameters. 14. In the Description field, type a value. 15. You can create the new role with only the securable objects as defined in the security scenario. To do so, all other entry points of the selected duties must be excluded. As a result, for each securable object type, a new privilege is created with the related securable objects and added to the new role. Select the Remove excess menu items check box. Note: The selected duties are not changed. Only the relevant entry points are copied from these duties and added to the new privileges. 16. Select the Use access level from recorded entry point check box. 17. Select the Add entry points outside privileges to new privilege check box. 18. Click OK. Note: Once the security role is created, it is validated automatically to verify if it complies with the segregation of duties rules. If enhanced segregation of duties rules are enabled, the role is validated against the enhanced segregation of duties rules. 19. Click Yes. 20. Close the page. Create  new role? Create  new role? Create role from scenario with selected privileges Create role from scenario with selected privileges If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched privileges. So, you can create a specific security role, which is still based on the security scenario. The matched privileges have at least one of the securable objects from the scenario. In determining the match, the access level for the securable objects, as defined in the security scenario, are not considered. Note that: A privilege can be shown several times, for a different securable object. A securable object can be shown several times as it can be linked to several privileges. For each entry, the related license types are shown. This information offers the opportunity to reduce license costs. You can search for and select the privileges with the lowest license type. Procedure 1. Click Security management. 2. Click the Scenarios tab. 3. Sub-task: Match roles. 4. In the list, find and select the desired record. 5. Click Match roles. 6. Fill in the fields as desired. 7. Click OK. 8. Sub-task: Select matched privileges. 9. On the Matched privileges tab, select the privileges that you want to use for the new role. 10. Click Find matched entry points. 11. Sub-task: Create security role. 12. Click Create role from privileges. 13. In the Role Name field, type a value. Note: The default prefix for the role name is defined in the Security and compliance studio parameters. 14. In the Description field, type a value. 15. You can create the new role with only the securable objects as defined in the security scenario. To do so, all other entry points of the selected privileges must be excluded. As a result, for each securable object type, a new privilege is created with the related securable objects and added to the new role. Select the Remove excess menu items check box. Note: The selected privileges are not changed. Only the relevant entry points are copied from these privileges and added to the new privileges. 16. Select the Use access level from recorded entry point check box. 17. Select the Add entry points outside privileges to new privilege check box. 18. Click OK. Note: Once the security role is created, it is validated automatically to verify if it complies with the segregation of duties rules. If enhanced segregation of duties rules are enabled, the role is validated against the enhanced segregation of duties rules. 19. Click Yes. 20. Close the page. End End Need to  duplicate a role? Need to  duplicate a role? No Yes Yes No Yes No Based on  existing  role Based on  selected  duties Based on  selected  privileges No Yes No

Activities

Name Responsible Description

Create snapshot

Security administrator

You create snapshots to be able to use Security and compliance studio functions, for example:

  • Security explorer
  • Match roles
  • Compare snapshots
  • Security role wizard

Snapshot

A snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:
  • All securable objects: roles, duties, privileges, and entry points, with the related license type and access level.
  • The associations between the securable objects: user-role, role-duty, role-privilege, duty-privilege, and privilege-entry point.

Snapshot creation

You create a snapshot in these cases:

  • The first time you want to explore the security configuration or match roles.
  • Changes are made to the security configuration. So, these changes become available for the security explorer or match roles function.
  • You want to compare the current security configuration with a previous security configuration.

You are advised to create snapshots:

  • In batch, if you frequently make changes to the security configuration.
  • In the background, because the creation of a snapshot can take quite some time.

Dynamic snapshot

In the Security and compliance studio parameters, you can use the 'Enable dynamic snapshots' field to enable automatic updates of security configuration changes to the latest snapshot. So, no new snapshot is required each time you change the security configuration.

Automatic updates of security configuration changes to the latest snapshot are done when you, for example:

  • Publish changes.
  • Approve security requests.
  • Update or create a role with the wizard.
  • Import security configurations.
  • Assign users to roles.

Note: If yo use dynamic snapshots, you are advised to create a snapshot regularly. You do so to ensure that no security inconsistencies occur and to create a safety net,

Match security roles to security scenario

Security administrator

Use match roles to match all securable objects, as defined in a security scenario, to security roles.

In general, a match means that the securable object exists on the role with a given access level.
 
Which roles are a match, is defined by:
  • The required access level for each securable object, as defined in the security scenario (only applicable for exact match). 
  • How you match the security roles.
  • The entry points as defined for the duties and privileges of each role.
You can match roles in these ways:
  • Exact match
    Only those security roles are a match that have the securable object with the required access level.
  • Minimum/maximum match
    Only those security roles are a match that have the securable object with an access level that is in the range of the defined minimum access level and maximum access level.
Each security role, with a match for at least one of the securable objects from the security scenario, is shown as a matched role. The matching degree of each matched security role indicates to what extent the role has matching entry points.
 
If you find a matched security role, you can assign users to it.

Create segregation of duty

Security administrator

 		You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. Complete the following procedure to create a rule from the Match roles page.

Duplicate role

Security administrator

It is advisable to create a subset of security roles that are actually used in your company. This way, the security administrator has a better overview of the security roles that are used in your company.

So, if a standard security role matches a scenario, you can create an exact copy of this standard security role and assign this copy to the applicable users.

Create role from scenario based on selected role and selected duties and/or privileges

Security administrator
If a partially matched security role is found, you can create a new security role based on the selected role and selected duties and/or privileges. 

Create role from scenario with selected duties

Security administrator

If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched duties. So, you can create a specific security role, which is still based on the security scenario.

 
The matched duties have at least one of the securable objects from the scenario. In determining the match, the access level for the securable objects, as defined in the security scenario, are not considered.
 
Note that:
  • A duty can be shown several times, for a different securable object.
  • A securable object can be shown several times as it can be linked to several duties.
  • For each entry, the related license types are shown.
This information offers the opportunity to reduce license costs. You can search for and select the duties with the lowest license type.
 

Create role from scenario with selected privileges

Security administrator

If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched privileges. So, you can create a specific security role, which is still based on the security scenario.
The matched privileges have at least one of the securable objects from the scenario. In determining the match, the access level for the securable objects, as defined in the security scenario, are not considered.
Note that:

  • A privilege can be shown several times, for a different securable object.
  • A securable object can be shown several times as it can be linked to several privileges.
  • For each entry, the related license types are shown.

This information offers the opportunity to reduce license costs. You can search for and select the privileges with the lowest license type.

Provide feedback