You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.
Name | Responsible | Description |
---|---|---|
Use predefined segregation of duties rules (enhanced) on demand | Security administrator | You can set up segregation of duties rules (enhanced) to separate tasks that must be performed by different roles or users. With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level, on entry point level, and with segregation security sets. On demand, a predefined set of segregation rules (enhanced) is available.<br>**Predefined segregation rules.** The set of segregation rules (enhanced) consists of:<br>The predefined segregation rules (enhanced) are mainly related to these functional areas:<br>**Import.** You can import the predefined segregation of duties rules (enhanced) with the Data management import function. To import the set of predefined segregation rules (enhanced):<br>On import: |
Set up segregation security sets | Security administrator | With the segregation rules (enhanced) functionality, you can use segregation security sets to generate entry point level segregation rules. Use a segregation security set to list and group entry points for which segregation rules are desired. You can use these segregation security sets to set up segregation rules. For each segregation rule with segregation security sets, child segregation rules are generated automatically. A child segregation rule is generated for each combination of entry points from the two segregation security sets of the segregation rule. |
Set up segregation of duties rules (enhanced) | Security administrator | You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.<br>With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level, on entry point level, and with segregation security sets.<br>With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely.<br>Complete the following procedure to create an enhanced segregation rule on one of these levels: duty, privilege, or entry point. |
Validate segregation of duties (enhanced) | Security administrator | You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for enhanced segregation of duties. So, it validates intra-role compliance.<br>If any existing roles violate the selected rule, a message is shown that contains the name of the role and the names of the conflicting securable objects. You must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for enhanced segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply. |
Verify compliance of user-role assignments (enhanced) | Security administrator | You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-role assignments to verify whether user role assignments comply with new rules for enhanced segregation of duties. So, it verifies inter-role compliance and user-level validations.<br>A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. You must resolve all conflicts. Complete the following procedure to identify conflicts. |
Resolve segregation of duties conflicts (enhanced) | Security administrator | You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If, on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator. For each logged conflict, you can: |
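The table above describes three mechanisms in prose: child rules generated from two segregation security sets (one per combination of entry points), intra-role validation (a single role containing both sides of a rule, which can be mitigated or fixed by changing the role), and user-level verification across all roles assigned to a user. The following Python model is an added illustration of those three checks; it is not the product's own code or data model, and every security set, entry point name, role, user and mitigation in it is a constructed sample value.

```python
"""Toy model of enhanced segregation-of-duties (SoD) rules.

Added illustration only; not the product's own code or data model.
All security sets, entry points, roles, users and mitigations below are
constructed sample values, not real security objects.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    """A segregation rule between two securable objects at one level."""
    name: str
    first: str
    second: str
    level: str  # "duty", "privilege" or "entry point"


def expand_security_set_rule(name, set_a, set_b):
    """Expand a rule defined on two segregation security sets into its child
    rules: one entry-point-level rule per combination of entry points."""
    return [
        Rule(f"{name} [{a} vs {b}]", a, b, "entry point")
        for a, b in product(set_a, set_b)
    ]


def validate_roles(rules, roles, mitigations=None):
    """Intra-role check: flag every role that contains both securable objects
    of a rule. Conflicts with a recorded mitigation are reported separately
    so the administrator still sees them but they are no longer open."""
    mitigations = mitigations or {}  # (role, rule name) -> mitigation text
    open_conflicts, mitigated = [], []
    for role, securables in roles.items():
        for rule in rules:
            if rule.first in securables and rule.second in securables:
                entry = (role, rule.name, rule.first, rule.second)
                if (role, rule.name) in mitigations:
                    mitigated.append(entry)
                else:
                    open_conflicts.append(entry)
    return open_conflicts, mitigated


def verify_user_assignments(rules, roles, assignments):
    """Inter-role / user-level check: combine the securable objects of all
    roles assigned to a user and flag rules whose two sides are both reachable,
    recording which roles grant each side."""
    conflicts = []
    for user, role_names in assignments.items():
        granted_by = {}  # securable object -> roles granting it to this user
        for role in role_names:
            for securable in roles[role]:
                granted_by.setdefault(securable, []).append(role)
        for rule in rules:
            if rule.first in granted_by and rule.second in granted_by:
                conflicts.append(
                    (user, rule.name, granted_by[rule.first], granted_by[rule.second])
                )
    return conflicts


# Constructed sample data (hypothetical entry points, roles and users).
RECEIVE_GOODS_SET = ("PurchReceiptRegister", "PurchReceiptPost")
PAY_VENDOR_SET = ("VendPaymentJournalCreate", "VendPaymentPost")
RULES = expand_security_set_rule(
    "Receive goods vs pay vendor", RECEIVE_GOODS_SET, PAY_VENDOR_SET
)

ROLES = {
    "Receiving clerk": {"PurchReceiptRegister", "PurchReceiptPost"},
    "Accounts payable clerk": {"VendPaymentJournalCreate", "VendPaymentPost"},
    # Holds both sides of one child rule: an intra-role violation.
    "Purchasing all-rounder": {"PurchReceiptRegister", "VendPaymentPost"},
}
ASSIGNMENTS = {
    "alice": ["Receiving clerk"],
    # Each role is clean on its own; together they violate every child rule.
    "bob": ["Receiving clerk", "Accounts payable clerk"],
    "carol": ["Accounts payable clerk"],
}


def run_example():
    """Run all three checks over the sample data and return their results."""
    open_conflicts, mitigated = validate_roles(RULES, ROLES)
    user_conflicts = verify_user_assignments(RULES, ROLES, ASSIGNMENTS)
    return RULES, open_conflicts, mitigated, user_conflicts


if __name__ == "__main__":
    rules, open_conflicts, mitigated, user_conflicts = run_example()
    print(f"{len(rules)} child rules generated from the two security sets")
    for role, rule, first, second in open_conflicts:
        print(f"role {role!r} violates {rule!r}: {first} and {second}")
    for user, rule, via_first, via_second in user_conflicts:
        print(f"user {user!r} violates {rule!r} via roles {via_first} and {via_second}")
```

The two checks deliberately differ in scope: `validate_roles` looks only inside one role definition, which is why a role like the sample "Receiving clerk" passes it, while `verify_user_assignments` flattens every role a user holds and therefore catches the combination of two individually clean roles. Passing a `mitigations` mapping to `validate_roles` moves a conflict from the open list to the mitigated list without changing the role, mirroring the choice between recording a mitigation and modifying the role.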