1. Data Management
  2. Security and Compliance Studio
  3. Flows

Manage segregation of duties
Activity Flow

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.

Security administrator Security administrator The security administrator (SysSecSecurityAdministrator) maintains user and security setup in D365 F&SCM, grants the ability to create and maintain security roles, duties, and privileges and the ability to assign users to roles, define role assignment rules, and maintain data security policies. Set up segregation of duties rules Set up segregation of duties rules You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. Complete the following procedure to create a rule. Procedure 1. Click Security management. 2. Sub-task: Create rule. 3. Click the Segregation rules tab. 4. Click New. 5. In the Name field, type a value. 6. In the First duty field, enter or select a value. 7. In the Second duty field, enter or select a value. 8. In the Severity field, select an option. 9. In the Security risk field, type a value. 10. In the Security mitigation field, type a value. 11. Close the page. 12. Sub-task: Create rule for preselected duties. 13. Click the Duties tab. 14. In the list, find and select the first duty that is controlled by the rule. 15. In the list, find and select the second duty that is controlled by the rule. 16. Click Create SOD. 17. In the Name field, type a value. 18. In the Severity field, select an option. 19. In the Security risk field, type a value. 20. In the Security mitigation field, type a value. 21. Close the page. Validate segregation of duties Validate segregation of duties You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for segregation of duties. So, it validates intra-role compliance. If any existing roles violate the selected rule, a message is displayed that contains the name of the role and the names of the conflicting duties. The security administrator must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply. Procedure 1. Click Security management. 2. Click the Segregation rules tab. 3. In the list, find and select the segregation of duties rule to be validated. 4. Click Validate duties and roles. Note: Check the resulting messages. If violations are indicated, solve these violations. Start Start Verify compliance of user-role assignments Verify compliance of user-role assignments You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-roles assignments to verify whether user role assignments comply with new rules for segregation of duties. So, it verifies inter-role compliance and user-level validations. A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. The security administrator must resolve all conflicts. Complete the following procedure to identify conflicts. Procedure 1. Click Security management. 2. Sub-task: Verify compliance of user-role assignments in batch. 3. Click Verify compliance of user-role assignments. 4. Expand the Run in the background section. 5. Select Yes in the Batch processing field. Note: If required, define other batch processing settings. 6. Click Recurrence and set up the recurrence pattern for the batch job. 7. Click OK. 8. Click OK. Note: Check the displayed messages. 9. Sub-task: Verify compliance of user-role assignments for a specific segregation of duties rule. 10. Click the Segregation rules tab. 11. In the list, find and select the segregation of duties rule to be verified. 12. Click Verify compliance of user-role assignments. Note: Check the displayed messages. Use predefined segregation of duties rules on demand Use predefined segregation of duties rules on demand You can set up segregation of duties rules to separate tasks that must be performed by different users. On demand, a predefined set of segregation of duties rules is available.These predefined segregation of duties rules are set up based on this risk identification matrix for several transaction types:You can upload the predefined segregation of duties rules in Data management. Do you want to  use predefined  segregation of  duties rules? Do you want to  use predefined  segregation of  duties rules? Resolve segregation of duties conflicts Resolve segregation of duties conflicts You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator. For each logged conflict, you can: Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion. Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field. Complete the following procedure to view and resolve conflicts. Procedure 1. Click Security management. 2. Click the Segregation of duties rules tab. 3. Sub-task: Deny assignment. 4. In the Segregation of duties rules list, find and select the desired record. 5. In the Conflicts list, find, select, and review a conflict. 6. Click Deny assignment. 7. In the Select the role to exclude the user from field, select an option. 8. Click OK. 9. Sub-task: Allow assignment. 10. In the Segregation of duties rules list, find and select the desired record. 11. In the Conflicts list, find, select, and review a conflict. 12. Click Allow assignment. 13. In the Reason for override field, type a value. 14. Click OK. Are conflicts logged? Are conflicts logged? End End Yes No Yes No

Activities

Name Responsible Description

Set up segregation of duties rules

Security administrator
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. Complete the following procedure to create a rule.

Validate segregation of duties

Security administrator

 		You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for segregation of duties. So, it validates intra-role compliance.
If any existing roles violate the selected rule, a message is displayed that contains the name of the role and the names of the conflicting duties. The security administrator must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply.

Verify compliance of user-role assignments

Security administrator

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-roles assignments to verify whether user role assignments comply with new rules for segregation of duties. So, it verifies inter-role compliance and user-level validations.

A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. The security administrator must resolve all conflicts. Complete the following procedure to identify conflicts.

Use predefined segregation of duties rules on demand

Security administrator

You can set up segregation of duties rules to separate tasks that must be performed by different users. On demand, a predefined set of segregation of duties rules is available.

These predefined segregation of duties rules are set up based on this risk identification matrix for several transaction types:


You can upload the predefined segregation of duties rules in Data management.

Resolve segregation of duties conflicts

Security administrator

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator.

For each logged conflict, you can:

  • Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion.
  • Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field.
Complete the following procedure to view and resolve conflicts.

Activities

Name Responsible Description

Set up segregation of duties rules

Security administrator
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. Complete the following procedure to create a rule.

Validate segregation of duties

Security administrator

 		You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Validate segregation of duties to verify whether existing roles comply with new rules for segregation of duties. So, it validates intra-role compliance.
If any existing roles violate the selected rule, a message is displayed that contains the name of the role and the names of the conflicting duties. The security administrator must either indicate the mitigation for the security risk or modify the role so that it does not violate the rules for segregation of duties. If no roles violate the selected rule, a message indicates that all roles comply.

Verify compliance of user-role assignments

Security administrator

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. Use Verify compliance of user-roles assignments to verify whether user role assignments comply with new rules for segregation of duties. So, it verifies inter-role compliance and user-level validations.

A notification displays the results of the validation. When the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. The security administrator must resolve all conflicts. Complete the following procedure to identify conflicts.

Use predefined segregation of duties rules on demand

Security administrator

You can set up segregation of duties rules to separate tasks that must be performed by different users. On demand, a predefined set of segregation of duties rules is available.

These predefined segregation of duties rules are set up based on this risk identification matrix for several transaction types:


You can upload the predefined segregation of duties rules in Data management.

Resolve segregation of duties conflicts

Security administrator

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator.

For each logged conflict, you can:

  • Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion.
  • Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field.
Complete the following procedure to view and resolve conflicts.
Related to Notes

Manage segregation of duties (enhanced)

 		 

Manage segregation of duties

 		 

Manage segregation of duties

 		 

See also

Provide feedback