Flows

Flow Description

Audit security history

In the Security and compliance studio, you can audit the security configuration in several ways. You can also generate a security history log report for audit or other compliance requirements.

Compose security scenarios

You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks.

Explore security configuration

You can explore the security configuration for:
  • Each level in the security configuration.
  • Each page in Dynamics 365 for Finance and Operations.
You can use this, for example, to see if you can lower the license type for a user to reduce license cost.
The security explorer gets the security configuration data from the latest snapshot.

Manage security requests

Use security requests to register any required changes in the security setup.
You can create a security request in these ways:
  • As a system user, you can create a security request from any page.
  • In Security and compliance studio, you can create security requests from the Security management workspace.
Usually, a security request is approved by the security manager and implemented by the security administrator.

Manage security scenarios and match roles

You can use security scenarios to record and define all securable objects and related access levels that are required for a user to perform one or more tasks.
You can create a security role in several ways. In the Security and compliance studio, you can record the working tasks for a target user. The recording results are stored in a security scenario. You can use this security scenario to fine-tune all securable objects and related access levels that are required for the target user to perform the working tasks.
If the security scenario is complete, you can search for a role that matches the security scenario. If no perfect match is found, you can create a security role for the security scenario in several ways. You can link the matched or new security role to the applicable users.

Manage segregation of duties

You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.

Manage segregation of duties (enhanced)

You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies.

Why consider using the enhanced segregation rules? With the enhanced segregation rules, you can define segregation rules not only on duty level, but also on privilege level, on entry point level, and with segregation security sets.
With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely.
If you use enhanced segregation rules, the related validation and verification of user-role compliance is done on the defined level.
Example:
SoD-rule1 segregates Duty1 and Duty2, so these duties cannot be linked to the same role or users (for example, Role1).
Using the entry points of Duty1, a new duty is created: Duty3.
Using the entry points of Duty2, a new duty is created: Duty4.
As SoD-rule1 does not segregate Duty3 and Duty4, both can be linked to Role1. This gives Role1 all rights as defined by Duty1 and Duty2, which is not allowed by SoD-rule1.
SoD-rule2 segregates EntryPoint1 and EntryPoint5. By defining the segregation on entry point level, Duty3 and Duty4 are not allowed together for Role1.
[Figure: Segregation on duty level only]
[Figure: Segregation on entry point level]
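
The example above as a runnable check, added here as an illustration and not code from Security and compliance studio. It assumes that Duty1 grants EntryPoint1 and Duty2 grants EntryPoint5; EntryPoint2, EntryPoint6 and the function names are constructed for the example.

```python
# Added example: SoD rule evaluation on duty level versus entry point level.
# All data is constructed; it does not come from Security and compliance studio.

# Assumption: Duty1 grants EntryPoint1 and Duty2 grants EntryPoint5. The page
# names only those two entry points; EntryPoint2 and EntryPoint6 are constructed.
DUTY_ENTRY_POINTS = {
    "Duty1": {"EntryPoint1", "EntryPoint2"},
    "Duty2": {"EntryPoint5", "EntryPoint6"},
}
# Duty3 and Duty4 are new duties built from the entry points of Duty1 and Duty2.
DUTY_ENTRY_POINTS["Duty3"] = set(DUTY_ENTRY_POINTS["Duty1"])
DUTY_ENTRY_POINTS["Duty4"] = set(DUTY_ENTRY_POINTS["Duty2"])

# rule name -> (level, first segregated object, second segregated object)
RULES = {
    "SoD-rule1": ("duty", "Duty1", "Duty2"),
    "SoD-rule2": ("entry_point", "EntryPoint1", "EntryPoint5"),
}


def granted_by(obj, level, duties):
    """Return the sorted duties of a role that grant obj on the given level."""
    if level == "duty":
        return sorted(d for d in duties if d == obj)
    return sorted(d for d in duties if obj in DUTY_ENTRY_POINTS[d])


def check_role(duties, rules=RULES):
    """Return {rule name: {object: [granting duties]}} for every violated rule."""
    findings = {}
    for name, (level, first, second) in rules.items():
        sources = {obj: granted_by(obj, level, duties) for obj in (first, second)}
        # A rule is violated only when the role holds both segregated objects.
        if all(sources.values()):
            findings[name] = sources
    return findings


if __name__ == "__main__":
    role1 = ["Duty3", "Duty4"]  # Role1 linked to the rebuilt duties
    print("duty-level rule only:", check_role(role1, {"SoD-rule1": RULES["SoD-rule1"]}))
    print("with entry point rule:", check_role(role1))
```

The findings name the duties that grant each conflicting entry point, which is the information a reviewer needs to decide which duty to unlink from the role.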

Manage stand-ins

You can appoint a user as a stand-in for another user for a specified period. For example, if a user is on vacation, you can appoint a stand-in for the vacation period. For auditing purposes, you cannot delete stand-in records with periods in the past.

Match roles

You can search for a role that matches the security scenario. If no perfect match is found, you can create a role for the security scenario in several ways.
The match roles function gets the security configuration data from the latest snapshot.

Merge security roles

You can merge existing security roles into another existing security role or a new security role.
