Segregation of Duties (SOD) End to End Setup and Security Control in Microsoft Dynamics 365 Finance and Operations
Dear Microsoft BizApps Community,
Welcome to the next post in my security framework series. This article covers segregation of duties; the concept is explained below.
Concept
Segregation of duties (SOD) means splitting a sensitive process across more than one person so that no single person can both commit and conceal a fraud. For example, you would not want the same person to create a vendor record and its bank details and also to process payments to that vendor. Segregation of duties reduces the risk of fraud, helps you detect errors or irregularities, and lets you enforce internal control policies.
In other words, we define pairs of duties that must not be assigned to the same role, nor to the same user through different roles.
Let’s explore this feature in detail in Microsoft Dynamics 365 Finance and Operations.
Configurations
Navigate to System administration > Security > Segregation of duties.
This area contains four forms (Segregation of duties rules, Segregation of duties conflicts, Segregation of duties unresolved conflicts, and Verify compliance of user-role assignments); each is discussed in this post.
The scenario configured here is that the duties “Maintain vendor master” and “Maintain vendor payments” must not be assigned to the same role or to the same user. We enforce this with a duty conflict rule.
The main configuration is done in the “Segregation of duties rules” form. Each rule has the following fields:
Name: a unique, descriptive name so the rule can be identified later.
First duty: the first duty of the pair; in our case, Maintain vendor master.
Second duty: the second duty of the pair; in our case, Maintain vendor payments.
If both duties are assigned to one role, that role is in conflict.
If a user holds both duties through two or more roles, that user is in conflict.
Severity: High, Medium, or Low, chosen according to how serious the business judges the conflict to be.
Security risk: free text describing the risk the rule addresses.
Security mitigation: free text recording the mitigation to apply if the conflict is overridden, for reference when the conflict is resolved.
Save the rule; the configuration is complete.
Security Control
With the rules in place, three types of check are available.
- Validate duties and roles: checks every role and reports any role to which both duties of a rule are assigned.
In our case, if both ‘Maintain vendor master’ and ‘Maintain vendor payments’ are assigned to a role, the system reports a conflict and names the role(s) that contain both duties.
- Verify compliance of user-role assignments: checks every user and reports any user whose assigned roles, taken together, carry both the first and the second duty of a rule.
To run it, select “Verify compliance of user-role assignments with rules for segregation of duties” and run it.
When the run completes, the conflicts found are reported as notifications in the Action center, and the same user conflicts are listed in the “Segregation of duties conflicts” form.
- Check at assignment time: the third control runs while roles are being assigned to users.
When the role being assigned, combined with a role the user already holds, contains a duty pair covered by a rule, the system reports the conflict and asks whether we want to allow it.
If we click No, the system does not assign the role that causes the conflict.
If we click Yes, a form opens where we can either allow or deny the assignment.
If we select “Allow assignment”, we must enter a “Reason for override”, because we are intentionally overriding the rule we configured. Once the reason is entered, the role is assigned.
The conflict is then shown in the “Segregation of duties conflicts” form together with its resolution and the override reason we entered.
All unresolved conflicts are listed in the “Segregation of duties unresolved conflicts” form, and they can be resolved from there in the same way, by allowing or denying the assignment.
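As an added example (not part of the original post and not Microsoft's implementation), the following Python models the rule definition and the three checks described above: the role-level check, the user-level check across roles, and the assignment-time prompt with its allow/deny resolution and mandatory override reason. The rule mirrors the post's scenario; the role names, their duty contents, and the user assignments are constructed for the example and are not the standard D365 roles.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class SodRule:
    """One row of the 'Segregation of duties rules' form."""
    name: str
    first_duty: str
    second_duty: str
    severity: str                   # "High", "Medium" or "Low"
    security_risk: str = ""         # free text
    security_mitigation: str = ""   # free text, consulted when a conflict is resolved


@dataclass
class Conflict:
    """One row of the 'Segregation of duties conflicts' form."""
    rule: str
    user: Optional[str]             # None for a role-level conflict (check 1)
    roles: Tuple[str, ...]          # role(s) that together carry both duties
    resolution: str = "Unresolved"  # "Allowed", "Denied" or "Unresolved"
    override_reason: str = ""


RoleDuties = Dict[str, Sequence[str]]   # role -> duties assigned to it
UserRoles = Dict[str, List[str]]        # user -> roles assigned to them


def validate_roles(rules: Sequence[SodRule], role_duties: RoleDuties) -> List[Conflict]:
    """Check 1, 'Validate duties and roles': both duties of a rule inside one role."""
    found: List[Conflict] = []
    for rule in rules:
        for role, duties in role_duties.items():
            if rule.first_duty in duties and rule.second_duty in duties:
                found.append(Conflict(rule.name, None, (role,)))
    return found


def verify_user_assignments(rules: Sequence[SodRule], role_duties: RoleDuties,
                            user_roles: UserRoles) -> List[Conflict]:
    """Check 2, 'Verify compliance of user-role assignments': the duties a user
    accumulates across all assigned roles contain both duties of a rule."""
    found: List[Conflict] = []
    for rule in rules:
        for user, roles in user_roles.items():
            first = {r for r in roles if rule.first_duty in role_duties.get(r, ())}
            second = {r for r in roles if rule.second_duty in role_duties.get(r, ())}
            if first and second:
                found.append(Conflict(rule.name, user, tuple(sorted(first | second))))
    return found


Decision = Callable[[List[Conflict]], Tuple[bool, str]]   # (allow?, reason for override)


def assign_role(rules: Sequence[SodRule], role_duties: RoleDuties, user_roles: UserRoles,
                user: str, new_role: str, decide: Optional[Decision] = None) -> List[Conflict]:
    """Check 3, at assignment time: simulate adding new_role; if that creates a
    conflict with roles the user already holds, ask `decide` whether to allow
    the assignment (which needs a reason) or deny it.  No `decide` means 'No'
    at the prompt, so the role is not assigned.  Returns the conflicts found."""
    trial = {user: list(user_roles.get(user, [])) + [new_role]}
    found = [c for c in verify_user_assignments(rules, role_duties, trial)
             if new_role in c.roles]
    if not found:
        user_roles.setdefault(user, []).append(new_role)
        return found
    allow, reason = decide(found) if decide else (False, "")
    if allow and not reason.strip():
        raise ValueError("'Allow assignment' requires a Reason for override")
    for c in found:
        c.resolution = "Allowed" if allow else "Denied"
        c.override_reason = reason if allow else ""
    if allow:
        user_roles.setdefault(user, []).append(new_role)
    return found


def unresolved(conflicts: Sequence[Conflict]) -> List[Conflict]:
    """Rows that belong in 'Segregation of duties unresolved conflicts'."""
    return [c for c in conflicts if c.resolution == "Unresolved"]


# Constructed sample data: the rule mirrors the post's scenario; the role names
# and their duty contents are hypothetical, not the standard D365 roles.
RULES = [SodRule("Vendor master vs vendor payments",
                 "Maintain vendor master", "Maintain vendor payments", "High",
                 security_risk="One person could create a vendor and pay it",
                 security_mitigation="Split vendor maintenance and payment runs")]
ROLE_DUTIES: RoleDuties = {
    "AP clerk": ["Maintain vendor master", "Inquire into vendor status"],
    "AP payments clerk": ["Maintain vendor payments"],
    "AP manager": ["Maintain vendor master", "Maintain vendor payments"],  # role-level conflict
}

if __name__ == "__main__":
    users: UserRoles = {"alice": ["AP clerk"], "bob": ["AP clerk", "AP payments clerk"]}
    for c in validate_roles(RULES, ROLE_DUTIES) + verify_user_assignments(RULES, ROLE_DUTIES, users):
        print(c)
    # Assignment-time prompt: one override with a reason, then one answered 'No'.
    print(assign_role(RULES, ROLE_DUTIES, users, "alice", "AP payments clerk",
                      decide=lambda cs: (True, "Temporary cover during audit")))
    print(assign_role(RULES, ROLE_DUTIES, {"carol": ["AP clerk"]}, "carol", "AP payments clerk"))
```

The assignment-time check reuses the user-level check on a trial copy of the user's roles and keeps only conflicts that involve the role being added, which is why a pre-existing conflict between roles the user already holds does not block an unrelated assignment; that pre-existing conflict still surfaces in the batch run.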
With this process in place, the business has a robust control in its security framework that helps prevent fraud and strengthens internal control over its security policies. Two practical points: the rules are evaluated at the duty level, so access a role receives through directly assigned privileges rather than duties is not checked, and every allowed override carries a reason that should be reviewed periodically rather than treated as permanent.
That’s it for this article, thanks for reading.
Happy days