Segregation of duties is a security practice that can help prevent breaches and protect an organisation's data. It is an internal control intended to prevent or reduce the occurrence of innocent errors and intentional fraud. It works by ensuring that no single individual holds a conflicting combination of access rights within one business transaction, for example the ability both to enter a vendor invoice and to release the payment for it.
Segregation of duties helps reduce the risk of fraud, and it also helps detect errors or irregularities. Companies can use segregation of duties to enforce internal control policies.
In Dynamics 365
Dynamics 365 Finance and Supply Chain Management provides a Segregation of Duties capability as part of its standard User Security offering.
A rule is defined by selecting two security duties that should not be held by the same person. When compliance is verified, the security roles assigned to every user (together with the duties and privileges those roles contain) are examined, and any user whose assigned roles together grant both duties of a rule is reported.
To define these rules, navigate to System administration > Security > Segregation of duties > Segregation of duties rules. You must be a system administrator to complete the procedure.
Create a new rule and give it a name. Select the first duty to check, then select the second duty that conflicts with it. Set the Severity property (the risk level) to Low, Medium, or High. Finally, enter a Security mitigation value describing the action to take when a violation occurs.
Once the rule is saved, click Validate duties and roles at the top of the page. This checks the existing security roles against the rule and reports any role that already contains both of the conflicting duties; such a role would violate the rule for every user it is assigned to.
Once the rules are in place, verify the compliance of the current user-role assignments. Navigate to System administration > Security > Segregation of duties > Verify compliance of user-role assignments and click OK to run the process. It checks every user's role assignments against the rules and produces a list of conflicts, each of which can then be allowed or denied.
After the process has run, navigate to System administration > Security > Segregation of duties > Segregation of duties conflicts to review the results. Each identified conflict can be allowed or denied, and a reason is required for any override before you can proceed. Allowing a conflict accepts the risk rather than removing it, so the recorded reason should refer to the compensating control named in the rule's Security mitigation, and the verification should be re-run whenever roles or rules change.
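The three steps above (validating the rules against roles, verifying user-role assignments, and allowing or denying each conflict with a mandatory reason) amount to a small, general algorithm. The following Python script is an added example that is not Dynamics 365 code and does not reproduce the product's own logic; the role, duty and user names are constructed sample data, and the function names are this example's own. It traces each conflict back to the roles that grant each duty, which is what you need when deciding whether to deny the assignment or record a mitigation.

```python
"""Generic segregation-of-duties check over user-role assignments.

Added example, not Dynamics 365 code. All role, duty, user and rule names
below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One SoD rule: two duties that the same person must not hold together."""
    name: str
    first_duty: str
    second_duty: str
    severity: str          # "low", "medium" or "high"
    mitigation: str        # action to take when a violation occurs


@dataclass
class Conflict:
    """A user who holds both duties of a rule, with the roles granting each duty."""
    user: str
    rule: Rule
    roles_for_first: Set[str]
    roles_for_second: Set[str]
    status: str = "open"   # "open", "allowed" or "denied"
    reason: str = ""


# Constructed sample data (hypothetical names, not a real tenant).
ROLE_DUTIES: Dict[str, Set[str]] = {
    "Accounts payable clerk": {"Maintain vendor invoices", "Maintain vendor master"},
    "Accounts payable manager": {"Approve vendor invoices", "Maintain vendor master"},
    "Treasurer": {"Process vendor payments"},
    "Purchasing agent": {"Maintain purchase orders"},
    "Vendor onboarding": {"Maintain vendor master", "Process vendor payments"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"Accounts payable clerk"},
    "bob": {"Accounts payable clerk", "Treasurer"},
    "carol": {"Accounts payable manager", "Purchasing agent"},
}
RULES: List[Rule] = [
    Rule("Invoice entry vs payment", "Maintain vendor invoices", "Process vendor payments",
         "high", "Second approver on every payment journal"),
    Rule("Vendor master vs payment", "Maintain vendor master", "Process vendor payments",
         "high", "Monthly review of vendor bank account changes"),
    Rule("Vendor master vs purchasing", "Maintain vendor master", "Maintain purchase orders",
         "medium", "Quarterly review of new vendors used on purchase orders"),
]


def validate_duties_and_roles(rules: List[Rule],
                              role_duties: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Role-level check: a single role that grants both duties of a rule violates
    the rule for every user it is assigned to, so report (role, rule) pairs first."""
    found = []
    for role, duties in role_duties.items():
        for rule in rules:
            if rule.first_duty in duties and rule.second_duty in duties:
                found.append((role, rule.name))
    return found


def duties_with_roles(user: str, user_roles: Dict[str, Set[str]],
                      role_duties: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map each duty the user effectively holds to the roles that grant it."""
    held: Dict[str, Set[str]] = {}
    for role in user_roles.get(user, set()):
        for duty in role_duties.get(role, set()):
            held.setdefault(duty, set()).add(role)
    return held


def verify_compliance(rules: List[Rule], user_roles: Dict[str, Set[str]],
                      role_duties: Dict[str, Set[str]]) -> List[Conflict]:
    """User-level check: flag every user whose assigned roles together grant
    both duties of a rule, even when each duty comes from a different role."""
    conflicts = []
    for user in sorted(user_roles):
        held = duties_with_roles(user, user_roles, role_duties)
        for rule in rules:
            if rule.first_duty in held and rule.second_duty in held:
                conflicts.append(Conflict(user, rule, held[rule.first_duty],
                                          held[rule.second_duty]))
    return conflicts


def resolve_conflict(conflict: Conflict, allow: bool, reason: str) -> Conflict:
    """Allow or deny a flagged assignment; an override is refused without a reason."""
    if not reason.strip():
        raise ValueError("a reason is required to allow or deny a conflict")
    conflict.status = "allowed" if allow else "denied"
    conflict.reason = reason.strip()
    return conflict


def summarize(conflicts: List[Conflict]) -> List[Tuple[str, str, str]]:
    """Compact (user, rule, severity) view of a conflict list."""
    return [(c.user, c.rule.name, c.rule.severity) for c in conflicts]


if __name__ == "__main__":
    for role, rule_name in validate_duties_and_roles(RULES, ROLE_DUTIES):
        print(f"role-level violation: {role!r} contains both duties of {rule_name!r}")
    for c in verify_compliance(RULES, USER_ROLES, ROLE_DUTIES):
        print(f"{c.user}: {c.rule.name} [{c.rule.severity}] via "
              f"{sorted(c.roles_for_first)} + {sorted(c.roles_for_second)}; "
              f"mitigation: {c.rule.mitigation}")
```

In the sample data, bob triggers two high-severity rules because the clerk role and the treasurer role each contribute one duty, while the Vendor onboarding role is caught at the role level before any user is examined. Resolving a conflict with an empty or whitespace-only reason raises an error, mirroring the product's requirement that every override be justified.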