This post will unwrap the Segregation of Duty sub-menu in Dynamics along with a discussion on SOX Compliance.
There are 4 menu items:
- Segregation of duties rules. This is where you maintain SOD rules. There is also a button to validate the duties and roles against a rule. It's best to know the name of the duties you want to put in your rule first.
- Segregation of duties conflicts. After running the Verify compliance of user-role assignments menu item, all conflicts found will stored in a table here to then resolve. From this menu, you can decide to allow or deny the assignment. If you choose to allow the conflict, you need to enter in an override reason.
- Segregation of duties unresolved conflicts. This will show those conflicts that have NOT been allowed. Maintenance of the remaining conflicts can be done here.
- Verify compliance of user-role assignments. This menu item will parse through all defined SOD rules and user assignments. Any user that has a conflict will be reported in a log and results stored in a table.
Let's walk through an example.
The below compliance rule created using menu item Segregation of duties rules which states that you don't want someone that can create or maintain sales orders (Duty Maintain sales order entered into field First duty) to be able to ship a sales order (Duty Approve shipping operations into field Second duty). The reason is that then an employee could steal company products which you enter into field Security risk. If you allow some individuals to have this conflict in the system, then you can note what your mitigating process is into field Security mitigation. Below is the completed rule in AX and validation run showing no roles out of compliance:
Below is an example of a rule defined and one that has conflicts in roles that exist in the system. Likely the roles reported should be corrected, otherwise anyone that has the role will be in conflict.
Now let's run the verification of user-roles using menu item Verify compliance of user-role assignments. To simplify run, the example is assuming only the first rule is loaded.
These infolog message are also stored in the SOD conflicts table. Go to either the Segregation of duties conflicts or Segregation of duties unresolved conflicts menu item to resolve the conflicts.
If you want to Allow assignment, you will need to enter why you are override the rule:
Or if you Deny assignment, you will need to select the role to exclude:
AX will log the actions taken in the SOD conflicts table. Note the 2 conflicts that were address. The first line is noted with a Resolution of "Override" with a Reason for override of "Only user at this location.". The fourth line is noted a Resolution of "Exclude".
Using the Segregation of duties unresolved conflicts menu, AX filter only the conflicts that have not yet been addressed. From here you can process each conflict, as you resolve each conflict it will be removed from this menu.
A few additional words about the limitation of this function. In the above example, the rule was trying to discern who had the ability to ship a sales order and determine if they could maintain sales order. This really needs come down to the privilege. The privilege that actually performs the shipment in AX is Process sales packing slip which is in other duties, one duty is Maintain sales packing slip. To perform complete SOD compliance, you would need to create multiple rules for every duty that had this privilege! It can become quite onerous!