D365 Finance & Operations and Dynamics AX Forum

  • 1.  AX2012 R3 - Segregation of Duties

    Posted Aug 20, 2018 05:25 AM
    Hi

    Does anyone have any experience of using Segregation of Duties within AX and could explain how it works, what the benefits of using it are, and whether there are any drawbacks?

    AX - Segregation of Duties
    If there are any links to demos or documentation it would be appreciated.

    Thanks
    Andrea

    ------------------------------
    Andrea Warner
    Domino's Pizza Group PLC
    ------------------------------


  • 2.  RE: AX2012 R3 - Segregation of Duties

    Posted Aug 20, 2018 11:06 AM
    Andrea,
    SOD in AX is designed to help companies identify and prevent previously identified privilege conflicts. For example, a user should not be able to create a vendor and then place a PO. The last time I checked, there are no templates available from Microsoft for the rule creation, it is on the company to define them. Your partner may have some predefined templates, but since most companies have a different idea of what SOD means, templates are scarce. Obviously if you are looking for SOX compliance or something similar then it is easy to define and that may be where a partner has a template.
    The benefits of using it are that it is free and works at the system level, so it will not only allow you to audit compliance, it will alert you any time you change a user's role that would cause a conflict. Conflicts can be overridden and documented so auditors can see the reason behind the exception.
    From a downside perspective, you need to have a pretty good understanding of the security setup in AX in order to be able to add rules. If you have a lot of rules, this can be very time consuming. The other big drawback - and this one has prevented most companies I know who need SOD from using the built-in functionality - is that the audit data is stored in the same database that is being audited. Someone with sysadmin access can alter the logs. Most auditors will not accept this kind of setup.
    There are other companies that provide similar functionality that auditors will accept and have templates (like Fastpath), but that will up the cost.
    So, if you are looking to self-audit and have no compliance to meet, it can be a great solution to help prevent conflicts. If you have external auditors that you need to work with, step one should be to confirm that they will accept the logging location.
    The only Microsoft documentation I know of is pretty limited. Your partner may have more. The Microsoft doc can be found at Set up segregation of duties:
    "For duties that are typically separated, separate sample roles and default duties are included with Microsoft Dynamics AX. By default, no rules are set up for segregation of duties."

    Hope that helps!

    ------------------------------
    Scott Morley

    ------------------------------



  • 3.  RE: AX2012 R3 - Segregation of Duties

    MICROSOFT MVP
    Posted Aug 21, 2018 09:31 AM
    Hi Andrea,

    Just to add on to what Scott has already said:

    1) The SOD tool from Microsoft is done at the duty level (within the role -> duty -> privilege hierarchy). So basically you set up rules that a user should not have access to duty 1 and duty 2; if they do, that would be considered a conflict.
    2) As Scott mentioned, there are no out-of-the-box rules from Microsoft, so that will have to be done by the end user.
    3) It is a preventative control which means that once the rule is set up, a user cannot be assigned a role that would cause an SOD conflict. While this might sound like a good idea, in smaller companies/or departments within companies people normally wear multiple hats/have multiple responsibilities and sometimes those cause SOD conflicts. This can lead to either a company not implementing a rule they know they should have because it stops a user from performing their tasks or just not using the SOD tool at all.
    4) Because it is done at the duty level, any changes to security done at the duty or privilege level will require that you revalidate your entire SOD ruleset to see if you created new conflicts or removed conflicts based on your security changes. If this is not done, it can lead to false positives and false negatives in your SOD reports.

    Depending on your SOD/audit requirements the above information might be OK for your use case or it might require you look at another solution.

    Feel free to reach out with any questions you might have about this tool or SOD/audit in general.

    ------------------------------
    Alex Meyer
    Director of Dynamics AX/365 for Finance & Operations Development
    Fastpath
    Des Moines, IA
    ------------------------------



  • 4.  RE: AX2012 R3 - Segregation of Duties

    D365UG/AXUG ALL STAR
    Posted Aug 21, 2018 12:06 PM
    Hi Andrea,

    I have an article on my blog that describes the Microsoft functionality. Here is the link: AX 2012 Security Unwrapped Series - SOX Compliance
    "This post will unwrap the Segregation of Duty sub-menu in Dynamics along with a discussion on SOX Compliance. The Segregation of duties sub-menu in Dynamics AX 2012 is under System Administration > Setup > Security menu. It provides functions to set up SOD rules; however, it is limited to setting up rules using the AX 2012 security duties."

    Check it out and leave a comment there if you like. The downside to the Microsoft functionality is that it is limited to comparing Duties, which in some cases can be too broad and won't catch all conflicts. It would be better if it could work at the privilege level...

    I'll be at Summit if you want to chat. I am also teaching a class on AX2012 security as a part of the pre-academy courses.


    ------------------------------
    GG Rowe, PMP
    IT Applications and Project Manager
    Planar Systems Inc.
    Hillsboro OR
    ------------------------------
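The duty-pair model Scott, Alex and GG describe above, as an added illustration that is not code from this thread, from Microsoft or from Fastpath: a toy SOD checker with the preventative role-assignment check (Alex's point 3), the detective conflict report, and the duty-level blind spot that Alex's point 4 and GG's privilege-level remark refer to. All role, duty and privilege names are constructed.

```python
# Added example (not Microsoft's or Fastpath's code): a toy model of the
# AX 2012 duty-level SOD check. Role, duty and privilege names are constructed.

# Security hierarchy: role -> duties -> privileges.
DUTY_PRIVILEGES = {
    "MaintainVendors": {"VendTableCreate", "VendTableEdit"},
    "CreatePurchaseOrders": {"PurchTableCreate"},
    "ApproveVendorInvoices": {"VendInvoiceApprove"},
}
ROLE_DUTIES = {
    "Buyer": {"CreatePurchaseOrders"},
    "VendorClerk": {"MaintainVendors"},
    "APManager": {"MaintainVendors", "ApproveVendorInvoices"},
}
# SOD rules as the tool stores them: pairs of duties one user must not hold.
SOD_RULES = [("MaintainVendors", "CreatePurchaseOrders"),
             ("MaintainVendors", "ApproveVendorInvoices")]
# A finer privilege-level rule, used to show what duty-level rules miss.
PRIV_RULES = [("VendTableCreate", "PurchTableCreate")]

def user_duties(roles, role_duties=ROLE_DUTIES):
    """All duties a user holds through the given roles."""
    return set().union(*(role_duties[r] for r in roles))

def duty_conflicts(roles, rules=SOD_RULES, role_duties=ROLE_DUTIES):
    """Detective check: the duty-pair rules violated by this set of roles."""
    duties = user_duties(roles, role_duties)
    return sorted((a, b) for a, b in rules if a in duties and b in duties)

def can_assign(current_roles, new_role, rules=SOD_RULES, role_duties=ROLE_DUTIES):
    """Preventative check: returns (allowed, conflicts the new role would add)."""
    before = set(duty_conflicts(current_roles, rules, role_duties))
    after = set(duty_conflicts(set(current_roles) | {new_role}, rules, role_duties))
    added = sorted(after - before)
    return (not added, added)

def privilege_conflicts(roles, rules=PRIV_RULES, role_duties=ROLE_DUTIES,
                        duty_privs=DUTY_PRIVILEGES):
    """Privilege-level check: resolves duties to privileges before comparing."""
    privs = set().union(*(duty_privs[d] for d in user_duties(roles, role_duties)))
    return sorted((a, b) for a, b in rules if a in privs and b in privs)

# Security drift: a customization later adds PO creation to the vendor
# duty. Duty-level rules still see a single duty (false negative), which is
# why the ruleset must be revalidated after any duty or privilege change.
DRIFTED_DUTY_PRIVILEGES = {**DUTY_PRIVILEGES,
    "MaintainVendors": DUTY_PRIVILEGES["MaintainVendors"] | {"PurchTableCreate"}}
```

Running `privilege_conflicts({"VendorClerk"}, duty_privs=DRIFTED_DUTY_PRIVILEGES)` flags the conflict that `duty_conflicts({"VendorClerk"})` still reports as clean.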



  • 5.  RE: AX2012 R3 - Segregation of Duties

    TOP CONTRIBUTOR
    Posted Aug 21, 2018 02:32 PM
    Hi Andrea-

    I attended a breakout at Focus2018 presented by Alex Meyer on security in AX/D365. It was very interesting. While there, I was lucky enough to receive his book Security and Audit Field Manual. It breaks down security principles and design, access control, security setup, as well as other controls and mitigation. I highly recommend you check out this book. It is a short, easy read and lays the information out in an easy-to-understand way. Here is a link to the book on Amazon so that you can look at it:

    Security and Audit Field Manual: Microsoft Dynamics 365 for Finance and Operations Enterprise Edition
    "For many companies, Microsoft Dynamics 365 for Finance and Operations, Enterprise edition (D365) is the core of their financial management system, and protecting against fraud, misstatements, and errors is a critical component of running Dynamics 365. Sometimes though, it's hard to know wh..."

    Hope this helps!



    ------------------------------
    Robin Finnell
    Continuous Improvement Coordinator
    Operations Lead - D365FO/MES Implementation
    Tillamook County Creamery Association
    Tillamook
    ------------------------------


