Tuesday, November 26, 2024

Performing Segregation of Duties (SOD) Risk Analysis in Dynamics 365 Finance and Operations (D365FO) - PART 1: Using D365FO

CONTENT

Introduction
Solution Components for SOD in Dynamics 365 Finance and Operations (D365FO)
Solution Configuration in Dynamics 365 Finance and Operations (D365FO)
SOD Violations Detection and Analysis
Summary

This article series explains how to perform a Segregation of Duties (SOD) analysis using three different tools for Dynamics 365 Finance and Operations. The purpose is to show the available options. The series consists of three parts:

Performing Segregation of Duties (SOD) Risk Analysis in Dynamics 365 Finance and Operations (D365FO)

PART 1: Using D365FO (this article)
PART 2: Using RSM's Guardian Power App (to be published on 12/6)
PART 3: Using Fastpath (to be published on 12/20)

Let's get started with PART 1.

Introduction

In today’s business landscape, ensuring compliance and safeguarding financial systems against fraud and errors are critical objectives for organizations. One of the key practices to achieve this is implementing Segregation of Duties (SOD)—a control measure that prevents a single individual from managing multiple critical tasks within a business process.

Dynamics 365 Finance and Operations (D365FO) provides a tool to help organizations analyze and manage SOD risks effectively. By leveraging its built-in security framework, role-based access controls, and analytical capabilities, businesses can identify potential conflicts and enforce appropriate control measures to maintain compliance.

This article marks the first in a three-part series exploring how to perform SOD risk analysis using different tools. Here, we focus on how Dynamics 365 Finance and Operations can streamline the process, ensuring your financial system remains secure and compliant with industry standards like SOX and COSO.

Solution Components for SOD in Dynamics 365 Finance and Operations (D365FO)

In Dynamics 365 Finance and Operations (D365FO), Segregation of Duties (SOD) revolves around managing duties—a fundamental concept within the security framework. Duties represent a collection of related privileges that define what a user can do within the system, ensuring their access aligns with their responsibilities. Here are the key solution components that support SOD in D365FO:

Security Roles, duties and privileges

Security roles are the top-level entities in D365FO's security model. They are designed to group duties and privileges required to perform specific business tasks. Roles such as "Accounts Payable Manager" or "Inventory Clerk" ensure users can only access features relevant to their job functions.

  • Roles are assigned to users, directly linking them to duties and privileges.
  • SOD is managed by ensuring that roles do not encompass conflicting duties.

Duties are granular groups of related privileges that correspond to specific responsibilities, such as approving invoices, processing payments, or creating purchase orders. They are key to managing SOD conflicts, as risks often arise when users are assigned duties that conflict with each other.

  • Duties allow fine-grained control of system functionality.
  • The system's built-in SOD rules help detect when conflicting duties are assigned to the same user or role.

Privileges are the lowest level of access definitions in the security hierarchy. They control access to individual forms, menu items, or actions within the application. By combining privileges into duties, D365FO creates a layered approach to access control.

Segregation of Duties Rules

D365FO includes a framework for defining and enforcing SOD rules. These rules specify which combinations of duties are considered incompatible and must not be assigned to the same user. For example:

Conflict Example: A user assigned both the "Maintain Vendor Invoices" and "Approve Vendor Invoices" duties creates a risk of unauthorized transactions, because the same person can both register an invoice and approve it.

The list of these conflicts forms the Segregation of Duties (SOD) framework, also known as the SOD ruleset.

SOD Violations Detection and Analysis

The system offers tools for detecting and resolving SOD conflicts. Administrators can run diagnostics to identify violations and so support compliance with regulatory standards such as SOX.

Conflict Resolution: D365FO provides workflows and configuration options to address identified conflicts, such as reassigning duties or splitting responsibilities across multiple users.

Mitigation / Remediation Tools: Workflows and ITACs

SOD enforcement is closely tied to workflows in D365FO. Approvals and reviews are built into workflows, ensuring that no single individual has control over critical processes.

ITACs (IT application controls) are not separate concepts but complementary mechanisms that enforce Segregation of Duties (SOD) and other security principles in Dynamics 365 Finance and Operations (D365FO). While workflows focus on approvals, ITACs enforce transactional integrity.

By leveraging these components, D365FO allows organizations to establish a secure environment that supports operational efficiency while maintaining compliance with internal and external regulations. The next section will delve into the process of configuring these components for effective SOD risk analysis.

Solution Configuration in Dynamics 365 Finance and Operations (D365FO)

Security Roles and their user assignments

Security roles are designed to group related duties and privileges.

System administration >> Security >> Security configuration

Users are assigned to specific security roles.

System administration >> Users >> Users

This screen shows users and their security role assignments.

The SOD framework incorporates security role access and user assignments into the risk analysis algorithm.

Segregation of Duties Framework

For demo purposes, our rule is that a user CANNOT perform both the "Maintain Vendor Invoices" and "Approve Vendor Invoices" duties at the same time.

Let's create that Segregation of Duties (SOD) rule in the system.

Go to System administration >> Security >> Segregation of duties >> Segregation of duties rules


Click + New.

Select the first duty.

Select the second duty.

Select the risk rating.


Populate the risk definition: 'Registering unapproved invoices.' The Security mitigation column holds the ITAC(s) that mitigate or remediate the identified risk; it can remain empty for now. The first SOD rule is ready.


SOD Violations Detection and Analysis

Identifying Internal Role Risks

D365FO offers a tool for detecting and resolving SOD conflicts. As an administrator, you can run diagnostics to identify violations and generate reports to support compliance with regulatory standards such as SOX.

Go to Security administration >> Security >> Segregation of duties >> Segregation of duties rules

Open the form and click 'Validate duties and roles' to run the analysis.

An error message appears:

Role "Accounts payable manager" is in violation of segregation of duties rule "New Segregation of duties rule": The role contains duties "Maintain vendor invoices" and "Approve vendor invoices".

The SOD risk analysis tool identifies this and notifies you. Note that this is an internal role risk: both conflicting duties are contained in a single role, so every user who receives that role inherits the conflict.

User Risk Analysis: Scenario 1

Let's assign "Accounts payable manager" to a user.

System administration >> Users >> Users

The system throws an error as shown below:

Cannot create a record in Security user role (SecurityUserRole). The corresponding AOS validation failed.

Note that a series of actions are taken:

  • The system identifies the conflict and does not allow this role assignment until the message is addressed.
  • The system asks whether you want to resolve this conflict now or not.

Click 'Yes'; the system takes you to the 'Segregation of duties unresolved conflicts' form and asks you to decide:

  • Deny assignment: the role assignment is rejected.
  • Allow assignment: the role assignment is done. This is an exceptional situation in which the user needs that role assignment in order not to disrupt business processes.

Click 'Deny assignment'.

The role assignment is rejected and the conflict line is moved to the 'Segregation of duties conflicts' form, as shown below.


User Risk Analysis: Scenario 2

Let's assign "Accounts payable manager" to a user and accept the conflict.

System administration >> Users >> Users

The system throws an error as shown below.

Note that a series of actions are taken:

  • The system identifies the conflict and does not allow this role assignment until the message is addressed.
  • The system asks whether you want to resolve this conflict now or not.

Click 'Yes'; the system takes you to the 'Segregation of duties unresolved conflicts' form and asks you to decide:

  • Deny assignment: the role assignment is rejected.
  • Allow assignment: the role assignment is done. This is an exceptional situation in which the user needs that role assignment in order not to disrupt business processes.

Click 'Allow assignment'.

Enter the reason for overriding the SOD rule.

Note that the role is now assigned.

Note that this violation is recorded on the 'Segregation of duties conflicts' screen, as shown below.


ITAC documentation

The last step is ITAC documentation for mitigation/remediation purposes.

ITACs (IT application controls) are not separate concepts but complementary mechanisms that enforce Segregation of Duties (SOD) and other security principles in Dynamics 365 Finance and Operations (D365FO).

SOD enforcement is closely tied to workflows in D365FO. Approvals and reviews are built into workflows, ensuring that no single individual has control over critical processes. The next step is assigning ITACs to SOD risks.

Go to the risk.

Define the risk and enter the mitigating control information as shown below.


User Risk Analysis: Scenario 3

Let's now assign two different roles that together violate the SOD rule.

An error message appears:

Cannot create a record in Security user role (SecurityUserRole). The corresponding AOS validation failed.

Note that the system notifies you that the role assignment cannot pass validation.

The system assigns only one of the conflicting roles.

Attention: the system performs the risk analysis only after the SOD ruleset setup is complete.
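The rule definition above (first duty, second duty, risk rating, risk definition, security mitigation) and the three user-risk scenarios describe one algorithm: a role is checked for containing both duties of a rule, and a user is checked against the union of duties from all roles held plus the one being assigned. The following Python model is an added example written for this article, not D365FO code; the rule and the "Accounts payable manager" role mirror the article, while the two single-duty roles, the user names and the override reason are constructed to reproduce Scenario 3 (two individually clean roles that conflict in combination).

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SodRule:
    """One line of the SOD ruleset, with the columns the article fills in."""
    name: str
    first_duty: str
    second_duty: str
    risk_rating: str
    risk_definition: str
    security_mitigation: str = ""  # ITAC(s) documented against the risk; empty until recorded

    def violated_by(self, duties: Set[str]) -> bool:
        """True when both duties of the rule are present in one duty set."""
        return self.first_duty in duties and self.second_duty in duties


@dataclass
class ConflictEntry:
    """One line on the 'Segregation of duties conflicts' list."""
    user: str
    role: str
    rule: str
    status: str      # "Denied" or "Allowed"
    reason: str = ""


# Constructed sample data: the article's demo rule plus three roles.
# The two single-duty roles are hypothetical names used for Scenario 3.
RULES: List[SodRule] = [
    SodRule("New Segregation of duties rule",
            "Maintain vendor invoices", "Approve vendor invoices",
            "High", "Registering unapproved invoices."),
]

ROLES: Dict[str, Set[str]] = {
    "Accounts payable manager": {"Maintain vendor invoices", "Approve vendor invoices",
                                 "Inquire into vendor invoice status"},
    "Vendor invoice clerk (hypothetical)": {"Maintain vendor invoices"},
    "Vendor invoice approver (hypothetical)": {"Approve vendor invoices"},
}


def validate_duties_and_roles(roles: Dict[str, Set[str]], rules: List[SodRule]) -> List[str]:
    """Internal role risk: a single role that bundles both duties of a rule."""
    messages = []
    for role, duties in roles.items():
        for rule in rules:
            if rule.violated_by(duties):
                messages.append(
                    f'Role "{role}" is in violation of segregation of duties rule "{rule.name}": '
                    f'The role contains duties "{rule.first_duty}" and "{rule.second_duty}".')
    return messages


def effective_duties(user_roles: Set[str], roles: Dict[str, Set[str]]) -> Set[str]:
    """Union of the duties granted by every role the user holds."""
    return set().union(*(roles[r] for r in user_roles))


def assign_role(user: str, role: str,
                assignments: Dict[str, Set[str]],
                conflicts: List[ConflictEntry],
                roles: Dict[str, Set[str]] = ROLES,
                rules: List[SodRule] = RULES,
                allow: bool = False, reason: str = "") -> bool:
    """User risk: validate the new role against the user's duties across all roles.

    Returns True when the role is assigned. Every violation is recorded on the
    conflicts list; the assignment proceeds only when allow=True with a reason,
    mirroring 'Allow assignment' versus 'Deny assignment'.
    """
    proposed = effective_duties(assignments.get(user, set()) | {role}, roles)
    hits = [rule for rule in rules if rule.violated_by(proposed)]
    if hits:
        if allow and not reason:
            raise ValueError("A reason is required to override an SOD rule")
        status = "Allowed" if allow else "Denied"
        for rule in hits:
            conflicts.append(ConflictEntry(user, role, rule.name, status, reason))
        if not allow:
            return False
    assignments.setdefault(user, set()).add(role)
    return True


def run_scenarios() -> Tuple[Dict[str, Set[str]], List[ConflictEntry]]:
    """Replays Scenarios 1 to 3 on constructed users and returns the resulting state."""
    assignments: Dict[str, Set[str]] = {}
    conflicts: List[ConflictEntry] = []
    # Scenario 1: deny the conflicting role
    assign_role("alice", "Accounts payable manager", assignments, conflicts)
    # Scenario 2: accept the conflict with a documented reason
    assign_role("bob", "Accounts payable manager", assignments, conflicts,
                allow=True, reason="Temporary cover during month-end close")
    # Scenario 3: two separately clean roles that conflict in combination
    assign_role("carol", "Vendor invoice clerk (hypothetical)", assignments, conflicts)
    assign_role("carol", "Vendor invoice approver (hypothetical)", assignments, conflicts)
    return assignments, conflicts


if __name__ == "__main__":
    for msg in validate_duties_and_roles(ROLES, RULES):
        print(msg)
    final_assignments, log = run_scenarios()
    print(final_assignments)
    for entry in log:
        print(entry)
```

Running the block prints the same internal-role message the article shows for "Accounts payable manager", then leaves alice with no role, bob with the manager role and an "Allowed" conflict entry carrying the override reason, and carol with only the clerk role because the second assignment was denied. The ITAC documentation step corresponds to filling `security_mitigation` on the rule; keeping the reason mandatory on an override is the design choice that makes the conflicts list auditable later.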

Summary

Dynamics 365 Finance and Operations (D365FO) provides robust tools to manage Segregation of Duties (SOD) by leveraging its security framework, including roles, duties, privileges, and SOD rules. These components allow organizations to identify and resolve access conflicts, enforce regulatory compliance, and document mitigations through workflows and ITAC integration. By configuring SOD rules and analyzing conflicts, businesses can ensure that critical tasks are segregated effectively, safeguarding operations and minimizing the risk of fraud or errors.

Monday, November 18, 2024

Creating a Power App by Using the Fin & Ops Apps (Dynamics 365) connector


CONTENT

Introduction
Why Power App?
Power App creation
Summary

INTRODUCTION

Microsoft Power Apps provides a powerful platform for building low-code, custom applications that integrate with Dynamics 365 Finance and Operations (F&O). By leveraging the Dynamics 365 Finance and Operations connector, organizations can create tailored solutions that provide users with direct access to critical ERP data—without requiring them to navigate the complexities of the ERP system.

This article focuses on using the Finance and Operations connector to create a Power App designed to interact with your Dynamics 365 environment. Whether you’re building an app to display purchase order details, manage inventory, or analyze financial data, the connector acts as a bridge between your Power App and the robust functionality of F&O.

This article guides you through the key steps of creating a Power App, including:

  • Setting up the connector to fetch data from Dynamics 365 F&O.
  • Designing a user-friendly interface tailored to your business needs.
  • Configuring the app to enable secure and efficient data retrieval.

By the end of this article, you'll have the foundation needed to build a Power App that enhances accessibility, streamlines processes, and reduces reliance on ERP access for occasional users—all while maintaining compliance and security.

In this article, we will build a canvas app from scratch. This app will fetch and display open purchase order lines for a selected item using data from D365FO. The goal is to demonstrate how to use the Fin & Ops Apps connector effectively for data inquiries, streamlining workflows, and enhancing decision-making.

WHY POWER APP

Power Apps is a user-friendly platform for extending the capabilities of Dynamics 365 Finance and Operations. Here’s why it’s the ideal choice for building applications:

1. Accessibility Without ERP Complexity

Power Apps offers a simplified interface for users who only need to perform specific tasks, such as querying open purchase orders, without requiring them to navigate the complexities of the ERP system. This makes it an excellent tool for non-technical users or those who only need occasional data access.

2. Cost-Efficiency in Licensing

With flexible licensing options, Power Apps eliminates the need to assign expensive Dynamics 365 F&O licenses to every user. Occasional users, such as auditors, suppliers, or project managers, can access the data they need through a lightweight Power App, significantly reducing costs.

3. Empowering Specialized Roles

Power Apps can be tailored to the needs of specific roles, such as:

  • Procurement specialists negotiating with suppliers.
  • Warehouse staff managing incoming shipments.
  • Project managers tracking pending orders for critical items.

This ensures that each role gets a purpose-built tool for its exact requirements.

4. Enhanced Mobility and Flexibility

Designed with mobile users in mind, Power Apps allows employees to access ERP data on-the-go, whether on a smartphone, tablet, or desktop. This flexibility is invaluable for roles like field technicians or buyers in supplier meetings.

5. Security and Governance

Power Apps integrates seamlessly with the Dynamics 365 ecosystem, leveraging built-in security features such as role-based access control and audit trails. This ensures that sensitive data remains protected, even when accessed outside the ERP system.

6. Rapid Development and Customization

With its low-code environment, Power Apps enables rapid development and deployment of custom solutions. Apps can be easily modified as business needs evolve, providing long-term adaptability without extensive development costs.

By combining these benefits, Power Apps empowers organizations to extend their Dynamics 365 capabilities, improve accessibility, and optimize costs—all while maintaining robust security and governance.

POWER APP CREATION

With these advantages in mind, let’s explore how to create a Power App that connects to Dynamics 365 Finance and Operations to provide a user-friendly interface for inquiring about open purchase order lines.

We will build a canvas app from scratch. This app will fetch and display open purchase order lines for a selected item using data from D365FO.

Let's get started.

Access Power Apps Studio by going to https://make.powerapps.com/

Click + Create and select Blank app.


Select Blank Canvas app and click Create.


Enter the application's name; in our example, it's D365FO Open purchase order lines.

Select Phone for vertical design and click Create.

You will see a blank app page. Click Skip.

Let's start creating app components.

Let's add a header first.

Click (plus) and select Text label.

Type the app title, D365FO Open purchase order lines.



Next is the most important part. The body of the app!

Click Vertical gallery.

The system adds it automatically and asks for a data source.

Type "Fin" to find the Fin & Ops Apps (Dynamics 365) connector and select it.

The system then asks you to select the related D365FO environment.

Select the environment that will be used as the data source.

Now we need to select the tables to be used in this Power App.
Select the table PurchaseOrderLinesV2.




The PurchaseOrderLinesV2 table is added as the data source of the gallery.
Resize the frame.

Click on the Tree view icon.

Select the first component of the vertical gallery, title3. Note that the 'Template ID' field is displayed here.


Let's change it to 'Purchase order'.

Let's do the same and change 'Sub-BOM' to 'Item number'.




We need one more field for displaying the legal entity code.
Let's add an additional field.
Duplicate one of the existing fields by copy/paste.

We can remove the arrow icon.


Next element is a dropdown list that contains item numbers for filtering.

Click + (plus) >> Input >> Dropdown


Note that the system adds the element automatically.

Let's now change the dropdown content to item numbers (Released products).

Note that Released products doesn't show up as an option. That means we need to add the Released products table to our app.

Click Add data and search for the Fin & Ops connector.

Add the table ReleasedProductsV2 and connect it.

Now we can select ReleasedProductsV2 as the data source of the dropdown list.

Note that the dropdown's content is now ReleasedProductsV2.

There is still something to be done, since nothing is displayed in the dropdown yet.

Click the dropdown box and switch to display tab on the right panel.

Change the value to 'Item number'.


Now we can see the item number in the dropdown.


Next is the most important part. We want the gallery to show only the open order lines of the item selected in the dropdown.

Select the gallery and clear the formula bar.




Enter the filter as below:

Filter(PurchaseOrderLinesV2,'Item number'=Dropdown1.Selected.'Item number' && 'Line status'= "1")





What is this filter saying?

The language in this Power Platform example is Power Fx, a low-code, declarative language used within Microsoft Power Apps to define behavior, logic, and data manipulation. It is heavily inspired by Excel formulas and is used in canvas apps for creating expressions and filtering data.

Here's a breakdown of the code:

  • Filter: A function in Power Fx that narrows down a table of data based on one or more conditions.
  • PurchaseOrderLinesV2: The table containing purchase order lines.
  • 'Item number': A table column.
  • Dropdown1.Selected.'Item number': Refers to the value of the "Item number" field selected in the dropdown control named Dropdown1.
  • 'Line status' = "1": Filters rows where the Line status column equals the string "1". A value of 1 means an open order line.

This formula filters the PurchaseOrderLinesV2 data source to return only rows where:

  1. The Item number matches the value selected in Dropdown1.
  2. The Line status is "1".

Time to test the app!

Click Play button.



Select an item and see the open purchase order lines of the item.



Verifying Results

Cross-check the data with the Open purchase order lines button in D365FO to ensure accuracy.

Find the item in Released products and click the Open purchase order lines button.



The results match the Power Apps results! Excellent!

End the test by clicking the cross button.


Sharing the App

Save it and share it by clicking Share button.


Enter the user's email.


Note that this user is given permission to use the app only.


Click on Share.



The user gets a notification that includes the Power Apps link.

The user clicks on the link and starts using the app!




SUMMARY

This Power App provides a user-friendly interface for querying and displaying open purchase order lines from Dynamics 365 Finance and Operations, making it ideal for procurement, warehouse, and finance teams who need quick access to specific data without navigating the complexities of the ERP system. By integrating the Finance and Operations Apps connector, the app enables secure data retrieval and cost-efficient access for occasional users.
