PERFORMING SEGREGATION OF DUTIES (SOD) RISK ANALYSIS IN DYNAMICS 365 FINANCE AND OPERATIONS (D365FO)
CONTENT Introduction Solution Components of GRC Guardian for SOD Risk Analysis Configuring GRC Guardian for SOD Risk Analysis Detecting and Analyzing SOD Violations with GRC Guardian Summary and Insights |
This article series explains how to perform a Segregation of Duties (SOD) analysis using 3 different tools for Dynamics 365 Finance and Operations. The purpose is to provide various options. The entire series will consist of 3 parts, as follows:
Performing Segregation of Duties (SOD) Risk Analysis in Dynamics 365 Finance and Operations (D365FO)
Let's get started with PART 2.
Introduction
In PART 1 of this series, we introduced the concepts of segregation of duties (SOD) risk analysis and demonstrated how to perform it using Dynamics 365 Finance and Operations (D365FO) out-of-box features. In this article, we shift our focus to RSM’s proprietary Power App, GRC Guardian, a managed service that simplifies SOD risk analysis. As part of RSM’s intellectual property, GRC Guardian enables organizations to efficiently assess and address SOD risks after a brief analysis session to identify applicable rules. My role as a consultant on Dynamics 365 Finance and Operations implementations has provided valuable insights into utilizing this innovative tool for effective risk management.
RSM's GRC Guardian is a custom application designed to assess and evaluate security risks across platforms such as Dynamics 365, SAP, Oracle, and NetSuite. It provides actionable insights to identify potential vulnerabilities in application security roles and user access efficiently.
The Power App is built with a persona-based architecture to restrict access at the ERP client and project levels. Leveraging Microsoft Azure Active Directory for authentication and access control, the application ensures robust data privacy and protection, allowing only authorized RSM employees to access specific modules.
Solution Components of GRC Guardian for SOD risk analysis
In RSM's Power App, GRC Guardian, Segregation of Duties (SOD) revolves around security extraction (objects, privileges, duties, and roles), RSM's industry best-practice SOD ruleset, and technical mapping that links security objects to business activities—a fundamental concept within the app's framework. The SOD ruleset and technical mapping are customizable, with the results seamlessly integrated into GRC Guardian. Below are the key solution components of RSM's GRC Guardian tool:
Security Roles, duties, and privileges
Security roles are the top-level entities in D365FO's security model, grouping duties and privileges necessary for specific business tasks. Roles like "Accounts Payable Manager" or "Inventory Clerk" ensure users have access only to features relevant to their job functions.
Duties represent collections of related privileges tied to specific responsibilities, such as approving invoices, processing payments, or creating purchase orders.
Privileges, the most granular access definitions in the security hierarchy, control access to individual forms, menu items, or actions within the application. By combining privileges into duties, D365FO implements a layered approach to access control. This structure is critical for managing SOD conflicts, as risks often arise when users are assigned conflicting privileges.
Segregation of Duty Rules
SOD rules specify which combinations of business activities are considered incompatible and must not be assigned to the same user. For example:
Conflict Example: If a user is assigned both "Create or change vendor master records" and "Vendor invoice entry/registration" business activities, they could create fictitious vendors, alter vendor details (e.g., name or address), and initiate unauthorized payments to those vendors.
The list of these conflicts forms the Segregation of Duties (SOD) Framework, also known as the SOD ruleset.
Technical Mapping
Technical mapping is the process of teaching the Power App what "Create or change vendor master records" and "Vendor invoice entry/registration" are. This process, also known as Technical Security Modeling, is entirely customized and based on insights gathered during a brief interview.
Technical mapping encompasses forms, buttons, tables, and reports. It also incorporates components from the sensitive access framework, which will be discussed in another article. For example, the technical mapping of a form includes its display menu item, other menu items granting access to the same form, and critical buttons within the form.
This mapping must be completed for all business activities.
SOD Violations Detection and Analysis
The Power App includes an algorithm to detect SOD conflicts, helping administrators identify violations and ensure compliance with regulatory standards like SOX.
Conflict Resolution: D365FO provides workflows and configuration options to address conflicts, such as modifying security roles or distributing responsibilities among multiple users.
Mitigation / Remediation Tools: Workflows and ITACs
SOD enforcement in D365FO relies on workflows and additional parameters such as 3-way matching and posting profiles. These tools help organizations establish a secure environment that supports operational efficiency while ensuring compliance with internal and external regulations.
ITACs complement SOD enforcement by reinforcing security principles in Dynamics 365 Finance and Operations (D365FO). The risk analysis generated by GRC Guardian is reviewed, and mitigating or remediating ITACs are implemented to address identified risks.
Configuring GRC Guardian for SOD risk analysis
Security Role Access Extractions
GRC Guardian needs D365FO security roles to be extracted properly as illustrated below:
Go to System administrator >> Security >> Security configuration
Select the desired role and click Permissions.
The extracted user access data will appear as shown below.
This process must be repeated for all roles, and the resulting files should be consolidated. Once completed, all user access information will be available.
Security User Role Assignment Extractions
Next extraction is "user & security role assignments". Go to Data management workspace and create an export project that has Security user role association entity.
Run the project and extract the data.
Extracted document looks like as below:
As a result, all security role permissions, along with user and role assignments, are now prepared and available.
Segregation of Duties Framework
GRC Guardian enables the creation of a custom Segregation of Duties (SOD) framework, designed efficiently during a brief meeting. These rules define which combinations of business activities are incompatible and should not be assigned to the same user.
The identified conflicts collectively form the Segregation of Duties (SOD) framework, also referred to as the SOD ruleset.
Once exported, the Excel file can be customized further by adding new rules, modifying rule definitions, or adjusting risk ratings. The goal is to create a fully tailored SOD rule list.
Technical Mapping
Once the custom SOD rule list is finalized, the next step is to educate GRC Guardian. This involves what "Create or change vendor master records" and "Vendor invoice entry/Registration" are. This is called Technical Security Modeling. This process, known as Technical Security Modeling, is entirely customized and typically based on insights gathered during a brief interview.
GRC Guardian automatically generates a technical mapping based on selected business processes. The content of technical mapping is independent of the risk ratings.
The generated technical mapping can be modified and re-imported into GRC Guardian to include customized security objects, ensuring the mapping aligns with specific business requirements.
Detecting and Analyzing SOD Violations with GRC Guardian
GRC Guardian includes an algorithm for detecting SOD conflicts. Administrators can utilize this feature to identify violations and support compliance with regulatory standards such as SOX.
Conflict Resolution: D365FO provides workflows and configuration options to address identified conflicts, including modifying security roles and distributing responsibilities across multiple users.
GRC Guardian offers two types of analysis: SOD risk analysis and Sensitive Access (SA) analysis.
When the risk analysis is run, three types of documents are generated:
▶️ Raw risk analysis data in excel format
▶️ A summary that can be modified in power point format
▶️ A dashboard in POWER BI format
Each document gives insights about
- Overall Executive Summary: This section provides a high-level overview of the SOD and SA analysis performed. It includes the total number of roles, total number of users, and total number of SOD rules used in the analysis. The remainder of the page highlights the findings, such as roles and users with violations.
- Internal role SOD risks: This page provides an overview of SOD analysis within roles. In other words, inherited role violations are displayed here.
- User SOD Risks: This page provides an overview of SOD analysis from the user perspective. It includes the number of users with SOD violations, details of violated SOD rules, impacted business processes, the number of SOD violations per user, and the distribution of users by role.
- Role & User SA Analysis Overview: This page provides an overview of SA analysis, including SA conflicts. Additionally, it details violations by business processes, risk rankings, the number of roles with SA violations, the number of SA violations by role, the number of users with SA violations, the number of SA violations by user, the number of roles by user, and the number of users by role.
Summary and insights
RSM’s GRC Guardian Power App simplifies Segregation of Duties (SOD) risk analysis in Dynamics 365 Finance and Operations (D365FO). As a managed service, it is highly affordable, eliminating the need for additional licensing. Its customizable SOD frameworks, advanced technical mapping, and automated risk detection ensure compliance with standards like SOX. The tool can be configured efficiently after just a few short meetings—one to define SOD rules and another to validate the technical mapping. With actionable insights and streamlined implementation, GRC Guardian is a valuable solution for managing application security and mitigating risks. Stay tuned for the next article, where we explore SOD risk analysis using Fastpath.
No comments:
Post a Comment