Microsoft

Capabilities, Limitations of Microsoft’s Native SoD Tool

Amy Mickle
November 29, 2023
4 min read

Segregation of duties (SoD) is a well-known term among auditors and anyone who has ever been audited. SoD is the understanding that no user should have access to two conflicting business functions that would allow a user to commit fraud or error (e.g., the ability to create a vendor record, then process a payment to that vendor). The idea can be intimidating and overwhelming to those who do not have the proper tools in place to successfully manage SoD risks. However, it is important for all businesses to be able to effectively evaluate, understand and control the potential risks in their environments.

To meet these client challenges, Microsoft Dynamics 365 Finance (D365) has incorporated a native SoD tool that can be leveraged to identify potential SoD risks that exist within the D365 environment. This functionality can be found through the following navigation path: system administration > security > segregation of duties. Setting up the tool can be relatively easy; some high-level steps are outlined below.

How to set up the SoD tool

  1. Define the SoD rules that determine what is considered an SoD risk (e.g., maintain vendor master and maintain vendor payments).
  2. SoD rules are defined at the duty level. Map two duties so that a user does not have have access to both.
  3. Enter the SoD rule severity, risk description and mitigation (if applicable).
  4. To evaluate SoD risks at the role level, click ‘validate duties and roles’ to check if existing security roles violate the defined SoD rules. To evaluate SoD risks at the user level, navigate to ‘verify compliance of user-role assignments.’

Any organization that does not have any other support tools may want to leverage this functionality to provide some initial insights. However, there are limitations to the tool that need to be considered to determine how much reliance can be placed on its insights to support organizational needs and security environments.

Limitations of the SoD tool

  1. Microsoft does not provide template SoD rules. It is up to the business and information security personnel to define the SoD rules.
  2. SoD rules are defined at the duty level. However, the lowest level of the security hierarchy is securable objects (role > duty > privilege > securable object). It is recommended to map SoD rules at the securable object level to obtain an accurate SoD evaluation.
    • Mapping SoD rules at the duty level does not provide the level of detail required to pinpoint the access that needs to be removed to resolve the SoD risk. At the duty level, it is likely that too much access will be removed as a result.
    • Duties can be modified and as a result if a duty changes, the ruleset also needs to change.
    • D365 will report a risk even if the duty does not have any underlying security assigned aka the duty is not providing any access in D365.
    • Mapping at the duty level will skip over scenarios where privileges are assigned directly to security roles.
    • There is an increased level of effort required to upkeep the SoD rules when a duty is created or deleted.
  3. Mitigating controls are a critical element of SoD. D365 does not provide a central repository to store mitigating control data effectively.
  4. Role SoD risks appear as banner notifications and user SoD risks appear in the action center, which does not allow for easy reporting.

In summary, the D365 SoD tool can be a good starting place, but organizations may need to incorporate other processes and capabilities to effectively manage SoD risks. Tools such as Fastpath provide extensive SoD reporting capabilities and can be customized to fit different business’ needs. Protiviti has partnered with Fastpath since 2012 and has executed over 100 assessments in Fastpath. Through this experience, Protiviti has developed a D365 leading practice SoD and sensitive access (SA) risk rulesets with over 250 SoD rules defined that can be customized to fit any business.

To help clients begin their journey towards a robust, compliance-oriented security with the aid of the Microsoft Dynamics 365 for Finance and Supply Chain Security role templates, Protiviti has developed Microsoft Dynamics 365 Finance and Supply Chain Security Role Templates. Learn more here.

To learn more about our Microsoft consulting solutions, contact us.

Read the results of our 2023 Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.

Amy Mickle

Manager
Business Application Solutions

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More