Segregation of Duties Analysis

The Segregation of Duties analysis is a tool for analyzing how well the security setup separates duties between people. The analysis shows any inappropriate user access and identifies which users have access to specific functions in the system.

The Segregation of Duties Analysis form shows all functional areas and which users have access to each area, and it indicates whether a user's security setup contains any conflicts, meaning that the segregation of duties is not respected. To open this form, click View Segregation of Duties in the folder Solution Manager/Administration/Security Administration.

The analysis can be viewed in two view modes: Matrix and Data Grid. Both show the same information, but in different ways.

Matrix

The matrix shows, for each user, the Functional Areas that he/she has access to. Access means that the user is granted a security object that is connected to the Functional Area. This is shown in the matrix as a green check mark. If the security setup for a user violates the segregation of duties, i.e. the user has access to functional areas that are defined as conflicting areas, this is marked with crosses. A red cross is shown if the conflict has severity Not Allowed, and a yellow cross is shown if the severity is Warning.

 

To view the details of a conflict, click on the cross to open a detail form. This shows which functional areas this specific functional area conflicts with, and which permission sets and security objects granted to the user cause the conflict.
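The evaluation described above can be reproduced outside the form, for example to audit an exported security setup. The following is an added example, not code from the product: all area, permission set, security object and user names are constructed, and showing the most severe marker when an area takes part in several conflicts is an assumption.

```python
# Constructed sample data; every name here is hypothetical, not taken from the product.
AREA_OBJECTS = {            # functional area -> connected security objects
    "Supplier Maintenance": {"SupplierInfo"},
    "Supplier Payment": {"PaymentOrder"},
    "Invoice Entry": {"SupplierInvoice"},
}
PERMISSION_SETS = {         # permission set -> security objects it grants
    "AP_CLERK": {"SupplierInvoice", "SupplierInfo"},
    "AP_PAYER": {"PaymentOrder"},
    "AP_VIEWER": {"SupplierInvoice"},
}
GRANTS = {"ALICE": ["AP_CLERK", "AP_PAYER"], "BOB": ["AP_VIEWER"], "CAROL": ["AP_CLERK"]}
CONFLICTS = {               # conflicting pair of functional areas -> severity
    frozenset({"Supplier Maintenance", "Supplier Payment"}): "Not Allowed",
    frozenset({"Supplier Maintenance", "Invoice Entry"}): "Warning",
}
RANK = {"Warning": 1, "Not Allowed": 2}

def area_access(user):
    """Map each functional area the user reaches to the (permission set, object) grants behind it."""
    access = {}
    for pset in GRANTS.get(user, []):
        for obj in sorted(PERMISSION_SETS[pset]):
            for area, objs in AREA_OBJECTS.items():
                if obj in objs:
                    access.setdefault(area, []).append((pset, obj))
    return access

def analyze(user):
    """Return (matrix row, conflict details) for one user."""
    access = area_access(user)
    row = {area: "OK" for area in access}          # "OK" = green check mark
    details = []
    for pair, severity in CONFLICTS.items():
        if pair.issubset(access):                  # user reaches both conflicting areas
            a, b = sorted(pair)
            details.append({"areas": (a, b), "severity": severity,
                            "causes": sorted(set(access[a] + access[b]))})
            for area in pair:                      # assumption: keep the most severe marker
                if RANK[severity] > RANK.get(row[area], 0):
                    row[area] = severity
    return row, details

if __name__ == "__main__":
    for user in GRANTS:
        row, details = analyze(user)
        print(user, row)
        for d in details:
            print("   ", d["severity"], d["areas"], "caused by", d["causes"])
```

The `causes` list corresponds to what the detail form reports: the permission sets and security objects that give the user access to both conflicting areas.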

Data Grid

The data grid shows the same information as the Matrix view, but you can use the data grid functionality, for example to group by a specific functional area or user, or to filter so that only the conflicts are shown.

Resolve a Conflict

A conflict is only information that the security setup violates the segregation of duties rules. It does not, for example, have any impact on the access rights of the user. There are several ways to handle a reported conflict. In the matrix view, click on the conflict marker, and in the data grid view, select the conflicting record to see the details.

  1. Is the rule valid? The rule might have to be evaluated to see if it really applies to your company.
    In the basic data List Functional Area Conflicts you can define the conflicting areas and set the severity.
  2. Is the area too large? Does it cover too many functions? You might need to separate it into smaller areas. In the detail form Functional Area it is possible to edit the definition of a Functional Area.
  3. Is the user granted too much? Revoke permissions for the user so that he/she only has access to one of the duties. If the permission sets granted to the user seem correct, you need to check how the permission sets are defined. A Permission Set may need to be split into several smaller permission sets in order to set up the security so that it does not violate the segregation of duties.