17 July 2026

The ‘duty-name’ trap in F&SCM’s segregation of duties rules

In Microsoft Dynamics 365 Finance & Supply Chain Management, setting up Segregation of Duties feels like real security work. You go to System administration > Security > Segregation of duties > Segregation of duties rules, pick a First duty, pick a Second duty, and declare them incompatible. The system logs violations. Administrators must approve or reject conflicting assignments. It looks, and largely functions, like a proper control. 

For many organizations, that rules page is the whole SoD program. If a role passes it, SoD is “handled.” 

This is what we call the duty-name trap, and falling for it can leave real conflicts sitting in your environment while every rule shows green. 

What the SoD rules engine actually checks 

Dynamics 365 F&SCM's security model has four layers. Roles are assigned to users. Roles contain duties. Duties contain privileges. Privileges contain permissions to individual objects - menu items, fields, tables. The SoD rules page operates entirely at the second layer from the top: it compares the names of two duties assigned to the same role or user. 

It does not look at which privileges those duties actually contain today. It does not look at whether a user has equivalent access through a different route entirely. It checks whether the duty labels match, full stop. 

Three ways this gets exploited without anyone noticing 

1. Privileges assigned directly to a role. 

Microsoft's own documentation on role-based security is explicit: “Although you can assign privileges directly to roles, assign only duties to roles.” The system permits it anyway. If a privilege is attached to a role directly, rather than nested inside a duty, there is no duty name for the SoD rule to evaluate. The access exists. The rule has nothing to compare it against. 

2. A duty emptied of its privileges. 

A duty is just a named container. Nothing stops an administrator from stripping every privilege out of a duty while leaving its name - and the SoD rule referencing it - untouched. The rule keeps firing against a duty that, in practice, grants nothing, while a genuine conflict elsewhere in the role goes unchecked. 

3. Access assigned through a security group. 

Users provisioned through Microsoft Entra ID groups rather than direct role assignment inherit access the SoD rules engine was never designed to evaluate against. This gap doesn't close with the more advanced User Security Governance feature either - Microsoft's own Security Governance FAQ states outright that group-based access is not covered. 

Why this isn't “the tool doesn't work” 

None of this is a bug. The rules engine does exactly what it was built to do: compare duty labels attached to a role. The trap is assuming that a green light on that page means the underlying access is clean. It checks the packaging, not the contents. 

Closing the gap 

Microsoft does provide a deeper mechanism: Privilege separation validation, found under the process hierarchy security tasks, which analyzes overlapping privileges directly rather than duty names. It is a separate, less visible tool that most organizations never configure. 

Authorization Monitoring closes this gap by analyzing Security Objects directly - roles, duties, privileges and the users assigned to them - rather than relying on duty labels alone, and by evaluating the access paths standard SoD rules were never built to see. 

If your SoD rules page is green, do you actually know what that is - and isn't - telling you? Request a demo to see what Authorization Monitoring finds underneath.