datasynth-core 2.4.0

Core domain models, traits, and distributions for synthetic enterprise data generation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325

//! Segregation of Duties (SoD) definitions and conflict detection.
//!
//! Implements SoD conflict types and rules commonly used in
//! SOX compliance and internal audit frameworks.

use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};

use super::internal_control::RiskLevel;
use super::user::UserPersona;

/// Types of Segregation of Duties conflicts.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum SodConflictType {
    /// Same person prepared and approved a transaction
    PreparerApprover,
    /// Same person requested and approved their own request
    RequesterApprover,
    /// Same person performed reconciliation and posted entries
    ReconcilerPoster,
    /// Same person maintains vendor master data and processes payments
    MasterDataMaintainer,
    /// Same person created and released a payment
    PaymentReleaser,
    /// Same person posted to sensitive accounts without independent review
    JournalEntryPoster,
    /// Same person has access to multiple conflicting functions
    SystemAccessConflict,
}

impl std::fmt::Display for SodConflictType {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::PreparerApprover => write!(f, "Preparer/Approver"),
            Self::RequesterApprover => write!(f, "Requester/Approver"),
            Self::ReconcilerPoster => write!(f, "Reconciler/Poster"),
            Self::MasterDataMaintainer => write!(f, "Master Data Maintainer"),
            Self::PaymentReleaser => write!(f, "Payment Releaser"),
            Self::JournalEntryPoster => write!(f, "Journal Entry Poster"),
            Self::SystemAccessConflict => write!(f, "System Access Conflict"),
        }
    }
}

/// Definition of a SoD conflict pair.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SodConflictPair {
    /// Type of conflict
    pub conflict_type: SodConflictType,
    /// First role in the conflict
    pub role_a: UserPersona,
    /// Second role in the conflict (can be same as role_a)
    pub role_b: UserPersona,
    /// Description of the conflict
    pub description: String,
    /// Severity of this conflict type
    pub severity: RiskLevel,
}

impl SodConflictPair {
    /// Create a new SoD conflict pair.
    pub fn new(
        conflict_type: SodConflictType,
        role_a: UserPersona,
        role_b: UserPersona,
        description: impl Into<String>,
        severity: RiskLevel,
    ) -> Self {
        Self {
            conflict_type,
            role_a,
            role_b,
            description: description.into(),
            severity,
        }
    }

    /// Get standard SoD conflict pairs.
    pub fn standard_conflicts() -> Vec<Self> {
        vec![
            Self::new(
                SodConflictType::PreparerApprover,
                UserPersona::JuniorAccountant,
                UserPersona::SeniorAccountant,
                "Same person prepared and approved journal entry",
                RiskLevel::High,
            ),
            Self::new(
                SodConflictType::PreparerApprover,
                UserPersona::SeniorAccountant,
                UserPersona::Controller,
                "Same person prepared and approved high-value transaction",
                RiskLevel::High,
            ),
            Self::new(
                SodConflictType::RequesterApprover,
                UserPersona::JuniorAccountant,
                UserPersona::Manager,
                "Same person requested and approved their own expense/requisition",
                RiskLevel::Critical,
            ),
            Self::new(
                SodConflictType::PaymentReleaser,
                UserPersona::SeniorAccountant,
                UserPersona::SeniorAccountant,
                "Same person created and released payment",
                RiskLevel::Critical,
            ),
            Self::new(
                SodConflictType::MasterDataMaintainer,
                UserPersona::SeniorAccountant,
                UserPersona::JuniorAccountant,
                "Same person maintains vendor master and processes payments",
                RiskLevel::High,
            ),
            Self::new(
                SodConflictType::ReconcilerPoster,
                UserPersona::JuniorAccountant,
                UserPersona::JuniorAccountant,
                "Same person performed account reconciliation and posted adjustments",
                RiskLevel::Medium,
            ),
            Self::new(
                SodConflictType::JournalEntryPoster,
                UserPersona::JuniorAccountant,
                UserPersona::JuniorAccountant,
                "Posted to sensitive GL accounts without independent review",
                RiskLevel::High,
            ),
        ]
    }
}

/// Record of a specific SoD violation on a transaction.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SodViolation {
    /// Type of conflict that occurred
    pub conflict_type: SodConflictType,
    /// User ID who caused the violation
    pub actor_id: String,
    /// Description of the conflicting action
    pub conflicting_action: String,
    /// When the violation occurred
    #[serde(with = "crate::serde_timestamp::utc")]
    pub timestamp: DateTime<Utc>,
    /// Severity of this specific violation
    pub severity: RiskLevel,
}

impl SodViolation {
    /// Create a new SoD violation record.
    pub fn new(
        conflict_type: SodConflictType,
        actor_id: impl Into<String>,
        conflicting_action: impl Into<String>,
        severity: RiskLevel,
    ) -> Self {
        Self {
            conflict_type,
            actor_id: actor_id.into(),
            conflicting_action: conflicting_action.into(),
            timestamp: Utc::now(),
            severity,
        }
    }

    /// Create a violation with a specific timestamp.
    pub fn with_timestamp(
        conflict_type: SodConflictType,
        actor_id: impl Into<String>,
        conflicting_action: impl Into<String>,
        severity: RiskLevel,
        timestamp: DateTime<Utc>,
    ) -> Self {
        Self {
            conflict_type,
            actor_id: actor_id.into(),
            conflicting_action: conflicting_action.into(),
            timestamp,
            severity,
        }
    }
}

/// SoD rule that defines what constitutes a conflict.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SodRule {
    /// Rule identifier
    pub rule_id: String,
    /// Rule name
    pub name: String,
    /// Conflict type this rule detects
    pub conflict_type: SodConflictType,
    /// Description of the rule
    pub description: String,
    /// Whether this rule is active
    pub is_active: bool,
    /// Risk level if this rule is violated
    pub risk_level: RiskLevel,
}

impl SodRule {
    /// Create a new SoD rule.
    pub fn new(
        rule_id: impl Into<String>,
        name: impl Into<String>,
        conflict_type: SodConflictType,
    ) -> Self {
        Self {
            rule_id: rule_id.into(),
            name: name.into(),
            conflict_type,
            description: String::new(),
            is_active: true,
            risk_level: RiskLevel::High,
        }
    }

    /// Builder method to set description.
    pub fn with_description(mut self, description: impl Into<String>) -> Self {
        self.description = description.into();
        self
    }

    /// Builder method to set risk level.
    pub fn with_risk_level(mut self, level: RiskLevel) -> Self {
        self.risk_level = level;
        self
    }

    /// Get standard SoD rules.
    pub fn standard_rules() -> Vec<Self> {
        vec![
            Self::new(
                "SOD001",
                "Preparer-Approver Conflict",
                SodConflictType::PreparerApprover,
            )
            .with_description("User cannot approve their own journal entries")
            .with_risk_level(RiskLevel::High),
            Self::new(
                "SOD002",
                "Payment Dual Control",
                SodConflictType::PaymentReleaser,
            )
            .with_description("User cannot both create and release the same payment")
            .with_risk_level(RiskLevel::Critical),
            Self::new(
                "SOD003",
                "Vendor Master-Payment Conflict",
                SodConflictType::MasterDataMaintainer,
            )
            .with_description("User cannot maintain vendor master data and process payments")
            .with_risk_level(RiskLevel::High),
            Self::new(
                "SOD004",
                "Requester-Approver Conflict",
                SodConflictType::RequesterApprover,
            )
            .with_description("User cannot approve their own requisitions or expenses")
            .with_risk_level(RiskLevel::Critical),
            Self::new(
                "SOD005",
                "Reconciler-Poster Conflict",
                SodConflictType::ReconcilerPoster,
            )
            .with_description("User cannot both reconcile accounts and post adjusting entries")
            .with_risk_level(RiskLevel::Medium),
        ]
    }
}

#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
    use super::*;

    #[test]
    fn test_sod_conflict_display() {
        assert_eq!(
            SodConflictType::PreparerApprover.to_string(),
            "Preparer/Approver"
        );
        assert_eq!(
            SodConflictType::PaymentReleaser.to_string(),
            "Payment Releaser"
        );
    }

    #[test]
    fn test_standard_conflicts() {
        let conflicts = SodConflictPair::standard_conflicts();
        assert!(!conflicts.is_empty());

        // Should have critical severity conflicts
        let critical: Vec<_> = conflicts
            .iter()
            .filter(|c| c.severity == RiskLevel::Critical)
            .collect();
        assert!(!critical.is_empty());
    }

    #[test]
    fn test_sod_violation_creation() {
        let violation = SodViolation::new(
            SodConflictType::PreparerApprover,
            "USER001",
            "Approved own journal entry",
            RiskLevel::High,
        );

        assert_eq!(violation.actor_id, "USER001");
        assert_eq!(violation.conflict_type, SodConflictType::PreparerApprover);
    }

    #[test]
    fn test_standard_rules() {
        let rules = SodRule::standard_rules();
        assert!(!rules.is_empty());

        // All standard rules should be active
        assert!(rules.iter().all(|r| r.is_active));
    }
}