Identity Governance allows you to create, edit, import, download (export), and assign SoD approval policies to specified SoD polices. SoD approval policies provide approval criteria for the following:
Resolution or approval, by one or more people, of detected SoD violations
Required approval, by one or more people, of potential SoD violations for access requests
Prevention of approval for SoD violations that occur due to a toxic combination of permissions that should never be allowed
Identity Governance provides the following SoD approval policies, which you can either use as configured, or edit to customize for your organization:
This SoD approval policy is configured to prevent requesting any resources that violate the SoD policy conditions or approval of any existing or potential SoD violations. The approval policy can be used if an SoD violation is considered to have toxic combinations that should never be allowed. For more information, see Creating an SoD Approval Policy for Toxic SoD Violations
This SoD approval policy does not require approval for potential SoD violations, but allows any detected SoD violations to be mitigated by users with permission to manage SoD policies, such as SoD Owners, Global Administrators, Customer Administrators, or SoD Administrators.
This SoD approval policy requires SoD Owners to approve any potential SoD violation, and allows any detected SoD violations to be mitigated by users who can manage SoD policies, such as SoD Owners, Global Administrators, Customer Administrators, or SoD Administrators.
NOTE:Identity Governance does not require approval of a potential SoD violation if the violation already exists and if the violation is not toxic.
When you configure an SoD approval policy Identity Governance sends email notifications to alert or remind approvers of outstanding tasks, and provides support for escalation if the approvers do not complete tasks within a specified period.
You are not required to assign an SoD approval policy to SoD policies. However, if you do not assign an SoD approval policy to SoD policies, SoD owners are required to resolve or approve detected violations. For more information, see Assigning a Default SoD Approval Policy
Identity Governance allows you to create SoD approval policies, and also provides three SoD approval policies that cover general situations.
To create an SoD approval policy:
Log in as a Customer, Global, or Separation of Duties Administrator.
Select Policy > SoD, then click SoD Approval Policies.
Click SoD Approval Policies, then click the plus sign (+).
Provide a name and description for the SoD approval policy.
(Conditional) If you want to create an SoD approval policy that specifies an SoD violation as having toxic combinations and should never be allowed, specify the Toxic user condition and/or the Toxic account condition. For more information, see Creating an SoD Approval Policy for Toxic SoD Violations
Next to Approval Steps, click the plus sign (+).
Click Approval Step #1, Approvers; Supervisors, then provide the requested information for:
Approvers - Select one of the following to specify the approver:
Violator supervisor
SoD policy owner
Select users and groups
NOTE:If you specify multiple users or a group as the approver, only one potential approver of those specified is required to complete the approval step.
Notifications
Approval Escalation
NOTE:The escalation approver is added to the approval task only if the approval step is not complete by the specified escalation period.
(Conditional) If you need to require multiple approvers for potential SoD violations, see Section 19.5.3, Requiring Multiple Approvals for SoD Violations.
Click Save.
After saving the SoD approval policy, you can click the SoD Approval Policies tab to immediately assign the SoD approval policy to an SoD policy. If you want to assign the SoD approval policy at a later time, you can do so using the Separation of Duties Policies tab. For more information, see Assigning SoD Approval Policies.
You may edit the SoD approval policies, including those provided by Identity Governance, as needed.
To edit an SoD Approval policy:
Log in as a Customer, Global, or Separation of Duties Administrator.
Select Policy > SoD, then click SoD Approval Policies.
Click SoD Approval Policies.
Click the SoD approval policy you want to modify, then click Edit.
Make the desired changes to the SoD approval policy, then click Save.
Identity Governance normally raises potential SoD violations to the SoD Administrator or the SoD Owner specified in the SoD policy, but does not prevent them from temporarily approving the request and allowing the violation to occur for a specified period of time. In some cases, however, your organization may want to designate the combination of user and/or account conditions defined in an SoD policy as toxic to ensure that no request that violates the SoD policy may be granted under any circumstances. You may use or edit the provided Auto Deny SoD approval policy, or you may configure your own.
Identity Governance allows you to configure an SoD approval policy to make the SoD policy toxic for all users, all accounts, or to create expressions that would make the SoD policy toxic for specific sets of users or orphaned accounts. For example, you can use the Expression Builder to specify that an SoD policy is toxic if the violating user is in a specified department or works under a specified supervisor.
To configure an SoD approval policy for toxic SoD conditions:
Log in as a Customer, Global, or Separation of Duties Administrator.
Select Policy > SoD, then click SoD Approval Policies.
Click SoD Approval Policies, then click the plus sign (+).
Provide a name and description for the SoD approval policy.
Specify the Toxic user condition or the Toxic account condition as one of the following:
Always Toxic
Expression
NOTE:If you select Expression, use the Expression Builder to create expressions from one or more conditions and filters that define the toxic attributes for the violator or the account.
Click Save.
After you save the SoD approval policy, you can click the SoD Policies tab to immediately assign the SoD approval policy to an SoD policy, or you can assign the SoD approval policy at a later time. For more information, see Assigning SoD Approval Policies.
Identity Governance allows a Customer, Global, or Separation of Duties Administrator to create and configure multi-step approval processes that require at least two people to approve an SoD violation. Configuring an SoD approval policy to use this four-eyes principle ensures that a violation is approved by multiple people. It also ensures that any user who approves the SoD violation at one step is excluded as an approver for subsequent steps, and it prevents users from approving their own SoD violations.
To configure multiple approvals for SoD violations:
Log in as a Customer, Global, or Separation of Duties Administrator.
Select Policy > SoD, then click SoD Approval Policies.
Click SoD Approval Policies, then click the plus sign (+).
Provide a name and description for the SoD approval policy.
Specify the Toxic user condition or the Toxic account condition as:
None
Always Toxic
Expression
NOTE:If you select Always Toxic for both the Toxic user condition and the Toxic account condition, you are creating an SoD approval policy for toxic conditions, and cannot assign approval steps.
NOTE:If you select Expression, use the Expression Builder to create expressions from one or more conditions and filters that define the toxic attributes for the violator or the account.
Next to Approval Steps, click the plus sign (+).
Click Approval Step #1, Approvers; Supervisors, then provide the requested information for:
Approvers - Select one of the following to specify the approver:
Violator supervisor
SoD policy owner
Select users and groups
NOTE:If you specify multiple users or a group as the approver, only one potential approver of those specified is required to complete the approval step.
Notifications
Approval Escalation
NOTE:The escalation approver is added to the approval task only if the approval step is not complete by the specified escalation period.
Repeat Steps 6 and 7 for each additional approver required for the SoD potential violation.
Click Save.
After you save the SoD approval policy, you can click the SoD Policies tab to immediately assign the SoD approval policy to an SoD policy, or you can assign the SoD approval policy at a later time. For more information, see Assigning SoD Approval Policies.
Identity Governance allows you to assign an SoD approval policy to specified SoD polices that provide approval criteria for resolution or approval of existing violations, required approval of potential SoD violations for access requests, or to prevent approval for SoD violations that occur due to a toxic combination of permissions that should never be allowed. You can also set any SoD approval policy as the default approval policy for the SoD policies that are not assigned an SoD approval policy.
You are not required to assign an SoD approval policy to SoD policies. If you do not assign an SoD approval policy, and if you do not set a default SoD approval policy, SoD owners will be required to resolve or approve detected violations.
To assign an SoD approval policy from the Separation of Duties Policies tab:
Log in as a Customer, Global, or Separation of Duties Administrator
Select Policy > SoD.
On the Separation of Duties Policies tab, select one or more SoD policies.
Select Action > Assign approval policy.
Search for, and select, an SoD approval policy to assign to the specified SoD policies.
Click Assign.
Identity Governance also allows you to assign an SoD approval policy from the Separation of Duties Approval Policies tab. This functionality allows you to assign the SoD approval policy to an SoD policy immediately after you save the approval policy.
To assign an SoD approval policy from the Separation of Duties Approval Policies tab:
After you save an SoD approval policy, click the SoD Policies tab.
Click the plus sign (+).
Search for, and select, the SoD policies to which you want to assign this SoD approval policy.
Click Add.
Global, Customer, and SoD Administrators can set any SoD approval policy as the default approval policy to govern the SoD policies that are not assigned an SoD approval policy. The selected default SoD approval policy will be used for both SoD violation resolution or approval, as well as potential SoD violations.
You are not required to assign an SoD approval policy to SoD policies. If you do not assign a default approval policy field, Identity Governance requires SoD owners to resolve or approve detected violations. However, requested items that may result in a violation will not require SoD owner approval before fulfillment.
To assign a default SoD approval policy:
Log in as a Customer, Global, or Separation of Duties Administrator.
Select Policy > SoD, then click SoD Approval Policies.
Click Default SoD Approval Policy.
Search for, and select, the SoD approval policy you want to assign as the default policy.
Click Add.
The default SoD approval policy does not appear in the SoD Approval Policy column on the Separation of Duties Policies page. To determine which SoD approval policy is the default, select the SoD Approval Policies tab, then click Default SoD Approval Policy. You can also run an Insight Query to view all your SoD policies and the SoD approval policies assigned to them. If you do not set a default SoD approval policy, then no potential SoD violation approval is required, and SoD Owners, Global Administrators, and Customer Administrators may resolve or approve SoD violations.
Identity Governance allows you to download a list of all SoD approval policy descriptions as a CSV file, download SoD approval policy definitions as JSON files, and import the SoD approval policy definitions.
You can view or manage downloaded files using the downloads icon on your browser, or through the Downloads directory of your computer. For more information about exporting and importing procedures and recommended order of import, see Section 32.0, Exporting and Importing.