After you publish data, you can create separation of duties (SoD) policies that Identity Governance uses to alert you to possible violations. Active SoD policy definitions allow Identity Governance to list violations and create cases for you to review and approve, or to send to fulfillment for correction. Users with the Customer, Global, or Separation of Duties Administrator authorization can create and modify SoD policies.
NOTE: Until you publish data, no permissions are available to include as SoD Conditions in an SoD policy.
Once you create SoD policies, by default, Identity Governance enables authorized users to analyze SoD violations when they create technical and business roles, or when they request access to applications, permissions, or technical roles. Additionally, for technical roles, you can also configure violation options.
To create an SoD policy:
Log in as a Customer, Global, or Separation of Duties Administrator.
Select Policy > SoD.
Click the plus sign (+).
(Optional) Select Active to have Identity Governance discover violations of the policy and create SoD violations and cases.
Provide the requested information. For more information about defining SoD conditions, see Defining Separation of Duties Conditions, User Conditions, and Account Conditions. For more information about the policy option fields, see Understanding the Separation of Duties Policy Options.
NOTE: Policy names must be unique, but they are not case sensitive. Therefore, Identity Governance considers “SoD1” and “SOD1” to be the same name.
(Optional) Specify a potential SoD violation approval policy for the current policy by overriding global policy.
(Optional) On the Violation Conditions tab, define User Conditions and Account Conditions to limit which identities and accounts the policy evaluates.
On the Violation Conditions tab, define one or more SoD Conditions. At least one SoD Condition is required. For more information about defining these conditions, see Defining Separation of Duties Conditions, User Conditions, and Account Conditions and Section 19.2.4, Examples of Conditions for Separation of Duties Policies.
(Optional) Specify one or more compensating controls and a maximum control period. Identity Governance displays these compensating controls in SoD cases as a selection for approving a violation to continue for a certain time period.
(Optional) Click Estimate Violations to see an estimate of the number of violations of this policy.
Click Save.
If, after you create and activate a policy, some of the permissions or authorizations listed in the policy's conditions are deleted, Identity Governance marks the policy as invalid and puts all currently open SoD cases for the policy on hold. If the policy is not active, deleting its permissions or authorizations has no effect, because no detection is performed for an inactive policy. You can avoid this situation by referencing categories rather than individual permissions in SoD policies. For more information, see Section 19.2.4, Examples of Conditions for Separation of Duties Policies.
You can select any SoD policy and click Edit to modify the policy and its conditions.
Note that a deactivated technical role is excluded from SoD policy detection. If the role is reactivated later and matches a detection condition, it is included in the detection process again. If an SoD policy references a technical role, Identity Governance does not allow you to delete or deactivate that technical role until an administrator removes it from every policy that references it.
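The following is an added illustration of the detection behavior described in this section, written as a small Python model. It is not Identity Governance code and does not reflect its internal data model; the classes, field names, the "category:<name>" condition syntax, and the department-based user condition are all assumptions made for the example. The sample permissions, roles, and users are constructed data. It shows case-insensitive policy names, effective permissions from active technical roles only, an estimate that opens no cases, and what happens to an active policy and its open cases when a permission it names directly is deleted versus one it reaches only through a category.

```python
from dataclasses import dataclass, field


@dataclass
class Permission:
    id: str
    category: str = ""                 # optional grouping, e.g. "vendor-master"


@dataclass
class TechnicalRole:
    id: str
    permissions: frozenset
    active: bool = True                # deactivated roles are ignored by detection


@dataclass
class User:
    id: str
    department: str
    permissions: set = field(default_factory=set)   # directly held permission ids
    roles: set = field(default_factory=set)         # technical role ids


@dataclass
class SodPolicy:
    name: str
    # Each condition is a set of items that must not be held together. An item
    # is a permission id or "category:<name>" (any permission in that category).
    conditions: list
    active: bool = True
    department: str = ""               # toy user condition; "" means all users
    invalid: bool = False


@dataclass
class SodCase:
    policy: str
    user: str
    conflicting: frozenset
    status: str = "open"


class SodEngine:
    """Evaluates active SoD policies against published permission data (toy model)."""

    def __init__(self, catalog, roles):
        self.catalog = {p.id: p for p in catalog}   # published permissions
        self.roles = {r.id: r for r in roles}
        self.policies = {}                          # keyed by casefolded name
        self.cases = []

    def add_policy(self, policy):
        key = policy.name.casefold()                # "SoD1" and "SOD1" collide
        if key in self.policies:
            raise ValueError(f"policy name {policy.name!r} already exists")
        self.policies[key] = policy

    def _resolve(self, item):
        """Expand a condition item to the set of currently published permission ids."""
        if item.startswith("category:"):
            cat = item.split(":", 1)[1]
            return {p.id for p in self.catalog.values() if p.category == cat}
        return {item} if item in self.catalog else set()

    def _effective(self, user):
        """Permissions held directly plus those granted by active technical roles."""
        held = set(user.permissions)
        for rid in user.roles:
            role = self.roles.get(rid)
            if role is not None and role.active:
                held |= role.permissions
        return held & set(self.catalog)             # drop unpublished permissions

    def _violations(self, users):
        for policy in self.policies.values():
            if not policy.active or policy.invalid:
                continue
            for user in users:
                if policy.department and user.department != policy.department:
                    continue
                held = self._effective(user)
                for cond in policy.conditions:
                    hits = [held & self._resolve(item) for item in cond]
                    if all(hits):                   # every side of the conflict is held
                        yield SodCase(policy.name, user.id, frozenset().union(*hits))

    def estimate(self, users):
        """Count violations without opening cases (like Estimate Violations)."""
        return sum(1 for _ in self._violations(users))

    def detect(self, users):
        """Open one case per detected violation and return the new cases."""
        new = list(self._violations(users))
        self.cases.extend(new)
        return new

    def delete_permission(self, perm_id):
        """Unpublish a permission. Active policies that name it directly become
        invalid and their open cases go on hold; category references survive."""
        self.catalog.pop(perm_id, None)
        for policy in self.policies.values():
            if policy.active and any(perm_id in cond for cond in policy.conditions):
                policy.invalid = True
                for case in self.cases:
                    if case.policy == policy.name and case.status == "open":
                        case.status = "on hold"


# Constructed sample data, not taken from any real system.
CATALOG = [Permission("AP-CREATE-VENDOR", "vendor-master"),
           Permission("AP-PAY-INVOICE", "payments"),
           Permission("GL-POST", "ledger")]
USERS = [User("alice", "Finance", {"AP-PAY-INVOICE"}, {"ap-clerk"}),
         User("bob", "Finance", set(), {"ap-clerk", "ap-manager"}),
         User("carol", "IT", {"AP-CREATE-VENDOR", "AP-PAY-INVOICE"})]


def build_engine():
    """Fresh engine with one active policy scoped to the Finance department."""
    roles = [TechnicalRole("ap-clerk", frozenset({"AP-CREATE-VENDOR"})),
             TechnicalRole("ap-manager", frozenset({"AP-PAY-INVOICE"}))]
    engine = SodEngine(CATALOG, roles)
    engine.add_policy(SodPolicy("Vendor-vs-Pay",
                                [frozenset({"category:vendor-master", "AP-PAY-INVOICE"})],
                                department="Finance"))
    return engine
```

In this model carol is never evaluated because the policy's user condition limits it to Finance, bob violates only while the ap-manager role is active, and deleting AP-PAY-INVOICE invalidates the policy because the condition names that permission directly, whereas deleting AP-CREATE-VENDOR does not, since the condition reaches it only through the vendor-master category.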