Identity Governance allows you to define and activate separation of duties (SoD) policies so the system can look for actual and potential violations of the policies. SoD policies let you identify combinations of permissions and authorizations that no one person should be granted.
When you have active SoD policies, Identity Governance monitors your environment for violations and creates cases when it finds violations. SoD administrators and policy owners, as well as step approvers specified in SoD approval policies, can either approve the violation for a time period or remove enough access to resolve the violation. When you remove access, Identity Governance creates a changeset for fulfillment. For more information, see Section 14.6, Fulfilling Changesets.