20.7 Understanding Potential SoD Violations

A potential SoD violation refers to a scenario where an access request might violate previously defined SoD policies when fulfilled. Identity Governance automatically detects potential SoD violations if Customer, Global, or SoD administrators have previously defined SoD policies. It also enables Customer, Global, or Business Role administrators to enable potential SoD violation detections for business role auto-grant requests.

When Customer, Global, or SoD Administrator create SoD approval policies and assign them to SoD policies, they can also specify whether potential SoD violations require approval before the set of access requests are fulfilled. They can also set an approval policy as the default SoD approval policy that will apply to any SoD policy with no SoD approval policy assigned.

If no SoD approval policy is assigned, and no default SoD approval policy is set, potential SoD violations do not require approval, and Customer, Global, or Separation of Duties Administrators — along with Separation of Duties owners and approvers — may resolve or approve detected violations.