20.5 Approving or Resolving an SoD Violation

When you approve an SoD violation, Identity Governance records that a designated user recognized the violation and gave approval to allow the violation to continue for a specified time period. A comment is required when approving a violation. You must also specify the time period (expressed in number of days) that the violation is allowed to continue. If the SoD policy includes defined compensating controls, you can select one or more controls. Doing so allows you to state which controls you want to be enforced while the violation is allowed to continue.

If a potential SoD violation requires multiple approvers (as designated by an SoD approval policy configured to use the “four-eyes” principle), the violation is not approved until all specified approvers complete their respective approval steps. After an approver provides their approval, they may not participate in subsequent approval steps. However, they may resolve the violation, which completes the approval process. An approval step must be completed before Identity Governance notifies the approver(s) specified in the following approval step of their approval task. If an approver does not complete their SoD approval step by the expiration interval defined in the SoD approval policy, Identity Governance adds the escalation approver defined in the approval step to the list of available approvers for that step.

NOTE: If an approval step specifies either a group or more than one user as an approver, only one of the listed potential approvers is required to complete the approval step.

To approve an SoD violation:

  1. Select Policy > Violations.

  2. Select the user name with an SoD violation you want to approve.

  3. Click Approve.

  4. Provide the required information.

  5. Click Approve.

Resolving an SoD violation allows you to specify which permissions or roles you want removed from the user. From the Separation of Duties Violations page, you can select the name of a user who is in violation of an SoD policy to view details about the violation, including the policy name and the permissions, roles, or expressions that violate the policy. Clicking Resolve allows you to view the details of the permissions and roles causing the violation, and allows you to remove the permissions or roles from the user. In addition, if a policy expression is causing the violation, you can click the expression to view its permissions and roles and remove them from the user. When you resolve an SoD violation by removing permissions and roles from the user, Identity Governance generates a request to remove the permission or role, which appears in Fulfillment. You can visit the fulfillment pages to perform the fulfillment actions. For more information, see Section 13.6, Fulfilling Changesets.

NOTE: If the SoD policy violation requires multiple approvers, any of the step approvers may resolve the violation as their step action. Resolving the SoD policy violation completes the approval process, and any subsequent approval steps are no longer required.
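As an added illustration (not Identity Governance code; a hypothetical model that treats groups as already expanded to their member users and tracks time as elapsed days), the following Python sketch encodes the approval rules described above: one approver per step, no participation in later steps once a user has approved, the escalation approver joining a step after its expiry interval, and a resolve action completing the process without the remaining steps.

```python
from dataclasses import dataclass, field

@dataclass
class Step:
    """One step of an SoD approval policy (groups assumed pre-expanded to users)."""
    approvers: frozenset
    escalation: str   # added to the pool once the step's expiry interval has elapsed
    expiry_days: int

@dataclass
class SoDViolation:
    steps: list
    current: int = 0                                 # index of the open step
    approved_by: list = field(default_factory=list)  # who completed earlier steps
    status: str = "pending"                          # pending | approved | resolved

    def step_pool(self, elapsed_days):
        """Users who may act on the open step; escalation joins after expiry_days."""
        step = self.steps[self.current]
        pool = set(step.approvers)
        if elapsed_days >= step.expiry_days:
            pool.add(step.escalation)
        return pool

    def can_approve(self, user, elapsed_days):
        # One approver per step suffices, but an approver of an earlier step
        # may not take part in a subsequent approval step.
        return (self.status == "pending" and user in self.step_pool(elapsed_days)
                and user not in self.approved_by)

    def approve(self, user, elapsed_days, comment, control_days):
        if not comment or control_days <= 0:
            raise ValueError("a comment and a control period in days are required")
        if not self.can_approve(user, elapsed_days):
            raise PermissionError(f"{user} may not approve step {self.current + 1}")
        self.approved_by.append(user)
        self.current += 1   # only now is the next step's approver notified
        if self.current == len(self.steps):
            self.status = "approved"
        return self.status

    def resolve(self, user, elapsed_days):
        # A current-step approver or a prior approver may resolve; this completes
        # the process and the remaining approval steps are no longer required.
        if self.status != "pending":
            raise PermissionError("violation is not open")
        if user not in self.step_pool(elapsed_days) and user not in self.approved_by:
            raise PermissionError(f"{user} is not an approver of this violation")
        self.status = "resolved"
        return self.status
```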

IMPORTANT: If a violation is either in progress or not yet resolved, and the SoD policy is assigned to an SoD approval policy that designates the combination of user and/or account conditions defined in the SoD policy as toxic, the current "in-progress" violation does not change and the approval process can continue. When the control period specified during this approval expires, the violation comes up for approval again, but with the toxic condition described by the changed SoD approval policy. In that case, you are not allowed to resolve the violation. The only option available for toxic violations is to remove one or more of the violating permissions.

To resolve an SoD Violation:

  1. Select Policy > Violations.

  2. Select the user name with an SoD violation you want to resolve.

  3. Click Resolve to display the permissions and roles, and the expressions containing permissions and roles, that caused the violation.

  4. Remove one or more permissions or roles from the user that would resolve the SoD violation.

    NOTE: To automatically remove technical role assignments (included permissions) when removing a detected technical role to resolve an SoD violation, configure SoD Violations for detected and assigned roles using the Violation Options tab, or, if calculating SoDs for only detected roles, make sure that Remove role assignments is enabled.

  5. Provide a comment that describes for the fulfiller the actions needed to resolve the SoD violation.

  6. Click Resolve.

IMPORTANT: Closing an SoD case is not the same as the resolve action, and it does not occur automatically because a resolve action has been performed. The resolve action only initiates fulfillment tasks and notifies the appropriate users that removal actions are needed and which specific removals are being requested. It does not actually remove permissions or roles. If nobody performs the fulfillment tasks, or the fulfillers reject them, nothing changes: the SoD violation does not go away and the SoD case remains open.

Resolved SoD violations appear as fulfillment requests that you can view by selecting Fulfillment > Requests.