20.1 Separation of Duties Violation Versus Separation of Duties Case

The terms “SoD violation” and “SoD case” are sometimes used interchangeably. Both refer to a specific user or account violating a specific SoD policy. However, Identity Governance can detect an actual SoD violation multiple times, because of the variety of events that trigger an SoD violation detection. For example, publishing identities and accounts, and creating, changing, or deleting roles, all trigger an SoD violation detection. Identity Governance creates a new SoD violation record for each of those detections and also notifies the SoD Policy Owner of these violations. All represent the same SoD violation, with different detection times. In addition, the following situations affect SoD approvals and detections:

  • If an SoD policy is deactivated and later reactivated, or if conditions defined in the SoD policy change, Identity Governance starts the approval process again.

  • Publications and changes to business role memberships that occur after Identity Governance detects an SoD violation could change the violation, so Identity Governance runs the detection process again for all active SoD policies, or for SoD policies that reference the business role.

  • Publications and changes to business role memberships could add contributing items to an SoD violation. In this case, Identity Governance does not restart the SoD approval process. If the approval process has not completed all the steps of a multiple-step approval process, the process remains at the current step. Step approvers always see the items currently causing the SoD violation and are able to approve or resolve the violation. The contributing items, however, could change from step to step, depending on whether the change was due to a user gaining permissions from a publication, or a change to a user's business role membership.

  • If publications and changes to business role membership result in an SoD violation no longer existing, Identity Governance terminates the SoD approval process, closes the SoD case, and records the reason for closing the SoD case.

An SoD case is the entity that tracks all of the information about an SoD violation, including all of the times the violation was detected. It also keeps track of the actions which users have taken with respect to the violation (approve, resolve). An SoD case is closed when Identity Governance no longer detects the violation. In a sense, an SoD case is the history of an SoD violation from the time it is first detected to the time it is no longer detected.
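The following Python model, added here as an illustration and not part of Identity Governance or its data model, shows how the rules above fit together: each detection run that still finds the conflict appends a new violation record to the same open case and notifies the policy owner; a change to the contributing items keeps the approval process at its current step; a change to the policy conditions restarts the approval; and a run that no longer finds the conflict closes the case with a recorded reason. The policy representation (two groups of conflicting permissions), the class and method names, and the sample user, permissions and approver are all assumptions made for the example.

```python
"""Toy model of SoD violation detections grouped into SoD cases (illustrative only)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SoDPolicy:
    """Assumed policy shape: holding anything from group_a together with
    anything from group_b is a violation."""
    name: str
    group_a: frozenset
    group_b: frozenset

    def contributing_items(self, permissions):
        """Return the permissions that cause the conflict, or an empty set."""
        perms = frozenset(permissions)
        if perms & self.group_a and perms & self.group_b:
            return perms & (self.group_a | self.group_b)
        return frozenset()


@dataclass
class Detection:
    """One SoD violation record: the same conflict detected at one point in time."""
    detected_at: int
    trigger: str
    items: frozenset


@dataclass
class SoDCase:
    """Tracks every detection of, and every action on, one user/policy violation."""
    user: str
    policy: str
    detections: list = field(default_factory=list)
    approval_step: int = 1
    status: str = "open"
    close_reason: str = ""
    actions: list = field(default_factory=list)

    @property
    def current_items(self):
        # Step approvers always see the items from the latest detection.
        return self.detections[-1].items


class SoDCaseTracker:
    def __init__(self, policies, approval_steps=2):
        self.policies = {p.name: p for p in policies}
        self.approval_steps = approval_steps
        self.cases = {}          # open cases keyed by (user, policy name)
        self.closed = []         # closed cases, kept as history
        self.notifications = []  # (policy, user, time) sent to the policy owner

    def run_detection(self, trigger, detected_at, user, permissions, policy_names=None):
        """Re-run detection for all policies (or only the ones referencing a changed role).
        Returns the violation records created by this run."""
        created = []
        for name in policy_names or list(self.policies):
            items = self.policies[name].contributing_items(permissions)
            key = (user, name)
            case = self.cases.get(key)
            if items:
                if case is None:
                    case = self.cases[key] = SoDCase(user=user, policy=name)
                # Same violation, new detection time; approval step is untouched
                # even when the contributing items changed.
                record = Detection(detected_at, trigger, items)
                case.detections.append(record)
                self.notifications.append((name, user, detected_at))
                created.append(record)
            elif case is not None:
                # Violation no longer exists: end approval, close and record why.
                case.status = "closed"
                case.close_reason = f"violation no longer detected after: {trigger}"
                self.closed.append(self.cases.pop(key))
        return created

    def approve(self, user, policy_name, approver):
        """An approver accepts the currently contributing items at the current step."""
        case = self.cases[(user, policy_name)]
        case.actions.append((case.approval_step, approver, "approve", case.current_items))
        case.approval_step += 1
        if case.approval_step > self.approval_steps:
            case.status = "approved"
        return case.approval_step

    def policy_changed(self, policy_name):
        """Policy conditions changed or policy was reactivated: restart approvals."""
        for case in self.cases.values():
            if case.policy == policy_name:
                case.actions.append((case.approval_step, "system", "approval restarted", None))
                case.approval_step = 1
                case.status = "open"


def demo():
    """Walk one constructed violation from first detection to case closure."""
    policy = SoDPolicy("vendor-vs-payment",
                       frozenset({"create_vendor", "edit_vendor"}),
                       frozenset({"approve_payment"}))
    tracker = SoDCaseTracker([policy], approval_steps=2)
    tracker.run_detection("publish identities", 1, "alice", {"create_vendor", "approve_payment"})
    tracker.run_detection("role changed", 2, "alice", {"create_vendor", "approve_payment"},
                          policy_names=["vendor-vs-payment"])
    tracker.approve("alice", "vendor-vs-payment", "bob")
    tracker.run_detection("business role membership changed", 3, "alice",
                          {"create_vendor", "edit_vendor", "approve_payment"})
    return tracker


if __name__ == "__main__":
    t = demo()
    case = t.cases[("alice", "vendor-vs-payment")]
    print(len(case.detections), "detections, approval step", case.approval_step)
```

Running `demo()` yields one open case holding three violation records, still at approval step 2 after the third detection added `edit_vendor` to the contributing items; a later detection run without `approve_payment` moves the case to the closed history with its reason recorded.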