19.2 Understanding the Separation of Duties Policy Options

An SoD policy defines which conditions make up the policy, what happens when the policy is violated, and how to resolve the violation. Use the following information to create the SoD policies that work best in your environment.

19.2.1 Providing Resolution Instructions for the Separation of Duties Policies

When you create an SoD policy, you can add resolution instructions in the Resolve field, and you can embed HTML links in those instructions to point to additional information or instructions for a user to follow when reviewing an SoD policy violation. Providing these instructions is optional. If you provide resolution instructions, users can see what to do to solve the violations without having to wait for further instructions.

Identity Governance displays the SoD violations with any instructions you have provided on the Policy > Violations tab. Users with the proper access can access and review these violations and resolve or approve the violations.

19.2.2 Deciding what Occurs for Separation of Duties Violations

When users review and manage an SoD case, they can resolve the violation or allow the violation to continue for a certain period of time. A user can specify compensating controls for an SoD policy. When allowing a violation to continue, if compensating controls have been defined for the policy, the user can select one or more of them to specify what controls should be in place in order to allow the violation to continue.

When users allow a violation to continue, the user can select one or more of the defined compensating controls to enforce during the continuation period of the violation. They can also specify the amount of time that the violation can continue, but the time must be less than or equal to the maximum control period defined in the policy. The maximum time is 32,768 days.

You add these compensating controls when you create the SoD policy in the Compensating Controls field.

19.2.3 Defining Separation of Duties Conditions, User Conditions, and Account Conditions

An SoD policy requires you to define one or more conditions that specify which combinations of permissions and roles users are not permitted to hold. Most of the time, a single condition suffices, but in some scenarios, you must define multiple conditions to cover more complicated combinations.

You can also configure expressions for user conditions and account conditions to specify that the SoD policy applies to specified users or unmapped accounts, such as users in specified locations, or accounts with a specified category. If you create an SoD policy with only SoD conditions, the policy applies to all users. In addition, you can define user conditions and account conditions to exclude specified users or unmapped accounts from an SoD policy.

Identity Governance tests a user’s permissions and roles against a condition to see if the user holds the combination of permissions and roles specified in the condition. The user violates the SoD policy only if the user’s permissions and roles violate every condition defined in the SoD policy.

Identity Governance also tests unmapped accounts against the SoD policies. Unmapped accounts, or accounts with no associated users, may have permissions assigned to them. As with user accounts, Identity Governance tests whether the account has the combination of permissions specified in the condition. If the account's permissions match the condition, the account violates that condition. The account violates the SoD policy only if the account’s permissions violate every condition in the SoD policy.

Many simple policies require only a single condition to specify permission and role combinations that are not permitted. More complex combinations require multiple conditions, but you will rarely need more than two conditions.

Conditions consist of two parts:

  • A list of one or more of the following:

    • The SoD Condition, which includes one or more of the following:

      • One or more Entities made up of permissions, business roles, and technical roles that Identity Governance tests against a user’s permissions, business roles, and technical roles, which can consist of all permissions, all roles, or a mixture of permissions and roles

      • One or more Permission Expressions that Identity Governance tests against a user’s permissions

      • One or more Business Role Expressions that Identity Governance tests against a user’s business role assignments

      • One or more Technical Role Expressions that Identity Governance tests against a user’s technical role assignments, or who hold all the permissions of the role

        NOTE:A deactivated technical role is excluded from the SoD policy detection. If the role becomes active later and matches the detection condition, then it is included in the detection process.

    • The User Condition includes one or more expressions that Identity Governance tests against a user’s identity information

    • The Account Condition includes one or more expressions that Identity Governance tests against unmapped account information

  • A condition type specifies how Identity Governance evaluates the user’s permissions and roles. There are three types of policy conditions:

    User has all of the following

    A user violates this condition if the user has all the specified user conditions, account permissions, and SoD conditions. This condition is the most commonly used type. You can use this single condition to specify most combinations of permissions and roles that a user is not permitted to hold.

    NOTE:When you create expressions with the “has all” condition type, the user must hold all the items matching the query. For example, if the expression specifies permissions with category “Finance,” a user would be in violation only if the user holds all permissions with the “Finance” category.

    User has one or more of the following

    A user violates this condition if the user has at least one of the specified user conditions, account permissions, and SoD conditions.

    User has more than one of the following

    A user violates this condition if the user has two or more of the specified user conditions, account permissions, and SoD conditions. A condition of this type must list at least two permissions and roles. If the condition lists exactly two permissions and roles, it is equivalent to a User has all of the following condition with two permissions and roles.

19.2.4 Examples of Conditions for Separation of Duties Policies

You can combine user conditions, account conditions, and SoD conditions to allow you to create more flexible and dynamic SoD policies, as illustrated in the following examples.

Using categories to create SoD policies that automatically update with changes to the categories: You can create a category and assign it to a set of permissions, business roles, or technical roles that would cause a user to be in violation of the SoD policy. If the category assignments change after you create the SoD policy, the SoD violations are automatically updated without having to add the new permission, technical role, or business role to the SoD policy condition items.

To create an SoD policy for this example:

  1. Log in as a Customer, Global, or Separation of Duties Administrator.

  2. Select Policy > SoD.

  3. Click the plus sign (+).

  4. Provide a name, description, and owner for the SoD policy.

  5. Under SoD Conditions, use the drop-down list to specify that “A user is in violation if” User has one or more of the following:, All of the following:, or More than one of the following:.

  6. Next to Add items, click the plus sign (+).

  7. Select Add Permission Expression.

  8. In the Expression Builder, use the drop-down lists to specify Categories and equal to, then type the category name.

  9. Define any additional conditions or filters.

  10. Click Save.

  11. Click Save to save the policy.

Combine conditions to exclude some users from defined account conditions or SoD conditions: You can combine conditions to create an SoD policy of which a user is in violation only if the user does not match one of the defined conditions. For example, you can combine conditions to specify that users who are not in the Finance Department would violate a SoD policy if they hold any permissions from the “Finance Application.”

To create an SoD policy for this example:

  1. Log in as a Customer, Global, or Separation of Duties Administrator.

  2. Select Policy > SoD.

  3. Click the plus sign (+).

  4. Provide a name, description, and owner for the SoD policy.

  5. Next to User Conditions, click the plus sign (+).

  6. In the Expression Builder, use the drop-down lists to specify Department and not equal to, then type Finance.

  7. Click Save.

  8. Under SoD Conditions, use the drop-down list to specify that “A user is in violation if” User has one or more of the following:, All of the following:, or More than one of the following:.

  9. Next to Add items, click the plus sign (+).

  10. Select Add Permission Expression.

  11. In the Expression Builder, use the drop-down lists to specify Application and equal to, then type Finance Application.

  12. Click Save.

  13. Click Save to save the policy.