19.1 Understanding Separation of Duties

When a single person in your organization has access to too many systems, you could have problems proving that your systems are safe from fraud when it is time for audits.

The SoD Administrator should be a business owner who understands the appropriate access levels for individuals in your organization. By creating policies to keep a single person from having too much responsibility, the SoD Administrator enables Identity Governance to identify users with access to company assets that should be reviewed. SoD policies put access control rules over your business systems to give you the ability to show auditors the automated protection that Identity Governance provides.

Active SoD policies in Identity Governance provide the ability to check for violations and warn of violations when executing actions, such as performing reviews, defining roles, requesting access, approving access, or examining manual fulfillment requests.

SoD policies enable you to identify SoD violations in your current data. The SoD Administrator or policy owners review the requests to determine whether to resolve or approve the violation. If, based on the global potential SoD violation approval policy or a specific SoD policy, potential violations do not require approvals, Identity Governance sends the requests directly to fulfillment.

Identity Governance allows you to assign an SoD approval policy to specified SoD polices. SoD approval policies provide approval criteria for resolution or approval of existing violations, required approval of potential SoD violations for access requests, or to prevent approval for SoD violations that occur due to a toxic combination of permissions that should never be allowed. You can also set a default SoD approval policy to control if potential SoD violations require approval before the set of access requests are fulfilled. To determine which SoD approval policy is set as the default, select Policy > SoD, click the SoD Approval Policy tab, then click Default SoD Approval Policy. You can also run an Insight Query to view all your SoD policies and the SoD approval policies assigned to them. For more information, see Creating and Assigning Separation of Duties Approval Policies.

If no SoD approval policy is specified, potential SoD violations do not require approval, and Global, SoD, and Customer Administrators -- along with SoD owners and approvers -- may resolve or approve detected violations. For any actual violations of the policies, Identity Governance creates cases and lists them on the Policy > Violations page. The SoD Administrator or policy owners review the cases to determine whether to resolve or approve the violation.

The SoD cases are similar to the standard review process. Instead of a review definition running on a regular schedule, SoD policies run as long as they are active and continuously create cases for violations. SoD violations are also shown in review item expanded view. For more information about reviews, see Section 25.1, Understanding the Process Flow. For more information about SoD violations, SoD cases, and potential SoD violations, see Section 20.0, Managing Separation of Duties Violations.