18.2 Understanding the Separation of Duties Policy Options

When you create an SoD policy, you must define which conditions make up the policy, what happens when the policy is violated, and how to resolve the violation. Use the following information to create the SoD policies that work best in your environment.

18.2.1 Providing Resolution Instructions for the Separation of Duties Policies

When you create an SoD policy, you can add resolution instructions in the Resolve field, and you can embed HTML links in those instructions to point to additional information or instructions for a user to follow when reviewing an SoD policy violation. Providing these instructions is optional. If you provide resolution instructions, users can see what to do to solve the violations without having to wait for further instructions.

Identity Governance displays the SoD violations with any instructions you have provided on the Policy > Violations tab. Users with the proper access can access and review these violations and resolve or approve the violations.

18.2.2 Overriding Global Potential SoD Violation Approval Policy

The global potential SoD violation approval policy determines if approval is required for potential SoD violations and, if required, whether self approval is allowed. Only users with Customer, Global, or Access Request Administrator authorization can set the global potential SoD violation approval policy. However, SoD Administrators and policy owners can select Override global potential SoD violation approval settings to specify potential SoD violation approval policies for each SoD policy and override the global policy.

NOTE: The override only applies to potential violations that are detected for that SoD policy. For more information, see Section 19.7, Understanding Potential SoD Violations and Section 21.2.4, Setting Global Potential SoD Violation Approval Policy.

18.2.3 Deciding what Occurs when the Separation of Duties Policy is Violated

When users review and manage an SoD case, they can resolve the violation or allow the violation to continue for a certain period of time. A user can specify compensating controls for an SoD policy. When allowing a violation to continue, if compensating controls have been defined for the policy, the user can select one or more of them to specify what controls should be in place in order to allow the violation to continue.

When users allow a violation to continue, they select one or more of the defined compensating controls to enforce during the continuation period. They also specify how long the violation can continue; that period must be less than or equal to the maximum control period defined in the policy. The maximum control period is 32,768 days.

You add these compensating controls when you create the SoD policy in the Compensating Controls field.

18.2.4 Defining Separation of Duties Conditions

An SoD policy allows you to define one or more conditions that specify which combinations of permissions and roles users are not permitted to hold. Most of the time, a single condition suffices, but in some scenarios, you must define multiple conditions to cover more complicated combinations.

Identity Governance tests a user’s permissions and roles against a condition to see if the user holds the combination of permissions and roles specified in the condition. If the user’s permissions and roles match the condition, the user violates that condition. The user violates the SoD policy only if the user’s permissions and roles violate every condition in the SoD policy.

Identity Governance also tests unmapped accounts against the SoD policies. Unmapped accounts, or accounts with no associated users, may have permissions assigned to them. As with user accounts, Identity Governance tests if the account has the combination of permissions specified in the condition. If the account's permissions match the condition, the account violates that condition. The account violates the SoD policy only if the account’s permissions violate every condition in the SoD policy.

Many simple policies require only a single condition to specify permission and role combinations that are not permitted. More complex combinations require multiple conditions, but you will rarely need more than two conditions.

A condition consists of two parts:

  • A list of one or more permissions and roles that Identity Governance tests against a user’s permissions and roles. The list can consist of all permissions, all roles, or a mixture of permissions and roles.

  • A condition type that specifies how Identity Governance evaluates the user’s permissions and roles. There are three types of policy conditions:

    User has all of the following

    A user violates this condition if the user has all of the listed permissions, business roles, and technical roles specified in the condition. This condition is the most commonly used type. You can use this single condition to specify most combinations of permissions and roles that a user is not permitted to hold.

    User has one or more of the following

    A user violates this condition if the user has any of the specified permissions, business roles, and technical roles. The condition must always be used in conjunction with one or more of the other conditions. Identity Governance does not allow an SoD policy with a single condition of this type.

    NOTE: Identity Governance does not allow an SoD policy that specifies a single permission or role a user is not permitted to hold. For example, a policy with a single User has all of the following condition that lists a single permission or role, or a policy with a single User has one or more of the following condition is not permitted.

    User has more than one of the following

    A user violates this condition if the user has two or more of the specified permissions and roles. A condition of this type must list at least two permissions and roles. If the condition lists exactly two permissions and roles, it is equivalent to a User has all of the following condition with two permissions and roles.
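The following Python model, added here as an illustration and not Identity Governance product code, implements the evaluation rules described in this section and the continuation rules from Section 18.2.3: each of the three condition types is tested against the set of permissions and roles a user or unmapped account holds, the policy is violated only when every condition is violated, the validity rules from the notes above are checked before evaluation, and a continuation request is accepted only if its period is within the policy's maximum control period and its compensating controls were defined on the policy. The class and function names, the identifier scheme (`perm:` and `role:` prefixes), and the sample policies and subjects are constructed for this example.

```python
"""Model of SoD policy condition evaluation (added example, not product code)."""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Set

# The three condition types named in the product documentation.
ALL = "User has all of the following"
ANY = "User has one or more of the following"
MORE_THAN_ONE = "User has more than one of the following"

MAX_CONTROL_PERIOD_DAYS = 32768  # upper bound stated in Section 18.2.3


@dataclass(frozen=True)
class Condition:
    kind: str
    items: FrozenSet[str]  # mixed list of permission and role identifiers


@dataclass
class SodPolicy:
    name: str
    conditions: List[Condition]
    compensating_controls: List[str] = field(default_factory=list)
    max_control_period_days: int = MAX_CONTROL_PERIOD_DAYS


def validate_policy(policy: SodPolicy) -> List[str]:
    """Return the reasons a policy definition would be rejected (empty = valid)."""
    errors: List[str] = []
    if not policy.conditions:
        errors.append("a policy needs at least one condition")
    for c in policy.conditions:
        if c.kind not in (ALL, ANY, MORE_THAN_ONE):
            errors.append(f"unknown condition type {c.kind!r}")
        if not c.items:
            errors.append(f"{c.kind!r} lists no permissions or roles")
        if c.kind == MORE_THAN_ONE and len(c.items) < 2:
            errors.append(f"{MORE_THAN_ONE!r} must list at least two items")
    if len(policy.conditions) == 1:
        only = policy.conditions[0]
        if only.kind == ANY:
            errors.append("a single 'one or more' condition is not permitted")
        if only.kind == ALL and len(only.items) < 2:
            errors.append("a policy may not forbid a single permission or role")
    if not 1 <= policy.max_control_period_days <= MAX_CONTROL_PERIOD_DAYS:
        errors.append("maximum control period out of range")
    return errors


def violates_condition(held: Set[str], condition: Condition) -> bool:
    """True when the held permissions/roles match the condition."""
    matched = len(held & condition.items)
    if condition.kind == ALL:
        return matched == len(condition.items)
    if condition.kind == ANY:
        return matched >= 1
    if condition.kind == MORE_THAN_ONE:
        return matched >= 2
    raise ValueError(condition.kind)


def violates_policy(held: Set[str], policy: SodPolicy) -> bool:
    """A subject (user or unmapped account) violates the policy only if it
    violates every condition; the same test applies to both subject kinds."""
    errors = validate_policy(policy)
    if errors:
        raise ValueError("invalid policy: " + "; ".join(errors))
    return all(violates_condition(held, c) for c in policy.conditions)


def continuation_request_ok(policy: SodPolicy, days: int, controls: Iterable[str]) -> bool:
    """Accept a request to let a violation continue only within the policy's
    maximum control period and with controls that the policy defines."""
    if not 1 <= days <= policy.max_control_period_days:
        return False
    return set(controls) <= set(policy.compensating_controls)


# Constructed sample policies and subjects (not from any real deployment).
PAYMENTS_POLICY = SodPolicy(
    "Vendor creation vs. payment approval",
    [Condition(ALL, frozenset({"perm:create-vendor", "perm:approve-payment"}))],
)
LEDGER_POLICY = SodPolicy(
    "Finance admin or auditor with ledger write access",
    [
        Condition(ANY, frozenset({"role:finance-admin", "role:finance-auditor"})),
        Condition(MORE_THAN_ONE, frozenset({"perm:edit-ledger", "perm:post-journal", "perm:close-period"})),
    ],
    compensating_controls=["quarterly access review", "dual sign-off on journal posts"],
    max_control_period_days=365,
)
UNMAPPED_ACCOUNT = {"role:finance-admin", "perm:edit-ledger", "perm:post-journal"}  # no user mapped

if __name__ == "__main__":
    for who, held in [("alice", {"perm:create-vendor", "perm:approve-payment"}),
                      ("bob", {"perm:create-vendor"}),
                      ("svc-ledger (unmapped)", UNMAPPED_ACCOUNT)]:
        for pol in (PAYMENTS_POLICY, LEDGER_POLICY):
            print(f"{who:22} {pol.name:50} violation={violates_policy(held, pol)}")
```

The second sample policy needs two conditions because the "one or more" type cannot stand alone; it fires only when a subject holds one of the listed roles and at least two of the listed ledger permissions, which mirrors the every-condition rule stated above. A "more than one" condition listing exactly two items behaves the same as an "all of the following" condition with those two items, and the model reflects that.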