18.3 Creating and Editing Separation of Duties Policies

After you publish data, you can create separation of duties (SoD) policies that Identity Governance uses to alert you to possible violations. An active SoD policy definition lets Identity Governance list violations and create cases for you to review and approve, or to send to fulfillment for correction. Users with the Customer, Global, or Separation of Duties Administrator authorization can create and modify SoD policies.

NOTE: Until you publish data, no permissions are available to include as SoD conditions in an SoD policy.

By default, Identity Governance calculates SoD violations using both detected and assigned technical roles. If you have no assigned technical roles, use the Violation Options tab on the SoD Policies page to calculate SoD violations using only detected technical roles.

To create an SoD policy:

  1. Log in as a Customer, Global, or Separation of Duties Administrator.

  2. Under Policy, select SoD.

  3. Select + to create a separation of duties policy.

  4. (Optional) Select Active to have Identity Governance discover violations of the policy and create SoD violations and cases.

  5. Provide the required information. For more information about defining SoD conditions, see Section 18.2.4, Defining Separation of Duties Conditions.

    NOTE: Policy names must be unique, but they are not case sensitive. Therefore, Identity Governance considers “SoD1” and “SOD1” to be equivalent.

  6. (Optional) Specify a potential SoD violation approval policy for this policy, overriding the global approval policy.

  7. (Optional) Specify one or more compensating controls and a maximum control period. Identity Governance displays these compensating controls in SoD cases as a selection for approving a violation to continue for a certain time period.

  8. (Optional) Click Estimate Violations to see an estimate of the number of users who currently violate this policy. The button is not active until you have added at least one SoD condition.

  9. Save your settings.

If a permission or authorization referenced in an active policy's conditions is later deleted, Identity Governance marks the policy as invalid and puts all of the policy's currently open SoD cases on hold. Deleting permissions or authorizations referenced by an inactive policy has no effect, because no detection runs for that policy.
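The following is an added illustration of the evaluation rules described on this page (detected versus assigned technical roles, case-insensitive policy names, violation estimates, and invalidation of an active policy when a referenced permission disappears). It is not Identity Governance code and does not use its API; the data model, the role-to-permission table, and the interpretation of an SoD condition as "the user holds at least one permission from every condition" are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample data: technical roles and the permissions they grant.
# The role and permission names are invented for this example.
ROLE_PERMISSIONS = {
    "AP-Clerk":    {"vendor.create", "invoice.enter"},
    "AP-Approver": {"payment.approve"},
    "Auditor":     {"ledger.read"},
}


@dataclass(frozen=True)
class SodPolicy:
    name: str
    # Each condition is a set of permission names. In this model a user
    # violates the policy when they hold at least one permission from every
    # condition (assumed semantics, not taken from the product).
    conditions: tuple
    active: bool = True


@dataclass
class User:
    name: str
    detected_roles: set   # roles found in published data
    assigned_roles: set   # roles granted through Identity Governance


@dataclass
class SodCase:
    policy: str
    user: str
    status: str = "open"   # open | on_hold | approved


def add_policy(registry: dict, policy: SodPolicy) -> dict:
    """Register a policy; names are unique and compared case-insensitively,
    so "SoD1" and "SOD1" collide."""
    key = policy.name.casefold()
    if key in registry:
        raise ValueError(f"policy name {policy.name!r} collides with "
                         f"existing policy {registry[key].name!r}")
    registry[key] = policy
    return registry


def effective_permissions(user: User, use_assigned: bool = True) -> set:
    """Permissions a user holds through detected roles and, unless the
    'detected only' violation option is chosen, assigned roles too."""
    roles = set(user.detected_roles)
    if use_assigned:
        roles |= user.assigned_roles
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def violates(policy: SodPolicy, user: User, use_assigned: bool = True) -> bool:
    perms = effective_permissions(user, use_assigned)
    return all(perms & cond for cond in policy.conditions)


def find_violations(policy: SodPolicy, users, use_assigned: bool = True) -> list:
    """Users violating the policy; also serves as the 'estimate violations'
    count. Inactive policies are never evaluated."""
    if not policy.active or not policy.conditions:
        return []
    return sorted(u.name for u in users if violates(policy, u, use_assigned))


def known_permissions() -> set:
    return set().union(*ROLE_PERMISSIONS.values())


def policy_is_valid(policy: SodPolicy, known: set) -> bool:
    """A policy is valid only while every permission it references exists."""
    return all(cond <= known for cond in policy.conditions)


def revalidate(policy: SodPolicy, cases: list, known: set) -> str:
    """Apply the page's rule after permissions are deleted: an active policy
    that references a missing permission becomes invalid and its open cases
    go on hold; an inactive policy is left alone."""
    if policy_is_valid(policy, known):
        return "valid"
    if not policy.active:
        return "inactive"
    for case in cases:
        if case.policy == policy.name and case.status == "open":
            case.status = "on_hold"
    return "invalid"


if __name__ == "__main__":
    users = [
        User("alice", {"AP-Clerk"}, {"AP-Approver"}),
        User("bob", {"AP-Clerk", "AP-Approver"}, set()),
        User("carol", {"Auditor"}, set()),
    ]
    policy = SodPolicy("SoD1", (frozenset({"vendor.create", "invoice.enter"}),
                               frozenset({"payment.approve"})))
    print("detected+assigned:", find_violations(policy, users))
    print("detected only:   ", find_violations(policy, users, use_assigned=False))
```

Running the block shows why the Violation Options choice matters: alice only violates the policy through an assigned role, so she appears in the first list and not the second. The `revalidate` function models the on-hold behaviour described above and can be exercised by removing a role from `ROLE_PERMISSIONS` and recomputing `known_permissions()`.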