18.5 Creating and Assigning Separation of Duties Approval Policies

Identity Governance allows you to create, edit, import, download (export), and assign SoD approval policies to specified SoD policies. SoD approval policies provide approval criteria for the following:

  • Resolution or approval, by one or more people, of detected SoD violations

  • Required approval, by one or more people, of potential SoD violations for access requests

  • Prevention of approval for SoD violations that occur due to a toxic combination of permissions that should never be allowed

Identity Governance provides the following SoD approval policies, which you can either use as configured, or edit to customize for your organization:

Auto Deny

This SoD approval policy is configured to prevent requests for any resource that would violate the SoD policy conditions, and to prevent approval of any existing or potential SoD violation. Use this approval policy when an SoD violation represents a toxic combination of permissions that should never be allowed. For more information, see Creating an SoD Approval Policy for Toxic SoD Violations.

SoD Administrators

This SoD approval policy does not require approval for potential SoD violations, but allows any detected SoD violations to be mitigated by users with permission to manage SoD policies, such as SoD Owners, Global Administrators, Customer Administrators, or SoD Administrators.

SoD Owner Approval

This SoD approval policy requires SoD Owners to approve any potential SoD violation, and allows any detected SoD violations to be mitigated by users who can manage SoD policies, such as SoD Owners, Global Administrators, Customer Administrators, or SoD Administrators.

NOTE: Identity Governance does not require approval of a potential SoD violation if the violation already exists and is not toxic.

When you configure an SoD approval policy, you can also have Identity Governance send email notifications to alert or remind approvers of outstanding tasks, and configure escalation to an additional approver if the approvers do not complete their tasks within a specified period.

You are not required to assign an SoD approval policy to SoD policies. However, if you do not assign an SoD approval policy to SoD policies, SoD owners are required to resolve or approve detected violations. For more information, see Assigning a Default SoD Approval Policy.

18.5.1 Creating and Editing SoD Approval Policies

Identity Governance allows you to create SoD approval policies, and also provides three SoD approval policies that cover general situations.

To create an SoD approval policy:

  1. Log in as a Customer, Global, or Separation of Duties Administrator.

  2. Select Policy > SoD, then click SoD Approval Policies.

  3. Click SoD Approval Policies, then click the plus sign (+).

  4. Provide a name and description for the SoD approval policy.

  5. (Conditional) If you want to create an SoD approval policy that specifies an SoD violation as having toxic combinations that should never be allowed, specify the Toxic user condition and/or the Toxic account condition. For more information, see Creating an SoD Approval Policy for Toxic SoD Violations.

  6. Next to Approval Steps, click the plus sign (+).

  7. Click Approval Step #1, Approvers; Supervisors, then provide the requested information for:

    • Approvers - Select one of the following to specify the approver:

      • Violator supervisor

      • SoD policy owner

      • Select users and groups

        NOTE: If you specify multiple users or a group as the approver, only one potential approver of those specified is required to complete the approval step.

    • Notifications

    • Approval Escalation

      NOTE: The escalation approver is added to the approval task only if the approval step is not complete by the specified escalation period.

  8. (Conditional) If you need to require multiple approvers for potential SoD violations, see Section 18.5.3, Requiring Multiple Approvals for SoD Violations.

  9. Click Save.

After saving the SoD approval policy, you can click the SoD Policies tab to immediately assign the SoD approval policy to an SoD policy. If you want to assign the SoD approval policy at a later time, you can do so using the Separation of Duties Policies tab. For more information, see Assigning SoD Approval Policies.

You may edit the SoD approval policies, including those provided by Identity Governance, as needed.

To edit an SoD Approval policy:

  1. Log in as a Customer, Global, or Separation of Duties Administrator.

  2. Select Policy > SoD, then click SoD Approval Policies.

  3. Click SoD Approval Policies.

  4. Click the SoD approval policy you want to modify, then click Edit.

  5. Make the desired changes to the SoD approval policy, then click Save.

18.5.2 Creating an SoD Approval Policy for Toxic SoD Violations

Identity Governance normally raises potential SoD violations to the SoD Administrator or the SoD Owner specified in the SoD policy, but does not prevent them from temporarily approving the request and allowing the violation to occur for a specified period of time. In some cases, however, your organization may want to designate the combination of user and/or account conditions defined in an SoD policy as toxic to ensure that no request that violates the SoD policy may be granted under any circumstances. You may use or edit the provided Auto Deny SoD approval policy, or you may configure your own.

Identity Governance allows you to configure an SoD approval policy to make the SoD policy toxic for all users, all accounts, or to create expressions that make the SoD policy toxic for specific sets of users or orphaned accounts. For example, you can use the Expression Builder to specify that an SoD policy is toxic if the violating user is in a specified department or works under a specified supervisor.

To configure an SoD approval policy for toxic SoD conditions:

  1. Log in as a Customer, Global, or Separation of Duties Administrator.

  2. Select Policy > SoD, then click SoD Approval Policies.

  3. Click SoD Approval Policies, then click the plus sign (+).

  4. Provide a name and description for the SoD approval policy.

  5. Specify the Toxic user condition or the Toxic account condition as one of the following:

    • Always Toxic

    • Expression

    NOTE: If you select Expression, use the Expression Builder to create expressions from one or more conditions and filters that define the toxic attributes for the violator or the account.

  6. Click Save.

After you save the SoD approval policy, you can click the SoD Policies tab to immediately assign the SoD approval policy to an SoD policy, or you can assign the SoD approval policy at a later time. For more information, see Assigning SoD Approval Policies.

18.5.3 Requiring Multiple Approvals for SoD Violations

Identity Governance allows a Customer, Global, or Separation of Duties Administrator to create and configure multi-step approval processes that require at least two people to approve an SoD violation. Configuring an SoD approval policy to use this four-eyes principle ensures that a violation is approved by multiple people. It also ensures that any user who approves the SoD violation at one step is excluded as an approver for subsequent steps, and it prevents users from approving their own SoD violations.

To configure multiple approvals for SoD violations:

  1. Log in as a Customer, Global, or Separation of Duties Administrator.

  2. Select Policy > SoD, then click SoD Approval Policies.

  3. Click SoD Approval Policies, then click the plus sign (+).

  4. Provide a name and description for the SoD approval policy.

  5. Specify the Toxic user condition or the Toxic account condition as:

    • None

    • Always Toxic

    • Expression

    NOTE: If you select Always Toxic for both the Toxic user condition and the Toxic account condition, you are creating an SoD approval policy for toxic conditions, and cannot assign approval steps.

    NOTE: If you select Expression, use the Expression Builder to create expressions from one or more conditions and filters that define the toxic attributes for the violator or the account.

  6. Next to Approval Steps, click the plus sign (+).

  7. Click Approval Step #1, Approvers; Supervisors, then provide the requested information for:

    • Approvers - Select one of the following to specify the approver:

      • Violator supervisor

      • SoD policy owner

      • Select users and groups

        NOTE: If you specify multiple users or a group as the approver, only one potential approver of those specified is required to complete the approval step.

    • Notifications

    • Approval Escalation

      NOTE: The escalation approver is added to the approval task only if the approval step is not complete by the specified escalation period.

  8. Repeat Steps 6 and 7 for each additional approver required for the potential SoD violation. Each repetition adds one approval step; a user who completes one step cannot complete a later step.

  9. Click Save.

After you save the SoD approval policy, you can click the SoD Policies tab to immediately assign the SoD approval policy to an SoD policy, or you can assign the SoD approval policy at a later time. For more information, see Assigning SoD Approval Policies.
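The following is an added example, not Identity Governance code, that models how the rules described in Sections 18.5.2 and 18.5.3 combine when a potential SoD violation is evaluated: a matched toxic condition denies the request before any approver is consulted, an existing non-toxic violation needs no approval, any one member of a step's approver set completes that step, the escalation approver joins only after the escalation period, a user who completed an earlier step is excluded from later steps, and nobody can approve their own violation. The class and field names, the two approver sentinels, and the sample users and dates are assumptions made for the example.

```python
# Added illustration of SoD approval policy evaluation; not Identity Governance
# code. Class names, fields, sentinels and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

VIOLATOR_SUPERVISOR = "<violator supervisor>"   # models the "Violator supervisor" choice
SOD_POLICY_OWNER = "<sod policy owner>"         # models the "SoD policy owner" choice

@dataclass(frozen=True)
class User:
    id: str
    department: str
    supervisor: Optional[str] = None

@dataclass
class ApprovalStep:
    approvers: frozenset                 # any ONE of these completes the step
    escalate_to: Optional[str] = None
    escalation_after: timedelta = timedelta(days=3)

@dataclass
class SoDApprovalPolicy:
    name: str
    # None = no toxic condition; lambda u: True = "Always Toxic";
    # any other predicate over the violator models an "Expression".
    toxic_user: Optional[Callable[[User], bool]] = None
    steps: list = field(default_factory=list)

@dataclass
class PotentialViolation:
    violator: User
    sod_policy_owner: str
    raised_at: datetime
    already_exists: bool = False         # detected before this request was made

def eligible_approvers(step, violation, prior_approvers, at):
    """Who may complete `step` at time `at`, after the four-eyes exclusions."""
    names = {violation.violator.supervisor if a == VIOLATOR_SUPERVISOR
             else violation.sod_policy_owner if a == SOD_POLICY_OWNER else a
             for a in step.approvers}
    names.discard(None)                       # violator without a supervisor
    # The escalation approver is added only once the escalation period elapsed.
    if step.escalate_to and at - violation.raised_at >= step.escalation_after:
        names.add(step.escalate_to)
    names -= prior_approvers                  # approved an earlier step: excluded
    names.discard(violation.violator.id)      # nobody approves their own violation
    return names

def decide(policy, violation, approvals):
    """approvals: (approver_id, time) pairs in order. Returns (outcome, detail)."""
    if policy.toxic_user is not None and policy.toxic_user(violation.violator):
        return "denied", "toxic condition matched; no approval is possible"
    if violation.already_exists:
        return "approved", "existing non-toxic violation; no approval required"
    if not policy.steps:
        return "approved", "policy has no approval steps"
    prior, step_no, rejected = set(), 0, []
    for approver, at in approvals:
        if step_no == len(policy.steps):
            break
        if approver in eligible_approvers(policy.steps[step_no], violation, prior, at):
            prior.add(approver)
            step_no += 1
        else:
            rejected.append((approver, step_no + 1))
    if step_no == len(policy.steps):
        return "approved", f"approved by {sorted(prior)}; rejected attempts {rejected}"
    return "pending", f"waiting on step {step_no + 1}; rejected attempts {rejected}"

def run_scenarios():
    """Constructed sample data exercising each rule; returns the outcome per case."""
    alice = User("alice", "finance", supervisor="bob")
    raised = datetime(2024, 1, 1, 9, 0)
    later = raised + timedelta(days=3)
    v = PotentialViolation(alice, sod_policy_owner="carol", raised_at=raised)
    existing = PotentialViolation(alice, "carol", raised, already_exists=True)
    four_eyes = SoDApprovalPolicy("Two-step approval", steps=[
        ApprovalStep(frozenset({VIOLATOR_SUPERVISOR}), escalate_to="dave"),
        ApprovalStep(frozenset({SOD_POLICY_OWNER, "bob"}))])
    users = SoDApprovalPolicy("Selected users", steps=[ApprovalStep(frozenset({"alice", "carol"}))])
    auto_deny = SoDApprovalPolicy("Auto Deny", toxic_user=lambda u: True)
    finance_toxic = SoDApprovalPolicy("Toxic for finance", steps=users.steps,
                                      toxic_user=lambda u: u.department == "finance")
    return {
        "same_person_twice": decide(four_eyes, v, [("bob", raised), ("bob", raised)])[0],
        "two_distinct_people": decide(four_eyes, v, [("bob", raised), ("carol", raised)])[0],
        "escalation_too_early": decide(four_eyes, v, [("dave", raised), ("carol", raised)])[0],
        "escalation_after_period": decide(four_eyes, v, [("dave", later), ("carol", later)])[0],
        "self_approval": decide(users, v, [("alice", raised)])[0],
        "no_steps": decide(SoDApprovalPolicy("SoD Administrators"), v, [])[0],
        "always_toxic": decide(auto_deny, v, [("bob", raised), ("carol", raised)])[0],
        "expression_toxic": decide(finance_toxic, v, [("carol", raised)])[0],
        "existing_non_toxic": decide(four_eyes, existing, [])[0],
    }

if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:24s} {outcome}")
```

The "same_person_twice" case is the one to check when you design a multi-step policy: bob is listed as an approver on both steps, but because he completed step 1 he is no longer eligible for step 2, so a second person is always needed. The "no_steps" case corresponds to a policy such as the provided SoD Administrators policy, under which potential violations are not held for approval.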

18.5.4 Assigning SoD Approval Policies

Identity Governance allows you to assign an SoD approval policy to specified SoD policies. The assigned approval policy provides the approval criteria for resolving or approving existing violations, for approving potential SoD violations raised by access requests, and for preventing approval of SoD violations that involve a toxic combination of permissions that should never be allowed. You can also set any SoD approval policy as the default approval policy for the SoD policies that are not assigned an SoD approval policy.

You are not required to assign an SoD approval policy to SoD policies. If you do not assign an SoD approval policy, and if you do not set a default SoD approval policy, SoD owners will be required to resolve or approve detected violations.

To assign an SoD approval policy from the Separation of Duties Policies tab:

  1. Log in as a Customer, Global, or Separation of Duties Administrator.

  2. Select Policy > SoD.

  3. On the Separation of Duties Policies tab, select one or more SoD policies.

  4. Select Action > Assign approval policy.

  5. Search for, and select, an SoD approval policy to assign to the specified SoD policies.

  6. Click Assign.

Identity Governance also allows you to assign an SoD approval policy from the Separation of Duties Approval Policies tab. This functionality allows you to assign the SoD approval policy to an SoD policy immediately after you save the approval policy.

To assign an SoD approval policy from the Separation of Duties Approval Policies tab:

  1. After you save an SoD approval policy, click the SoD Policies tab.

  2. Click the plus sign (+).

  3. Search for, and select, the SoD policies to which you want to assign this SoD approval policy.

  4. Click Add.

18.5.5 Assigning a Default SoD Approval Policy

Global, Customer, and SoD Administrators can set any SoD approval policy as the default approval policy to govern the SoD policies that are not assigned an SoD approval policy. The selected default SoD approval policy will be used for both SoD violation resolution or approval, as well as potential SoD violations.

You are not required to assign an SoD approval policy to SoD policies. If you do not set a default SoD approval policy, Identity Governance requires SoD owners to resolve or approve detected violations. However, requested items that may result in a violation will then be fulfilled without requiring SoD owner approval, so set a default approval policy if potential violations must be reviewed before access is granted.

To assign a default SoD approval policy:

  1. Log in as a Customer, Global, or Separation of Duties Administrator.

  2. Select Policy > SoD, then click SoD Approval Policies.

  3. Click Default SoD Approval Policy.

  4. Search for, and select, the SoD approval policy you want to assign as the default policy.

  5. Click Add.

The default SoD approval policy does not appear in the SoD Approval Policy column on the Separation of Duties Policies page. To determine which SoD approval policy is the default, select the SoD Approval Policies tab, then click Default SoD Approval Policy. You can also run an Insight Query to view all your SoD policies and the SoD approval policies assigned to them. If you do not set a default SoD approval policy, then SoD policies without an assigned approval policy require no approval of potential SoD violations, and SoD Owners, Global Administrators, and Customer Administrators may resolve or approve detected SoD violations.

18.5.6 Downloading and Importing SoD Approval Policies

Identity Governance allows you to download a list of all SoD approval policy descriptions as a CSV file, download SoD approval policy definitions as JSON files, and import the SoD approval policy definitions.

To download SoD approval policies as CSV or JSON files:

  1. Log in as a Customer, Global, or Separation of Duties Administrator.

  2. Select Policy > SoD, then click SoD Approval Policies.

  3. (Conditional) If you want to download all SoD approval policy descriptions, click Actions > Download all as CSV.

  4. (Conditional) If you want to download one or more SoD approval policy definitions as JSON files, select one or more SoD approval policies, then click Actions > Download Definitions.

  5. Type a description for your downloaded files, then click Download.

  6. On the Identity Governance title bar, click the Download icon, select the download to save, then click Download.

You can view or manage downloaded files using the downloads icon on your browser, or through the Downloads directory of your computer.

When you import SoD approval policies, Identity Governance indicates whether each policy is new or an update to an existing policy, and whether the imported policy conflicts with an existing one, for example by name.

To import SoD approval policies:

  1. Log in as a Customer, Global, or Separation of Duties Administrator.

  2. Select Policy > SoD, then click SoD Approval Policies.

  3. Click Import SoD Approval Policies.

  4. In the File Upload window, navigate to, and select, the JSON file you want to import.

  5. Click Open.

  6. From the Import SoD Approval Policies screen, select one or more policies you want to import.

  7. Click Import.

Importing SoD approval policies generates a report that contains details of the imported policies, including name conflicts. You can click Generate Report if you want to view the report without importing the policies.