17.2 Creating and Editing Separation of Duties Policies

After you have published data, you can create separation of duties (SoD) policies that Identity Governance uses to alert you of possible violations. When you have active SoD policy definitions, Identity Governance lists violations and creates cases for you to review and approve or send to fulfillment for correction. Users with the Separation of Duties Administrator or Global Administrator authorization can create and modify SoD policies.

  1. Under Policy, select SoD.

  2. Select + to create a separation of duties policy.

  3. (Optional) Select Active to have Identity Governance discover violations of the policy and create SoD violations and cases.

  4. Provide the required information. For more information about defining SoD conditions, see Defining Separation of Duties Conditions.

    NOTE: Policy names must be unique. When Identity Governance checks for uniqueness, it does not consider case. Therefore, Identity Governance considers SoD1 and SOD1 to be equivalent.

  5. (Optional) Specify a potential SoD violation approval policy for the current policy by overriding global policy. For more information, see Overriding Global Potential SoD Violation Approval Policy.

  6. (Optional) Specify one or more compensating controls and a maximum control period. Identity Governance displays these compensating controls in SoD cases as a selection for approving a violation to continue for a certain time period. For more information, see Section 17.3.3, Deciding what Occurs when the Separation of Duties Policy is Violated.

  7. (Optional) Click Estimate Violations to see an estimate of the number of violations of this policy. You must add SoD conditions to make this button active.

  8. Save your settings.

After you create and activate a policy, some of the permissions or authorizations listed in the policy's conditions might be deleted. When this happens, the policy is marked as invalid, and all of the policy's currently open SoD cases are put on hold. If the policy is not active, deleting its permissions or authorizations has no effect, since no detection is being done for the policy.
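The following is a constructed model of the policy lifecycle described in this section (added here as an illustration; it is not Identity Governance code and its class and function names are hypothetical): case-insensitive name uniqueness, a violation estimate that is unavailable until a condition exists, detection only for active policies, and invalidation with open cases put on hold when a referenced permission is deleted. The condition model is simplified to "a user holding a permission from every condition set is in violation".

```python
from dataclasses import dataclass, field

@dataclass
class SoDPolicy:
    name: str
    # Each condition is a set of permission ids; a user holding a permission
    # from every condition set violates the policy (simplified condition model).
    conditions: list = field(default_factory=list)
    active: bool = False
    valid: bool = True
    cases: dict = field(default_factory=dict)  # user -> "open" | "on hold"

def add_policy(registry: dict, policy: SoDPolicy) -> bool:
    """Register a policy; names are compared ignoring case, so SoD1 == SOD1."""
    key = policy.name.casefold()
    if key in registry:
        return False
    registry[key] = policy
    return True

def violators(policy, assignments: dict) -> list:
    """Users whose permissions intersect every condition set of the policy."""
    return sorted(user for user, perms in assignments.items()
                  if all(perms & cond for cond in policy.conditions))

def estimate_violations(policy, assignments):
    """Like 'Estimate Violations': unavailable (None) until a condition exists."""
    if not policy.conditions:
        return None
    return len(violators(policy, assignments))

def detect(policy, assignments) -> int:
    """Open a case per violator; inactive, invalid or empty policies detect nothing."""
    if not (policy.active and policy.valid and policy.conditions):
        return 0
    for user in violators(policy, assignments):
        policy.cases.setdefault(user, "open")
    return len(policy.cases)

def delete_permission(policy, pid: str) -> None:
    """Deleting a permission an active policy references marks the policy
    invalid and puts its open cases on hold; inactive policies are unaffected."""
    if policy.active and any(pid in cond for cond in policy.conditions):
        policy.valid = False
        for user, status in policy.cases.items():
            if status == "open":
                policy.cases[user] = "on hold"
```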