17.3 Understanding the Separation of Duties Policy Options

When you create an SoD policy, you must define what conditions make up the policy, what happens when the policy is violated, and how to solve the violation. Use the following information to create the SoD policies that work best in your environment.

17.3.1 Providing Resolution Instructions for the Separation of Duties Policies

When you create the SoD policy, you can add resolution instructions in the Resolve field. You can embed HTML links in these instructions to point to additional information or instructions for a user to follow when reviewing an SoD policy violation. Providing these instructions is optional. If you provide resolution instructions, users can see what to do to solve the violations without having to wait for further instructions.

Identity Governance displays the SoD violations with any instructions you have provided on the Policy > Violations tab. Users with the proper access can access and review these violations and resolve or approve the violations.

17.3.2 Overriding Global Potential SoD Violation Approval Policy

The global potential SoD violation approval policy determines if approval is required for potential SoD violations and, if required, whether self approval is allowed. Only users with Global Administrator or Access Request Administrator authorization can set the global potential SoD violation approval policy. However, SoD Administrators and policy owners can specify potential SoD violation approval policies for each SoD policy and override the global policy by selecting Override global potential SoD violation approval settings.

NOTE: The override only applies to potential violations that are detected for that SoD policy. For more information, see Understanding Potential SoD Violations and Setting Global Potential SoD Violation Approval Policy.

17.3.3 Deciding what Occurs when the Separation of Duties Policy is Violated

When users review and manage an SoD case, they can resolve the violation or allow the violation to continue for a certain period of time. A user can specify compensating controls for an SoD policy. When allowing a violation to continue, if compensating controls have been defined for the policy, the user can select one or more of them to specify what controls should be in place in order to allow the violation to continue.

When allowing a violation to continue, users can select one or more of the defined compensating controls to enforce during the continuation period of the violation. They can also specify the amount of time that the violation can continue, but the time must be less than or equal to the maximum control period defined in the policy. The maximum time is 32768 days.

You add these compensating controls when you create the SoD policy in the Compensating Controls field.

17.3.4 Defining Separation of Duties Conditions

An SoD policy specifies what combinations of permissions and roles are illegal for a user to hold by defining one or more conditions. Each condition specifies some combination of permissions and roles that are illegal. Most of the time, a single condition suffices, but there are scenarios where you must define multiple conditions to cover more complicated combinations.

Identity Governance tests a user’s permissions and roles against a condition to see if the user has the combination of permissions and roles specified in the condition. If the user’s permissions and roles match the condition, the user violates that condition. If a user’s permissions and roles violate every condition in the SoD policy, the user is in violation of the policy.

Identity Governance also tests unmapped accounts against the SoD policies. Unmapped accounts or accounts with no associated users may have permissions assigned to them. Identity Governance uses the same procedure for unmapped accounts as it does for users. It tests if the account has the combination of permissions specified in the condition. If the account's permissions match the condition, the account violates that condition. If an account's permissions violate every condition in the SoD policy, the account is in violation of the policy.

Many simple policies require only a single condition to specify illegal permission and role combinations. More complex combinations require multiple conditions, but it is probably very rare that you need more than two conditions.

A condition consists of two parts:

  • A list of one or more permissions and roles that Identity Governance tests against a user’s permissions and roles. The list can consist of all permissions, all roles, or a mixture of permissions and roles.

  • A condition type specifies how Identity Governance evaluates the user’s permissions and roles. There are three types of policy conditions:

    User has all of the following

    A user violates this condition if the user has all of the listed permissions and roles. This is the most commonly used type of condition. You can specify most illegal combinations of permissions and roles using a single condition.

    User has one or more of the following

    A user violates this condition if the user has any of the specified permissions and roles. The condition must always be used in conjunction with one or more of the other conditions. Identity Governance does not allow an SoD policy with a single condition of this type.

    NOTE: Identity Governance does not allow an SoD policy that would make it illegal for a user or account to possess a single permission or role all by itself. Examples are a policy with a single User has all of the following condition that lists a single permission or role, or a policy that has a single User has one or more of the following condition.

    To enforce this restriction, Identity Governance tests each permission or role specified in a policy's conditions. For each listed permission and role, it simulates a dummy user that possesses exactly that one permission or role and determines if the dummy user would violate all of the conditions of the policy. If it does, the policy is invalid and Identity Governance does not allow the SoD policy to be saved in that state.

    User has more than one of the following

    A user violates this condition if the user has two or more of the specified permissions and roles. A condition of this type must list at least two permissions and roles. If the condition lists exactly two permissions and roles, it is equivalent to a User has all of the following condition with two permissions and roles.
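As an added illustration of the rules in this section (it is not Identity Governance code, and the names SodCondition, SodPolicy, evaluate_subject and validate_policy are assumptions), the following Python models the three condition types, the rule that a user or unmapped account violates a policy only when it violates every condition, and the save-time check that simulates a dummy user holding exactly one permission or role. The permission and role names are constructed sample data.

```python
"""Toy model of SoD policy evaluation and policy validation.

Added example, not product code. Entitlement names such as
"perm:create-vendor" are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# The three condition types described in the documentation.
ALL = "all"                       # User has all of the following
ONE_OR_MORE = "one_or_more"       # User has one or more of the following
MORE_THAN_ONE = "more_than_one"   # User has more than one of the following


@dataclass(frozen=True)
class SodCondition:
    kind: str
    items: FrozenSet[str]   # permissions and/or roles, mixed freely

    def violated_by(self, held: FrozenSet[str]) -> bool:
        """True if the held entitlements match this condition."""
        matched = len(self.items & held)
        if self.kind == ALL:
            return self.items <= held          # every listed item is held
        if self.kind == ONE_OR_MORE:
            return matched >= 1                # any listed item is held
        if self.kind == MORE_THAN_ONE:
            return matched >= 2                # at least two listed items held
        raise ValueError(f"unknown condition type: {self.kind}")


@dataclass
class SodPolicy:
    name: str
    conditions: List[SodCondition]


def evaluate_subject(policy: SodPolicy, held: Iterable[str]) -> bool:
    """A user or unmapped account is in violation of the policy only if its
    permissions and roles violate EVERY condition in the policy."""
    held_set = frozenset(held)
    return bool(policy.conditions) and all(
        c.violated_by(held_set) for c in policy.conditions
    )


def validate_policy(policy: SodPolicy) -> List[str]:
    """Return the reasons a policy could not be saved (empty list = valid)."""
    problems: List[str] = []
    if not policy.conditions:
        problems.append("policy defines no conditions")
    for c in policy.conditions:
        if c.kind == MORE_THAN_ONE and len(c.items) < 2:
            problems.append("'more than one' condition must list at least two items")
        if c.kind == ONE_OR_MORE and len(policy.conditions) == 1:
            problems.append("'one or more' cannot be the only condition")
    # Simulate a dummy user holding exactly one listed permission or role;
    # if that alone violates the policy, the policy is invalid.
    listed = set().union(*(c.items for c in policy.conditions))
    for item in sorted(listed):
        if evaluate_subject(policy, {item}):
            problems.append(f"holding only '{item}' would violate the policy")
    return problems


def demo() -> dict:
    """Constructed sample policies and subjects; returns results for inspection."""
    single = SodPolicy("vendor-vs-payment", [
        SodCondition(ALL, frozenset({"perm:create-vendor", "perm:approve-payment"})),
    ])
    # Two conditions: any vendor-maintenance right combined with payment approval.
    two_step = SodPolicy("vendor-maintenance-vs-payment", [
        SodCondition(ONE_OR_MORE, frozenset({"perm:create-vendor", "perm:edit-vendor"})),
        SodCondition(ALL, frozenset({"role:payment-approver"})),
    ])
    invalid = SodPolicy("lone-one-or-more", [
        SodCondition(ONE_OR_MORE, frozenset({"perm:a", "perm:b"})),
    ])
    return {
        "user_violates_single": evaluate_subject(
            single, {"perm:create-vendor", "perm:approve-payment"}),
        "unmapped_account_clean": evaluate_subject(single, {"perm:create-vendor"}),
        "user_violates_two_step": evaluate_subject(
            two_step, {"perm:edit-vendor", "role:payment-approver"}),
        "two_step_valid": validate_policy(two_step),
        "invalid_reasons": validate_policy(invalid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same evaluate_subject call serves both mapped users and unmapped accounts, since the page describes identical treatment for both; the validator rejects the single-item "all" policy and the lone "one or more" policy through the dummy-user simulation as well as through the explicit structural checks.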