16.0 Separation of Duties Constraints

Separation of duties is an important aspect of an organization’s security controls because it helps prevent fraud and user error related to user access. In a separation of duties constraint, the conflicting roles must be at the same level in the roles hierarchy.

A Role Administrator can create or modify SoD constraints for roles in the organization.

A SoD constraint represents a rule that makes two roles mutually exclusive unless there is an exception allowed for that constraint. You can define whether exceptions to the constraint are always allowed or are only allowed through an approval flow. When a role assignment results in a potential separation of duties conflict, the initiator has the option to override the separation of duties constraint and provide a justification for making an exception to the constraint.

You can add or delete separation of duties constraints on the Administration > Separation of Duties page.

To modify the default Separation of Duties settings, see Section 18.0, Configuring Identity Applications Default Settings.

When a user requests a role that results in a potential SoD conflict, the initiator has the option to override the SoD constraint and provide a justification for making an exception. In some cases, a SoD conflict can cause a workflow to start. The workflow coordinates the approvals needed to allow the SoD exception to take effect.
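The constraint semantics described above (mutually exclusive roles at the same hierarchy level, with exceptions either allowed by justification or routed to an approval workflow) modelled as an added example; this is illustrative code, not the identity applications' own implementation, and the role names and constraints are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional

class ExceptionPolicy(Enum):
    ALWAYS = "always"      # initiator may override with a justification
    APPROVAL = "approval"  # override is routed through an approval workflow

@dataclass(frozen=True)
class Role:
    name: str
    level: int             # position in the roles hierarchy (0 = top)

@dataclass(frozen=True)
class SodConstraint:
    role_a: Role
    role_b: Role
    policy: ExceptionPolicy

    def __post_init__(self) -> None:
        # Conflicting roles must be at the same level in the roles hierarchy.
        if self.role_a.level != self.role_b.level:
            raise ValueError("SoD constraint roles must be at the same hierarchy level")
        if self.role_a == self.role_b:
            raise ValueError("a role cannot conflict with itself")

    def covers(self, r1: Role, r2: Role) -> bool:
        return {r1, r2} == {self.role_a, self.role_b}

@dataclass(frozen=True)
class Outcome:
    status: str                      # "allowed", "needs_justification" or "needs_approval"
    conflicting_role: Optional[str]  # role already held that triggered the conflict

def evaluate_assignment(constraints: Iterable[SodConstraint],
                        held: Iterable[Role], requested: Role) -> Outcome:
    """Decide what happens when `requested` is assigned to a user who holds `held`."""
    for c in constraints:
        for h in held:
            if c.covers(h, requested):
                if c.policy is ExceptionPolicy.ALWAYS:
                    return Outcome("needs_justification", h.name)
                return Outcome("needs_approval", h.name)   # starts the SoD workflow
    return Outcome("allowed", None)

# Constructed sample roles and constraints (hypothetical, not from the product).
CLERK = Role("AP Clerk", 2)
APPROVER = Role("Payment Approver", 2)
VENDOR = Role("Vendor Maintainer", 2)
CONSTRAINTS = [
    SodConstraint(CLERK, APPROVER, ExceptionPolicy.APPROVAL),
    SodConstraint(CLERK, VENDOR, ExceptionPolicy.ALWAYS),
]
```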

Your workflow designer and system administrator are responsible for setting up the contents of the Roles and Resources in the Administration tab for you and the others in your organization. The flow of control for a roles-based workflow or SoD workflow, as well as the appearance of forms, can vary depending on how the workflow designer defined the workflow's approval definition in the Designer for Identity Manager. In addition, your job requirements and level of authority determine what you can see and do.

For more information, click on the Dashboard.

NOTE: The ability to define custom roles is available only with Identity Manager 4.5 and later.