18.0 Separation of Duties Constraints

Separation of duties is an important aspect of an organization’s security controls because it helps prevent fraud and user error related to user access. In a separation of duties constraint, the conflicting roles must be at the same level in the roles hierarchy.

A Role Administrator can create or modify separation of duties constraints for roles in the organization.

A separation of duties (SoD) constraint is a rule that makes two roles mutually exclusive unless an exception is allowed for that constraint. You can define whether exceptions to the constraint are always allowed or are allowed only through an approval flow. When a role assignment results in a potential separation of duties conflict, the initiator has the option to override the constraint and provide a justification for making an exception to it.
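The constraint logic described above, modeled as an added Python example (it is not Identity Manager code or its API). Class names, decision strings, role names and level numbers are constructed, and treating a missing justification as blocking the assignment is an assumption.

```python
from dataclasses import dataclass
from enum import Enum

class Exceptions(Enum):
    ALWAYS_ALLOWED = 1   # exception is granted once a justification is given
    APPROVAL_FLOW = 2    # exception must go through an approval flow

@dataclass(frozen=True)
class Role:
    name: str
    level: int           # level in the roles hierarchy (constructed values)

@dataclass(frozen=True)
class SodConstraint:
    name: str
    role_a: Role
    role_b: Role
    exceptions: Exceptions

    def __post_init__(self):
        # Conflicting roles must be at the same level in the roles hierarchy.
        if self.role_a.level != self.role_b.level:
            raise ValueError(f"{self.name}: conflicting roles are at different levels")

    def conflicts(self, held, requested):
        pair = {self.role_a.name, self.role_b.name}
        return requested in pair and bool((pair - {requested}) & held)

def evaluate(held, requested, constraints, justification=None):
    """Return (decision, names of violated constraints) for a role request."""
    hit = [c for c in constraints if c.conflicts(set(held), requested)]
    names = [c.name for c in hit]
    if not hit:
        return "assigned", names
    if not (justification and justification.strip()):
        return "conflict: justification required", names
    # One approval-gated constraint routes the whole request to approval.
    if any(c.exceptions is Exceptions.APPROVAL_FLOW for c in hit):
        return "pending approval", names
    return "assigned with exception", names

# Constructed sample roles and constraints
REQUESTER, APPROVER = Role("Purchase Requester", 10), Role("Purchase Approver", 10)
ISSUER, AUDITOR = Role("Payment Issuer", 10), Role("Payment Auditor", 10)
CONSTRAINTS = [
    SodConstraint("Request vs Approve", REQUESTER, APPROVER, Exceptions.APPROVAL_FLOW),
    SodConstraint("Issue vs Audit", ISSUER, AUDITOR, Exceptions.ALWAYS_ALLOWED),
]
```

Recording the returned constraint names together with the justification gives reviewers an audit trail of every exception that was granted.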

You can add or delete separation of duties constraints on the Administration > Separation of Duties page.

To modify the default Separation of Duties settings, see Section 20.0, Configuring Identity Applications Default Settings.

To understand the Role and Resource assignment process, see: