11.4 About the Separation of Duties Editor

The Separation of Duties (SoD) editor allows you to:

  • Define a separation of duties constraint (or rule).

  • Define how to process requests for exceptions to the constraint.

Each SoD constraint represents a rule that makes two roles mutually exclusive. If a user is in one role, he or she cannot be in the second role, unless there is an exception allowed for that constraint. You can define whether exceptions to the constraint are always allowed or are only allowed through an approval flow.

11.4.1 Using the Separation of Duties Editor

To create a new separation of duties constraint:

  1. Open the Separation of Duties Wizard in one of these ways:

    • From the Provisioning view, open Role Catalog, right-click Separation of Duties, then select New.

    • Select File > New > Provisioning > Separation of Duties.

    The SoD Wizard displays.

  2. Fill in the fields as follows:

    * Indicates the field is required.

    Field

    Description

    Identity Manager Project and Provisioning Application*

    The name of the Identity Manager project and the provisioning application where you want to create the SoD.

    NOTE: These two fields display only when you launch the wizard from the File menu.

    Identifier (CN)*

    The unique identifier for the SoD.

    Display Name*

    The text used when the SoD name displays in the User Application. You can translate this text into any of the languages supported by the User Application. For more information, see Localizing Provisioning Objects.

    Description

    The text displayed as the SoD Description in the User Application. You can translate this text into any of the languages supported by the User Application. For more information, see Localizing Provisioning Objects.

  3. Click Finish.

    Designer creates the SoD constraint and launches the SoD editor.

  4. Fill in the fields as described in Table 11-8, Roles Configuration Properties.

  5. Save and deploy the constraint definition.

11.4.2 Separation of Duties Constraints Properties

Table 11-7 describes the fields on the SoD property page.

Using the Separation of Duties Properties

Table 11-7 Separation of Duties Properties

Section

Field

Description

Separation of Duties Constraints

Identifier (CN)

Read-only. Unique ID for the SoD.

Display Label

The text displayed as the SoD Constraint Name in the User Application. You can translate this text into any of the languages supported by the User Application. For more information, see Localizing Provisioning Objects.

Description

The text displayed as the SoD Constraint Description field in the User Application. You can translate this text into any of the languages supported by the User Application. For more information, see Localizing Provisioning Objects.

Roles

Conflicting Role

The name of the role for which you want to define a constraint.

Click Browse to locate a specific role from the available roles. See Using the Role Search Dialog Box.

A role defines a set of privileges related to one or more target systems or applications.

Conflicting Role

The name of the role in conflict. Click Browse to locate an existing role from the available roles. This search excludes the role already selected.

SoD Approval Definition

Approval Required

Select Yes if you want to launch a workflow when a user requests an exception to the SoD constraint.

Select No if the user can request an exception to the SoD constraint and no approval is required. In this case, the exception is never denied.

SoD Approval Definition

Displays the read-only name of the provisioning request definition that executes when a user requests an SoD constraint exception. The value is derived from the Roles Configuration object. It is only executed when the Approval Type is SoD allowed with workflow.

Approval Type

A read-only field that displays the processing type for the provisioning request definition displayed above. This value is derived from the Roles Configuration object.

Use Default Approvers

Select Yes to use the default approvers defined in the Roles Configuration object. This option does not enable the Approvers selection list in this property page.

IMPORTANT: When you choose this option, you must define the approvers in the role configuration editor. If you do not specify approvers, you are able to deploy the SoD, but users encounter a runtime error because there are no approvers defined.

Select No to enable the Approvers selection list in this property page.

If you change the selection from Yes to No and then perform a Compare, the objects are considered equal. After you specify Approvers, the comparison is no longer equal.

Approvers or Default Approvers

Approvers

An approver can be a user, group, or role. To add approvers:

  1. Click +.

    If you are connected to the Identity Vault, the Browse Identity Vault dialog box automatically displays.

  2. Navigate the Identity Vault to locate your approvers.

    To locate roles, navigate to the User Application driver’s AppConfig.RoleConfig.RoleDefs container.

  3. Select the approver, then click OK.

If Designer is not able to connect to the Identity Vault, you can add the approver manually by clicking in the row and typing the approver’s distinguished name, for example, admin.novell. Only deployed roles can be specified.
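The following Python block is an added illustration of the rule semantics described on this page: a constraint makes two roles mutually exclusive, an exception is either always granted (Approval Required = No) or routed to approvers (Approval Required = Yes), and a constraint that relies on default approvers with none defined deploys fine but fails at request time. It is not Designer or User Application code; the data classes, function names, role names and approver DNs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SodConstraint:
    """One SoD constraint as configured in the editor (fields named after the property page)."""
    cn: str                        # Identifier (CN)
    role_a: str                    # first Conflicting Role
    role_b: str                    # second Conflicting Role
    approval_required: bool        # Approval Required: Yes (True) / No (False)
    use_default_approvers: bool = True
    approvers: List[str] = field(default_factory=list)  # used only when use_default_approvers is False

    def __post_init__(self):
        # The second role search excludes the first selection, so a pair is always two distinct roles.
        if self.role_a == self.role_b:
            raise ValueError(f"{self.cn}: conflicting roles must differ")


# Constructed stand-in for the approver list held by the Roles Configuration object.
DEFAULT_APPROVERS = ["cn=SoDApprover,ou=users,o=data"]

# Constructed sample constraints and role DNs; not taken from any real deployment.
SAMPLE_CONSTRAINTS = [
    SodConstraint("sod-ap-clerk-approver", "cn=AP-Clerk", "cn=AP-Approver", approval_required=True),
    SodConstraint("sod-auditor-developer", "cn=Auditor", "cn=Developer", approval_required=False),
    SodConstraint("sod-backup-restore", "cn=Backup", "cn=Restore",
                  approval_required=True, use_default_approvers=False, approvers=[]),
]


def violated_by(constraint: SodConstraint, current_roles: List[str], requested_role: str) -> bool:
    """True when granting requested_role would place the user in both roles of the pair."""
    pair = {constraint.role_a, constraint.role_b}
    if requested_role not in pair:
        return False
    other = (pair - {requested_role}).pop()
    return other in current_roles


def effective_approvers(constraint: SodConstraint, default_approvers: List[str]) -> List[str]:
    """Use Default Approvers = Yes reads the Roles Configuration list; No uses the constraint's own."""
    return list(default_approvers) if constraint.use_default_approvers else list(constraint.approvers)


def evaluate_request(current_roles: List[str], requested_role: str,
                     constraints: List[SodConstraint],
                     default_approvers: List[str] = DEFAULT_APPROVERS) -> Tuple[str, Dict]:
    """Decide the outcome of a role request against a set of SoD constraints.

    Returns (decision, details) with decision one of:
      'grant'             no constraint is violated
      'exception-granted' violated constraints all have Approval Required = No
      'approval-required' at least one violated constraint needs a workflow
      'error'             a workflow is needed but no approvers are defined (runtime failure)
    """
    hit = [c for c in constraints if violated_by(c, current_roles, requested_role)]
    if not hit:
        return "grant", {}
    needs_approval = [c for c in hit if c.approval_required]
    if not needs_approval:
        # Approval Required = No: the exception is never denied.
        return "exception-granted", {"constraints": [c.cn for c in hit]}
    missing = [c.cn for c in needs_approval if not effective_approvers(c, default_approvers)]
    if missing:
        # The IMPORTANT note above: the SoD deploys, but the workflow has nobody to route to.
        return "error", {"no_approvers": missing}
    approvers = sorted({a for c in needs_approval for a in effective_approvers(c, default_approvers)})
    return "approval-required", {"constraints": [c.cn for c in needs_approval], "approvers": approvers}


if __name__ == "__main__":
    for roles, wanted in [(["cn=AP-Clerk"], "cn=AP-Approver"), (["cn=Auditor"], "cn=Developer"),
                          (["cn=Backup"], "cn=Restore"), (["cn=AP-Clerk"], "cn=Auditor")]:
        print(roles, "->", wanted, evaluate_request(roles, wanted, SAMPLE_CONSTRAINTS))
```

The 'error' branch is the case worth catching before deployment: a Compare in Designer will not flag it, so a check like this over the exported constraints, or a test request by a non-privileged account, is the practical way to confirm every approval-required constraint resolves to at least one approver.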

Using the Role Search Dialog Box

The Role Search dialog box displays when you click Browse in the Roles section of the SoD editor. The dialog box helps you locate the existing roles for which you can create SoD constraints.

  1. In the dialog box, specify the CN, Display Name, Description, Role Category, and Role Level on which you want to search.

    For CN, Display Name, and Description, you can enter a wildcard (such as S*, *S) or regular expressions (such as [A-Z][a-z]*).

    You can enter a value for all of the fields or none of the fields. If you do not supply a value in a particular field, the search returns all of the possible values for that field. If you enter a value in one or more of the fields, the values are ANDed together to create the search filter. The search occurs on the roles defined locally. Roles matching the search criteria are displayed in the Matching Roles selection list.

  2. Select a role from the Roles selection list, then click OK to return to the SoD property page.

  3. Click OK.

    Clicking OK closes the Search for Role dialog box and populates the role in the SoD properties page. When no roles are available for the specified search criteria, the OK button is disabled.
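The block below is an added Python model of the filter behaviour this section describes (empty fields match everything, filled fields are ANDed, wildcards such as S* and *S or a regular expression such as [A-Z][a-z]* are accepted for the text fields, and the second Conflicting Role search excludes the role already chosen). It is not the dialog's own code. The sample roles are constructed, and the rule used to tell a wildcard from a regular expression (a value containing * and no other regex metacharacters is a wildcard) is an assumption made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Pattern


@dataclass(frozen=True)
class Role:
    cn: str
    display_name: str
    description: str
    category: str
    level: int


# Constructed sample of locally defined roles; not from any real project.
LOCAL_ROLES = [
    Role("AP-Clerk", "Accounts Payable Clerk", "Enters supplier invoices", "finance", 10),
    Role("AP-Approver", "Accounts Payable Approver", "Approves supplier payments", "finance", 20),
    Role("Sysadmin", "System Administrator", "Server administration", "it", 30),
    Role("ServiceDesk", "Service Desk Agent", "Password resets", "it", 10),
]

_REGEX_META = set(".[]()+?\\^$|{}")


def pattern_to_regex(value: str) -> Pattern:
    """Compile a CN / Display Name / Description search value to a full-match regex.

    Assumption for this example: a value containing '*' but no other regex
    metacharacters is a wildcard (S*, *S), everything else is used as a regex.
    """
    if "*" in value and not (_REGEX_META & set(value)):
        value = ".*".join(re.escape(part) for part in value.split("*"))
    return re.compile(value)


def search_roles(roles: List[Role], cn: Optional[str] = None, display_name: Optional[str] = None,
                 description: Optional[str] = None, category: Optional[str] = None,
                 level: Optional[int] = None) -> List[Role]:
    """Return roles matching every supplied criterion; criteria left empty match all roles."""
    text_filters = [(attr, pattern_to_regex(v)) for attr, v in
                    (("cn", cn), ("display_name", display_name), ("description", description)) if v]

    def ok(role: Role) -> bool:
        for attr, rx in text_filters:
            if rx.fullmatch(getattr(role, attr)) is None:
                return False
        if category and role.category != category:
            return False
        if level is not None and role.level != level:
            return False
        return True

    return [r for r in roles if ok(r)]


def search_excluding(roles: List[Role], already_selected_cn: str, **criteria) -> List[Role]:
    """Browse for the second Conflicting Role: same filter, minus the role already selected."""
    return [r for r in search_roles(roles, **criteria) if r.cn != already_selected_cn]


def ok_button_enabled(results: List[Role]) -> bool:
    """OK is disabled when no roles match the criteria."""
    return len(results) > 0


if __name__ == "__main__":
    for r in search_roles(LOCAL_ROLES, cn="S*", category="it"):
        print(r.cn, r.display_name)
    print("second role candidates:", [r.cn for r in search_excluding(LOCAL_ROLES, "AP-Clerk", cn="AP*")])
```

Note that the regex form is a full match, so [A-Z][a-z]* returns only roles whose CN is one capital letter followed by lowercase letters; a CN such as ServiceDesk is not matched. If the live dialog matches substrings instead, swap fullmatch for search.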