The
action on the tab of the Identity Manager user interface allows you to:
Define a Separation of Duties (SoD) constraint (or rule).
Define how to process requests for exceptions to the constraint.
An SoD constraint represents a rule that makes two roles, of the same level, mutually exclusive. If a user is in one role, they cannot be in the second role, unless there is an exception allowed for that constraint. You can define whether exceptions to the constraint are always allowed or are only allowed through an approval flow.
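The rule described above, as an added example that is not part of the original documentation and not Identity Manager's own code: a small Python model of how a role request is checked against SoD constraints and routed according to the approval settings. The role names, approver names and outcome labels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the approver list in the SoD approval definition.
DEFAULT_APPROVERS = ("sod-default-approver",)

@dataclass(frozen=True)
class SoDConstraint:
    name: str
    roles: frozenset                      # the two conflicting roles (unordered)
    approval_required: bool               # True: exceptions go through approval
    approvers: Optional[Tuple[str, ...]] = None  # None: use the default list

# Constructed sample catalog; names are illustrative only.
CONSTRAINTS = [
    SoDConstraint("AP vs Vendor", frozenset({"Accounts Payable", "Vendor Maintenance"}),
                  approval_required=True, approvers=("finance-controller",)),
    SoDConstraint("Dev vs Release", frozenset({"Developer", "Release Approver"}),
                  approval_required=True),
    SoDConstraint("Buyer vs Receiver", frozenset({"Buyer", "Goods Receiver"}),
                  approval_required=False),
]

def violations(held_roles, requested_role, constraints=CONSTRAINTS):
    """List every constraint the requested role would violate for this user."""
    held = set(held_roles)
    found = []
    for c in constraints:
        if requested_role not in c.roles:
            continue
        other = c.roles - {requested_role}
        if not (other & held):
            continue
        if c.approval_required:
            outcome, approvers = "needs_approval", c.approvers or DEFAULT_APPROVERS
        else:
            outcome, approvers = "exception_allowed", ()
        found.append({"constraint": c.name, "outcome": outcome, "approvers": approvers})
    return found

def decide(held_roles, requested_role, constraints=CONSTRAINTS):
    """Overall result: the strictest outcome across all violated constraints."""
    found = violations(held_roles, requested_role, constraints)
    if not found:
        return "grant", found
    if any(v["outcome"] == "needs_approval" for v in found):
        return "hold_for_approval", found
    return "grant_with_exception", found
```

Because the conflicting roles are held as an unordered set, the result is the same whichever of the two roles the user already has.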
Click
in the list of actions.
The User Application displays a list of separation of duties constraints currently defined in the catalog.
Click the
button in the upper right corner of the display.
Specify a filter string for the constraint name or description in the
dialog.
Click
to apply your selection criteria.
To remove the current filter, click
.
Click on the Rows dropdown list and select the number of rows you want to be displayed on each page:
To scroll to another page in the constraint list, click on the Next, Previous, First or Last button at the bottom of the list.
To sort the constraint list:
Click the header for the column you want to sort on.
The pyramid-shaped sort indicator shows you which column is the new sort column. When the sort is ascending, the sort indicator is shown in its normal, upright position.
When the sort is descending, the sort indicator is upside down.
The initial sort column is determined by the administrator.
If you override the initial sort column, your sort column is added to the list of required columns. Required columns are indicated with an asterisk (*).
When you modify the sort order for the constraint list, your preference is saved in the Identity Vault along with your other user preferences.
Click the
button at the top of the display:
The User Application displays the
dialog:
Provide a name for the constraint in the
field, and type a description in the field.
Select each of the conflicting roles in the two conflicting roles fields. The order of the roles selected is not important.
Define the approval details, as described under Defining the Approval Flow Settings.
Open the
section of the page.
Specify the approval details, as described below:
| Field | Description |
|---|---|
| | Select this box if the SoD constraint requires approval for exceptions. Deselect this box if the SoD constraint does not require approval for exceptions. |
| | Select if you want to use the default list of approvers defined in the SoD approval definition. If you select , the page displays the list of approvers specified in the approval definition. You cannot edit this list. Select if you want to specify a different list as part of the SoD constraint definition. If you select , you need to use the control to specify the users who will be responsible for approving SoD exceptions. |
| | Displays a read-only list of the approvers specified on the page. |
| | Allows you to specify a list of approvers as part of the constraint definition. Select if the approval task should be assigned to one or more users. Select if the approval task should be assigned to a group. Select Container if the approval task should be assigned to one or more containers. Select if the approval task should be assigned to a role. To locate a specific user, group, or role, use the button. To change the order of the approvers in the list, or to remove an approver, see Section 1.4.4, Common User Actions. |
Select a previously defined role and click
.
Make your changes to the role settings and click
.
Select a previously defined role and click
.
Click
.