18.1 Browsing the SoD Catalog

The SoD Catalog action on the Roles and Resources tab of the Identity Manager user interface allows you to:

  • Define a Separation of Duties (SoD) constraint (or rule).

  • Define how to process requests for exceptions to the constraint.

An SoD constraint represents a rule that makes two roles, of the same level, mutually exclusive. If a user is in one role, they cannot be in the second role, unless there is an exception allowed for that constraint. You can define whether exceptions to the constraint are always allowed or are only allowed through an approval flow.

18.1.1 Viewing Separation of Duties Constraints

  1. Click SoD Catalog in the list of Roles and Resources actions.

    The User Application displays a list of separation of duties constraints currently defined in the catalog.

Filtering the Separation of Duties List

  1. Click the Display Filter button in the upper right corner of the Separation of Duties Constraints display.

  2. Specify a filter string for the constraint name or description in the Filter dialog.

  3. Click Filter to apply your selection criteria.

  4. To remove the current filter, click Reset.

Setting the Maximum Number of Rows on a Page

  1. Click the Rows dropdown list and select the number of rows you want displayed on each page.

Scrolling within the Separation of Duties List

  1. To scroll to another page in the constraint list, click on the Next, Previous, First or Last button at the bottom of the list.

Sorting the Separation of Duties List

To sort the constraint list:

  1. Click the header for the column you want to sort on.

    The pyramid-shaped sort indicator shows you which column is the new sort column. When the sort is ascending, the sort indicator is shown in its normal, upright position.

    When the sort is descending, the sort indicator is upside down.

    The initial sort column is determined by the administrator.

If you override the initial sort column, your sort column is added to the list of required columns. Required columns are indicated with an asterisk (*).

When you modify the sort order for the constraint list, your preference is saved in the Identity Vault along with your other user preferences.

18.1.2 Creating New Separation of Duties Constraints

  1. Click the New button at the top of the Separation of Duties Constraints display.

    The User Application displays the New Separation of Duties Constraint dialog.

  2. Provide a name for the constraint in the SoD Constraint Name field, and type a description in the SoD Constraint Description field.

  3. Select each of the conflicting roles in the two conflicting roles fields. The order of the roles selected is not important.

  4. Define the approval details, as described under Defining the Approval Flow Settings.

Defining the Approval Flow Settings

  1. Open the Approval section of the page.

  2. Specify the approval details, as described below:

    Field
        Description

    Required
        Select this box if the SoD constraint requires approval for exceptions.

        Deselect this box if the SoD constraint does not require approval for exceptions.

    Use Default Approvers
        Select Yes if you want to use the default list of approvers defined in the SoD approval definition. If you select Yes, the page displays the list of approvers specified in the approval definition. You cannot edit this list.

        Select No if you want to specify a different list as part of the SoD constraint definition. If you select No, you need to use the Approvers control to specify the users who will be responsible for approving SoD exceptions.

    Default Approvers
        Displays a read-only list of the approvers specified on the Configure Roles and Resources Settings page.

    Approvers
        Allows you to specify a list of approvers as part of the constraint definition.

        Select User if the approval task should be assigned to one or more users. Select Group if the approval task should be assigned to a group. Select Container if the approval task should be assigned to one or more containers. Select Role if the approval task should be assigned to a role.

        To locate a specific user, group, or role, use the Object Selector button. To change the order of the approvers in the list, or to remove an approver, see Section 1.4.4, Common User Actions.
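
The following added example is a conceptual model of how an SoD constraint and its approval settings combine when a role is requested. It is not Identity Manager code or its API; the class, function, role names and approver names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

# Constructed stand-in for the approvers listed in the SoD approval definition.
DEFAULT_APPROVERS = ["cn=sod-admins"]

@dataclass(frozen=True)
class SodConstraint:
    name: str
    roles: frozenset                  # the two conflicting roles; order is irrelevant
    approval_required: bool           # models the "Required" check box
    use_default_approvers: bool = True
    approvers: tuple = ()             # used only when use_default_approvers is False

    def __post_init__(self):
        if len(self.roles) != 2:
            raise ValueError("an SoD constraint names exactly two distinct roles")

    def resolved_approvers(self):
        if self.use_default_approvers:
            return list(DEFAULT_APPROVERS)
        return list(self.approvers)

def evaluate_request(current_roles, requested_role, constraints):
    """Decide what happens when requested_role is added to a user.

    Returns ("granted", []) when no constraint is hit,
    ("exception-allowed", ...) when every conflict allows exceptions
    without approval, and ("approval-needed", ...) listing each constraint
    that requires approval together with its approvers.
    """
    held = set(current_roles)
    hits = [c for c in constraints
            if requested_role in c.roles and (c.roles - {requested_role}) & held]
    if not hits:
        return "granted", []
    pending = [(c.name, c.resolved_approvers()) for c in hits if c.approval_required]
    if pending:
        return "approval-needed", pending
    return "exception-allowed", [(c.name, []) for c in hits]

# Constructed sample catalog.
CONSTRAINTS = [
    SodConstraint("Payments SoD", frozenset({"Create Payment", "Approve Payment"}),
                  True, False, ("cn=finance-controller",)),
    SodConstraint("Vendor SoD", frozenset({"Create Vendor", "Approve Payment"}), True),
    SodConstraint("Helpdesk SoD",
                  frozenset({"Reset Password", "Audit Password Resets"}), False),
]
```
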

18.1.3 Editing an Existing Separation of Duties Constraint

  1. Select a previously defined role and click Edit.

  2. Make your changes to the role settings and click Save.

18.1.4 Deleting Separation of Duties Constraints

  1. Select a previously defined role and click Delete.

18.1.5 Refreshing the Separation of Duties Constraint List

  1. Click Refresh.