Version: Cloud

Segregation of Duties

The Segregation of Duties (SoD) module is used to define policies that describe toxic combinations of access rights held by the same person, detect violations of those policies, and evaluate each violation to decide whether the violating assignments should be allowed or blocked. With SoD, an identity cannot silently be assigned a combination of resources or business processes that breaks the rules of the organization; such a combination is known as a toxic combination of resources or business processes.

example

For example, an identity that can create purchase orders should not also be the person who approves those purchase orders. The combination of creating a purchase order and approving a purchase order is therefore typically defined as a toxic combination.

The SoD Module enables you to:

  • Define enforceable policies for granting access.
  • Detect policy violations based on defined rules and policies to ensure that critical access combinations (SoD) are not granted without risk evaluations and approvals.
  • Ensure that dispensations to violations are re-evaluated periodically.

The SoD module allows for a fine-grained definition of constraints, based on either a mutually exclusive Business Process matrix or a mutually exclusive Resource matrix.

Constraints can be evaluated at resource level or at business process level. A business process lets you associate multiple resources with one job function, so you can define an SoD constraint for that job function once instead of adding a constraint rule for every possible combination of the underlying resources.

example

For example, a large enterprise may have several offices in which there are only a few employees. In such cases, there may not be enough employees to handle all the resources that a system may require. In the first example above, it could be necessary for the same person to be able to both create and approve purchase orders, because that person is the only person in the office to perform both tasks.

The module supports a mitigation workflow, powered by the Omada Identity business process engine, where a security officer and/or manager can evaluate all violations for an identity with the possibility of allowing selected violations.

With the SoD feature, you can document the need for some assignments to overlap, even when they cause violations of the organization’s established policies.

SoD runs evaluations at the identity level: all violations for an identity are evaluated in one process. You can allow any or all blocked assignments and set an expiry date for the evaluation. After the expiry date, the violation must be evaluated again.
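The following Python model is an added example, not code from Omada Identity or its documentation. It shows the mechanics the preceding paragraphs describe: a mutually exclusive business process matrix alongside a mutually exclusive resource matrix, how one process-level rule replaces every cross combination of the underlying resources, identity-level evaluation of all violations at once, dispensations that allow a violation until they expire, and the policy check simulation that reports only the violations a proposed request would introduce. The business processes, resource identifiers and dates are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# --- Constructed sample data (assumed for this example; not Omada's data model) ---

# Business processes group the resources that implement one job function.
BUSINESS_PROCESSES: dict[str, frozenset[str]] = {
    "Create purchase order":  frozenset({"ERP-PO-Create", "ERP-PO-Edit"}),
    "Approve purchase order": frozenset({"ERP-PO-Approve", "ERP-PO-Release"}),
    "Maintain vendor master": frozenset({"ERP-Vendor-Edit"}),
    "Pay vendor":             frozenset({"ERP-Payment-Run"}),
}

# Mutually exclusive business process matrix: unordered pairs of processes
# that must not be held by the same identity.
TOXIC_PROCESS_PAIRS: frozenset[frozenset[str]] = frozenset({
    frozenset({"Create purchase order", "Approve purchase order"}),
    frozenset({"Maintain vendor master", "Pay vendor"}),
})

# Mutually exclusive resource matrix, for a constraint that does not follow
# business process boundaries.
TOXIC_RESOURCE_PAIRS: frozenset[frozenset[str]] = frozenset({
    frozenset({"ERP-Payment-Run", "HR-Payroll-Run"}),
})


@dataclass(frozen=True, order=True)
class Violation:
    kind: str              # "business_process" or "resource"
    pair: tuple[str, str]  # the two conflicting processes or resources, sorted
    via: tuple[str, ...]   # the identity's resources that trigger the conflict


@dataclass(frozen=True)
class Dispensation:
    """An allowed violation; it must be re-evaluated after `expires`."""
    pair: tuple[str, str]
    expires: date
    compensating_control: str


def _key(pair: Iterable[str]) -> tuple[str, str]:
    a, b = sorted(pair)
    return (a, b)


def processes_held(resources: set[str]) -> set[str]:
    """Business processes an identity holds through at least one resource."""
    return {bp for bp, members in BUSINESS_PROCESSES.items() if members & resources}


def expand_to_resource_pairs(process_pair: Iterable[str]) -> set[tuple[str, str]]:
    """Resource-level rules that one process-level rule stands in for."""
    p, q = process_pair
    return {_key((r, s)) for r in BUSINESS_PROCESSES[p] for s in BUSINESS_PROCESSES[q]}


def detect_violations(resources: Iterable[str]) -> list[Violation]:
    """All toxic combinations present in one identity's resource set."""
    res = set(resources)
    held = processes_held(res)
    found: list[Violation] = []
    for pair in TOXIC_PROCESS_PAIRS:
        if pair <= held:
            via = sorted(r for bp in pair for r in BUSINESS_PROCESSES[bp] & res)
            found.append(Violation("business_process", _key(pair), tuple(via)))
    for pair in TOXIC_RESOURCE_PAIRS:
        if pair <= res:
            found.append(Violation("resource", _key(pair), _key(pair)))
    return sorted(found)


def evaluate_identity(resources: Iterable[str], dispensations: Iterable[Dispensation],
                      today: date) -> tuple[list[Violation], list[Violation]]:
    """Identity-level evaluation: returns (allowed, blocked). A violation is
    allowed only by a dispensation that has not yet expired."""
    allowed, blocked = [], []
    for v in detect_violations(resources):
        live = any(d.pair == v.pair and d.expires >= today for d in dispensations)
        (allowed if live else blocked).append(v)
    return allowed, blocked


def simulate_request(current: Iterable[str], requested: Iterable[str],
                     dispensations: Iterable[Dispensation], today: date) -> list[Violation]:
    """Policy check simulation: blocked violations the request would newly introduce."""
    already = {v.pair for v in detect_violations(current)}
    _, blocked = evaluate_identity(set(current) | set(requested), dispensations, today)
    return [v for v in blocked if v.pair not in already]


if __name__ == "__main__":
    clerk = {"ERP-PO-Create", "ERP-PO-Approve"}   # constructed small-office case
    waiver = Dispensation(("Approve purchase order", "Create purchase order"),
                          date(2026, 6, 30), "Monthly PO review by regional controller")
    print(evaluate_identity(clerk, [waiver], date(2026, 1, 15)))  # allowed
    print(evaluate_identity(clerk, [waiver], date(2026, 7, 1)))   # expired: blocked
```

Note that `expand_to_resource_pairs` makes the saving concrete: the single process pair above covers four resource pairs, and adding a resource to either process extends the rule without touching the matrix. The simulation deliberately reports only new violations, so a pre-existing, already dispensated combination does not block an unrelated request.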

SoD includes the following features:

  • The business process concept, with a hierarchy, to structure resources.
  • The ability to define SoD policies based on mutually exclusive business processes or mutually exclusive resources.
  • Filters that allow you to apply a constraint to only some identities via an Omada Identity Portal view.
  • The ability to scope selected attributes based on the specific needs of your organization.
  • The policy check simulation, where an identity can review whether their requested access causes a policy violation before submitting the request for approval.
  • A workflow that enables the manager to evaluate all violations for an identity and allow selected violations.
  • The security officer’s approvals of the manager’s evaluation.
  • Compensating controls for allowing a policy violation.

info

The Prioritization Policies feature available in Omada Identity also makes it possible to define resources as mutually exclusive. However, SoD provides a process for reviewing violations and allowing them where needed, whereas Prioritization Policies enforce mutual exclusion rules strictly and let you define which resource takes priority over another.

For more information, refer to the Prioritization Policies section of the documentation.