Separation of duties
Use separation of duties (SOD) to define rules that allow (with or without additional oversight) or block specific entitlement combinations for apps with Governance Engine enabled.
Organizations often have processes, or follow standards, that require certain combinations of entitlements never be held by the same user. Entitlements are the permissions, privileges, or access levels that allow users to take specific actions within third-party apps. In many organizations, managing entitlements and ensuring that unwanted combinations don't occur is left to admins, who often rely on manual checks to find combinations that have already been assigned. Because those checks happen after the fact, some users end up holding combinations of entitlements that create a conflict of interest.
For example, imagine the scenario where someone can both create and pay invoices. This could result in detrimental outcomes for an organization, where one person could create fake invoices and also approve their payment. SOD rules can help to prevent these situations from occurring.
With SOD rules, you can adopt a two-pronged approach to manage conflicting entitlement assignments – preventative and remediative. Use Access Requests and Access Certifications to control which combinations of entitlements users are allowed to possess.
- Access Requests: Specify whether users are allowed (or allowed with custom settings) or blocked from requesting access that would cause an SOD rule conflict. Depending on how you configure the access requests setting, you can prevent users from accumulating entitlements that cause SOD rule conflicts. You can also run the Past Access Requests (Conditions) report to view access requests that have an SOD rule conflict, using the Conflict name column.
- Access Certifications: Run campaigns to review and remediate existing user access that has an SOD rule conflict. You can configure the contextual information available to reviewers to display SOD conflict details for review items from the Settings tab of the Access Certifications page.
For Access Requests, Okta evaluates separation of duties rules against the requester's existing entitlement assignments at the moment the request is submitted. Entitlements that are only pending in other open requests are not counted. As a result, a requester who submits separate requests for two conflicting entitlements, either in quick succession or while both are open at the same time, sees no conflict warning on either request and isn't prevented from submitting them, even though approving both would violate the rule.
Before you grant access, check the requester's other open requests for entitlements that would conflict with the one being approved under your separation of duties rules, and treat the combination, not the single request, as what you're approving. Additionally, run access certification campaigns that review separation of duties conflicts regularly, so that conflicting assignments that do get through are found and revoked.
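The following is an added example, not Okta's code or any Okta API, that makes the gap concrete. It models a per-request check (existing assignments plus the one requested entitlement, as described above) next to an approver-side check that also folds in the requester's other open requests. The rule names, entitlement identifiers (such as `erp:invoice.create`), request records and the `decide` helper are all constructed for the illustration.

```python
"""Added example: SOD evaluation with and without the requester's other open requests.

Constructed illustration, not Okta's code or API. Rule names, entitlement
identifiers and request records are made up for the example.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class SodRule:
    name: str
    conflicting: frozenset   # the combination that must not be held together
    action: str              # "block" or "allow_with_oversight"


@dataclass(frozen=True)
class AccessRequest:
    request_id: str
    requester: str
    entitlement: str
    status: str = "open"     # "open", "granted" or "denied"


def triggered_rules(rules: Iterable[SodRule], held: frozenset) -> list[SodRule]:
    """Rules whose entire conflicting combination is contained in `held`."""
    return [r for r in rules if r.conflicting <= held]


def evaluate_at_submission(rules, existing: frozenset, request: AccessRequest) -> list[SodRule]:
    """Per-request evaluation: existing assignments plus this one entitlement.

    Other open requests are not considered, so two separate requests for
    conflicting entitlements both pass this check.
    """
    return triggered_rules(rules, existing | {request.entitlement})


def evaluate_before_grant(rules, existing: frozenset, open_requests, request: AccessRequest) -> list[SodRule]:
    """Approver-side check: judge the request against everything the requester
    would hold if every one of their open requests were granted."""
    pending = frozenset(
        r.entitlement for r in open_requests
        if r.requester == request.requester
        and r.status == "open"
        and r.request_id != request.request_id
    )
    return triggered_rules(rules, existing | pending | {request.entitlement})


def decide(triggered: list[SodRule]) -> str:
    """Most restrictive action wins: any blocking rule blocks the grant."""
    if not triggered:
        return "grant"
    if any(r.action == "block" for r in triggered):
        return "block"
    return "needs_oversight"


# Constructed sample data: rules, one user's current assignments, open requests.
RULES = (
    SodRule("Invoice create/pay",
            frozenset({"erp:invoice.create", "erp:invoice.pay"}), "block"),
    SodRule("Vendor create/approve",
            frozenset({"erp:vendor.create", "erp:vendor.approve"}), "allow_with_oversight"),
)
ALICE_EXISTING = frozenset({"erp:invoice.read"})
OPEN_REQUESTS = (
    AccessRequest("req-1", "alice", "erp:invoice.create"),
    AccessRequest("req-2", "alice", "erp:invoice.pay"),
    AccessRequest("req-3", "bob", "erp:invoice.pay"),
)


def demo() -> tuple[str, str]:
    """Evaluate alice's second request both ways; only the approver-side
    check sees that req-1 and req-2 together violate the blocking rule."""
    req2 = OPEN_REQUESTS[1]
    at_submit = decide(evaluate_at_submission(RULES, ALICE_EXISTING, req2))
    before_grant = decide(evaluate_before_grant(RULES, ALICE_EXISTING, OPEN_REQUESTS, req2))
    return at_submit, before_grant


if __name__ == "__main__":
    print(demo())
```

The design point is that the approver-side check treats the set of open requests as a unit: it is the union of existing assignments and everything pending that has to satisfy the rules, not each request on its own. The same union logic is what a certification campaign effectively applies after the fact to assignments that were already granted.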
