Get started with separation of duties
Separation of duties (SOD) allows you to define rules that allow or block specific entitlement combinations for apps to avoid potential conflicts of interest.
Setup and configuration tasks
As a super admin or a user with the permissions to manage SOD risk rules and to view apps, follow this sequence of tasks to configure apps and use SOD rules with them:
|
Admin task |
Description |
|---|---|
| Enable Governance Engine | Create an app and enable Governance Engine to manage and govern app entitlements in Okta or allow users to request entitlement bundles using Access Requests. |
| Create entitlements | Create and configure entitlements that your downstream apps can consume. |
| Create separation of duties rules | Create SOD rules for apps that have Governance Engine enabled. |
| Access request conditions | Configure settings that apply to all access requests associated with the resource, such as conflicts among SOD rules. |
| Create resource campaigns | Create and run a resource campaign to review users who have SOD conflicts. See Understand separation of duties conflicts and Understand remediation. |
User experience
Learn about the tasks that users perform.
|
User task |
Description |
|---|---|
| Create requests | Understand how your requesters can request access to an app directly from their dashboard after SOD rules are configured for an app. |
| Manage requests | Understand how request assignees can manage access requests for apps that use SOD rules. |
| Manage tasks | Understand how request approvers can approve or deny requests. |
| Review campaigns | Understand how reviewers can review the items assigned to them. |
Limits
Keep the following limits in mind when using SOD rules.
| Limit | Maximum |
|---|---|
| Number of entitlements in a list, where each SOD rule consists of two lists, separated by an AND operator | 50 |
| Number of SOD rules per app | 100 |
| Number of SOD rules per org | 500 |
Related topics
Create separation of duties rules