Separation of duties
Use separation of duties (SOD) to define rules that allow (with or without additional oversight) or block specific entitlement combinations for apps with Governance Engine enabled.
Organizations often have processes or follow standards that require that certain combinations of entitlements not be allowed. Entitlements are permissions, privileges, or access levels that allow users to take specific actions within third-party apps. In many orgs, managing entitlements and ensuring that unwanted combinations don't occur is left to admins. Admins often use manual processes to check if any unwanted combinations have been assigned to users. This can result in some users being assigned combinations of entitlements that can lead to potential conflicts of interest.
For example, imagine the scenario where someone can both create and pay invoices. This could result in detrimental outcomes for an organization, where one person could create fake invoices and also approve their payment. SOD rules can help to prevent these situations from occurring.
With SOD rules, you can adopt a two-pronged approach to manage conflicting entitlement assignments – preventative and remediative. Use Access Requests and Access Certifications to control which combinations of entitlements users are allowed to possess.
- Access Requests: Specify whether users are allowed (or allowed with custom settings) or blocked from requesting access that can cause an SOD rule conflict. Depending on how you configure the access requests setting, you can prevent users from accumulating entitlements that cause SOD rule conflicts. You can also run the Past Access Requests (Conditions) report to view access requests that have an SOD rule conflict using the Conflict name column.
- Access Certifications: Run campaigns to review and remediate existing access for users who have an SOD rule conflict. You can configure the contextual information available to reviewers to display SOD conflict details for review items from the Settings tab of the Access Certifications page.
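The two prongs described above, as an added sketch that is not Okta code and does not use the product's rule schema or API. It assumes a rule is two sets of entitlements that conflict when a user holds at least one from each; the rule model, entitlement names and users are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical rule model (assumption): not the product's schema or API.
ORDER = ["allow", "allow_with_oversight", "block"]  # least to most strict

@dataclass(frozen=True)
class SodRule:
    name: str
    side_a: frozenset   # entitlements on one side of the conflict
    side_b: frozenset   # entitlements on the other side
    on_request: str     # one of ORDER: what to do when a request would conflict

    def conflicts(self, entitlements):
        """True when the set holds at least one entitlement from each side."""
        held = set(entitlements)
        return bool(held & self.side_a) and bool(held & self.side_b)

def evaluate_request(rules, current, requested):
    """Preventative: would granting `requested` introduce a new conflict?"""
    after = set(current) | {requested}
    # Only count conflicts the grant creates, not ones the user already has.
    hits = [r for r in rules if r.conflicts(after) and not r.conflicts(current)]
    decision = max((r.on_request for r in hits), key=ORDER.index, default="allow")
    return decision, [r.name for r in hits]

def find_existing_conflicts(rules, assignments):
    """Remediative: (user, rule name) pairs that already violate a rule."""
    return sorted((user, r.name) for user, ents in assignments.items()
                  for r in rules if r.conflicts(ents))

# Constructed sample data.
RULES = [
    SodRule("Invoice create vs pay", frozenset({"invoice.create"}),
            frozenset({"invoice.pay"}), "block"),
    SodRule("Vendor admin vs pay", frozenset({"vendor.manage"}),
            frozenset({"invoice.pay"}), "allow_with_oversight"),
]
ASSIGNMENTS = {
    "alice": {"invoice.create"},
    "bob": {"invoice.create", "invoice.pay"},  # pre-existing manual assignment
    "carol": {"vendor.manage"},
}

if __name__ == "__main__":
    print(evaluate_request(RULES, ASSIGNMENTS["alice"], "invoice.pay"))
    print(evaluate_request(RULES, ASSIGNMENTS["carol"], "invoice.pay"))
    print(find_existing_conflicts(RULES, ASSIGNMENTS))
```

The request check compares the entitlement set before and after the grant, so a user who already holds a conflict is surfaced by the scan of existing assignments rather than by every later request.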