ACI operations for the separation of duty policy protection category

We can configure role owners to have access control capabilities over separation of duty policies through access control items (ACIs). The ACIs allow role owners to do tasks such as editing or tracking violations. ACIs must apply to the business unit in which the policy is defined. Creators of separation of duty ACIs can define ACI filter rules to scope the policies to which an ACI applies.

Add
Protects separation of duty policy creation. The add operation fails if this ACI is not met.

Exemption Administration
Protects separation of duty policy violation and exemption management through the Violations and Exemptions Summary page. The ability to exempt a violation or revoke an exemption is governed by this operation. The Approve and Revoke buttons are not displayed if this ACI is not met. The operations of exempt and revoke also apply to the public API.

Modify
Protects separation of duty policy modifications. The modify operation fails if this ACI is not met. When the modify operation is denied and the search operation is allowed, the user has a read-only view of the policy.

Reconcile
Protects separation of duty policy reconciliation. Separation of duty policy reconciliation is the operation that analyzes the policy separations and creates violations or cleans up violations or exemptions. Clicking the Evaluate button causes a "not authorized" message to be displayed if this ACI is not met.

Remove
Protects separation of duty policy deletions. Clicking the Delete button causes a "not authorized" message to be displayed if this ACI is not met.

Search
Protects separation of duty policy searches. With the search operation granted, the user can see details about violations and exemptions. If a user is authorized for search but not modify, the user can open the policy in a read-only mode and view violations and exemptions. However, the user cannot act on those violations and exemptions or change the policy.
