Separation of duty policy violations and exemptions
A violation is an instance in which a user's role memberships conflict under a rule of a separation of duty policy. An exemption is a violation that a security administrator or an approval workflow has approved. Policy evaluation is the way violations are discovered.
Policy violations
A violation occurs when the roles that a user holds conflict according to a rule that is defined in a separation of duty policy. Violations are created when any of the following events occur:
- A user requests membership in a role that would violate one or more separation of duty policy rules.
- A user creates a separation of duty policy or rule.
- User records that are loaded into Security Identity Manager through an identity feed create a rule violation.
- Any other request to modify role membership creates a rule violation.
- Conflicts already exist among role memberships when a policy is introduced.
- A security administrator revokes an exemption.
When a policy is created or changed, the recorded violations are not updated automatically. You must either evaluate the policy or wait for a scheduled data synchronization.
Policy exemptions
An exemption is an approved separation of duty violation. The conflict is not flagged as a violation in an audit, and further updates to the user's role list do not require that the exemption be approved again. An exemption is created when a security administrator approves a request that violates a defined and active separation of duty policy. A security administrator can also convert existing violations into exemptions.
Exemptions are created for a specific policy rule, not for an entire policy. If a policy contains multiple rules and the user is approved for the violation of one rule, that user is not automatically allowed to violate the other rules in the policy.
Exemptions remain stored in the database when a policy is disabled. Therefore, if a policy is disabled and then re-enabled at a later date, the exemptions are remembered.
You can exempt a user from a separation of duty policy rule manually or through an approval process.
When a rule violation event occurs and a workflow activity for policy and role changes has been defined, an approval activity is created so that workflow participants (such as policy owners) can exempt the user from the specified separation of duty policy rule. Only a role membership change request for the user triggers an approval activity.
One approval activity is generated for each rule violation. If the approval is rejected, any modifications to the user that were made as part of the role membership change are lost. If an exemption approval request is triggered while a person is being created, that person is not created if the approval is rejected.
Policy evaluation
Policy evaluation is the way violations are discovered. It occurs in any of these situations:
- Click the Evaluate button. The policy is evaluated against all people who currently hold roles that are referenced in the policy.
- Perform a data synchronization. Rule violations are recorded for each policy, and the number of violations is displayed in the separation of duty policy table. You can then click the link in the table to view or modify the rule violations and exemptions, and exempt any rule violations manually.
- When you create an HR feed service, you can specify whether to evaluate separation of duty policies. If you choose to evaluate them, also enable workflow. With workflow enabled, an approval activity is generated for each separation of duty rule violation that is found in the incoming HR feed data, and that approval must be granted before the updates are applied in Security Identity Manager. If the approval is rejected, the entire entry or change in that HR feed record is ignored and is not stored in Security Identity Manager.
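The evaluation and exemption behavior described above, modeled as an added Python example. This is not code from Security Identity Manager, whose internal data model is not shown on this page. It assumes that a rule is a set of conflicting roles plus the maximum number of them one person may hold, and that an exemption is keyed by user, policy, and rule. The policy, rule, user, and role names are constructed sample data.

```python
"""Toy model of separation-of-duty (SoD) evaluation with per-rule exemptions.

Assumed semantics (not taken from the product documentation): a rule lists a set
of conflicting roles and the maximum number of them one person may hold.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    roles: frozenset           # the conflicting role set
    allowed: int               # max roles from the set one person may hold (assumption)


@dataclass
class Policy:
    policy_id: str
    rules: tuple               # one policy can hold several rules
    enabled: bool = True


@dataclass(frozen=True)
class Violation:
    user: str
    policy_id: str
    rule_id: str
    held: frozenset            # the conflicting roles the user actually holds


class SodEngine:
    """Stores policies and exemptions; evaluation is explicit, not automatic."""

    def __init__(self):
        self.policies = {}     # policy_id -> Policy
        # An exemption is keyed by (user, policy_id, rule_id): it covers one rule,
        # never the whole policy, and it survives disabling the policy.
        self.exemptions = set()

    def add_policy(self, policy):
        self.policies[policy.policy_id] = policy

    def set_enabled(self, policy_id, enabled):
        self.policies[policy_id].enabled = enabled   # exemptions are left untouched

    def grant_exemption(self, user, policy_id, rule_id):
        self.exemptions.add((user, policy_id, rule_id))

    def revoke_exemption(self, user, policy_id, rule_id):
        # Revoking makes the underlying conflict show up as a violation again.
        self.exemptions.discard((user, policy_id, rule_id))

    def evaluate(self, memberships):
        """Evaluate every enabled policy against a user -> set-of-roles map.

        Mirrors the Evaluate button / data synchronization: violations are
        recomputed from scratch, and exempted (user, policy, rule) triples are
        skipped so they are not reported.
        """
        found = []
        for policy in self.policies.values():
            if not policy.enabled:
                continue
            for rule in policy.rules:
                for user, roles in sorted(memberships.items()):
                    held = frozenset(roles) & rule.roles
                    if len(held) <= rule.allowed:
                        continue
                    if (user, policy.policy_id, rule.rule_id) in self.exemptions:
                        continue
                    found.append(Violation(user, policy.policy_id, rule.rule_id, held))
        return found

    def check_request(self, memberships, user, new_role):
        """Pre-check a role membership request: which rules would it newly break?

        This is where a workflow would open one approval activity per violated
        rule; if an approval is rejected the role is simply not granted.
        """
        before = {v for v in self.evaluate(memberships) if v.user == user}
        trial = dict(memberships)
        trial[user] = set(memberships.get(user, set())) | {new_role}
        after = {v for v in self.evaluate(trial) if v.user == user}
        return sorted(after - before, key=lambda v: (v.policy_id, v.rule_id))


def demo():
    """Walk through the page's lifecycle on constructed data; returns rule ids per step."""
    engine = SodEngine()
    engine.add_policy(Policy("AP-Payments", (
        Rule("R1-create-vs-approve", frozenset({"ap_create", "ap_approve"}), 1),
        Rule("R2-approve-vs-pay", frozenset({"ap_approve", "ap_pay"}), 1),
    )))
    members = {"alice": {"ap_create", "ap_approve", "ap_pay"}, "bob": {"ap_create"}}
    steps = {}
    steps["initial"] = [v.rule_id for v in engine.evaluate(members)]
    engine.grant_exemption("alice", "AP-Payments", "R1-create-vs-approve")
    steps["after_exempt_R1"] = [v.rule_id for v in engine.evaluate(members)]   # R2 still reported
    engine.set_enabled("AP-Payments", False)
    steps["disabled"] = [v.rule_id for v in engine.evaluate(members)]
    engine.set_enabled("AP-Payments", True)
    steps["re_enabled"] = [v.rule_id for v in engine.evaluate(members)]        # exemption remembered
    engine.revoke_exemption("alice", "AP-Payments", "R1-create-vs-approve")
    steps["after_revoke"] = [v.rule_id for v in engine.evaluate(members)]
    steps["bob_requests_approve"] = [v.rule_id for v in engine.check_request(members, "bob", "ap_approve")]
    return steps


if __name__ == "__main__":
    for step, rules in demo().items():
        print(f"{step:22} {rules}")
```

The demo shows the two properties the page stresses: exempting alice for rule R1 leaves her R2 violation in place, and disabling and re-enabling the policy does not lose the exemption. The `check_request` call is the pre-check a role membership request goes through before an approval activity is opened.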
Parent topic: Separation of duty policies