Create separation of duty policies

An administrator can create a separation of duty policy to use for auditing purposes. For example, we might create a separation of duty policy to report users that belong to multiple roles that are mutually exclusive.

To create a valid policy rule, we must have two or more roles defined in the system for the business unit we select.

To create a separation of duty policy:

  1. From the navigation tree, select Manage Policies > Manage Separation of Duty Policies. The Manage Separation of Duty Policies page is displayed.

  2. On the Manage Separation of Duty Policies page, in the Separation of Duty Policies table, click Create. The Create a Separation of Duty Policy page is displayed.

  3. On the Create a Separation of Duty Policy page:

    1. Enter a name for the policy.
    2. Provide a description for the policy.

    3. Select the business unit to which this policy applies. Click Search to search for a business unit. The Business Unit page is displayed.

  4. On the Business Unit page:

    1. Enter your search criteria, and then click Search.

    2. In the Business Units Found table, select a business unit and click OK. The Create a Separation of Duty Policy page is displayed.

  5. On the Create a Separation of Duty Policy page, in the Policy Rules table, click Create. The Create Policy Rule page is displayed.

  6. On the Create Policy Rule page:

    1. In the Description of separation field, type a description for the policy rule. For example, we might describe a rule that we add to a policy as People in the IT department may not be given accounting responsibilities.

    2. Enter each role name to add to the role separation list and click Add. If you enter the exact name of an existing role in the Role name field and click Add, the role is immediately added to the list. If you type a value in the Role name field that does not exactly match a role or matches more than one role, a search panel opens. Select the appropriate roles. We can search only for the roles for which we have permission.

    3. In the Allowed number of roles list, select the number of roles in the separation list to which a user can belong at the same time. Each policy rule must list two or more roles, and the allowed number can be, at most, one fewer than the total number of roles in the list; a user who holds more roles from the list than the allowed number violates the rule.

    4. Click OK. The Create a Separation of Duty Policy page is displayed.

  7. On the Create a Separation of Duty Policy page:

    1. Create more policy rules as necessary.

    2. Click the twisty icon next to Policy Owners. The Role Policy Owners table and the User Policy Owners table are displayed.

    3. In the Role Policy Owners table, click Add to search for and select roles to have ownership of the policy.

    4. In the User Policy Owners table, click Add to search for and select users to have ownership of the policy.

    5. In the Policy state field, select whether to enable or disable the policy. An enabled policy creates exemption approvals and warns users before they submit a role membership change that breaks a separation of duty rule. A disabled policy can still track violations, but it does not generate approvals or warn users. Violations from disabled policies are not displayed in audit reports. Using a disabled policy is a good way for a security administrator to track violations that occur before a policy is active in the system.

    6. Click Submit to save the policy.

A Success page is displayed, indicating that you successfully submitted a request for a new separation of duty policy.

We can view the request, continue working with policies, or click Close.
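As an added illustration (not code from the product or its documentation), the following Python models the policy-rule constraints from step 6 and the enabled/disabled policy-state behaviour from step 7; the class names, role names and sample memberships are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyRule:
    description: str
    roles: frozenset   # the role separation list
    allowed: int       # "Allowed number of roles" a user may hold from the list

    def validate(self) -> None:
        # two or more roles; allowed count between 1 and one fewer than the list size
        if len(self.roles) < 2:
            raise ValueError("a policy rule must list two or more roles")
        if not 1 <= self.allowed <= len(self.roles) - 1:
            raise ValueError(f"allowed number must be 1..{len(self.roles) - 1}")

@dataclass(frozen=True)
class SodPolicy:
    name: str
    business_unit: str
    enabled: bool      # the "Policy state" field
    rules: tuple

def rule_violations(policy, roles):
    """Rules broken by a role set: more roles held from a rule's list than allowed."""
    out = []
    for rule in policy.rules:
        held = rule.roles & frozenset(roles)
        if len(held) > rule.allowed:
            out.append((rule.description, sorted(held)))
    return out

def evaluate_change(policy, current_roles, new_role):
    """Adding new_role: violations are tracked whether the policy is enabled or
    disabled; only an enabled policy warns the submitter and creates an exemption approval."""
    broken = rule_violations(policy, list(current_roles) + [new_role])
    return {"violations": broken, "warn": policy.enabled and bool(broken)}

def audit_report(policy, memberships):
    """Audit view: violations from a disabled policy are not displayed."""
    if not policy.enabled:
        return []
    return [(u, d, r) for u, roles in memberships.items() for d, r in rule_violations(policy, roles)]

# Constructed sample data (hypothetical role names, not from the page)
IT_VS_ACCOUNTING = PolicyRule(
    "People in the IT department may not be given accounting responsibilities",
    frozenset({"IT Administrator", "Accounts Payable", "Accounts Receivable"}), allowed=1)
POLICY = SodPolicy("IT vs accounting", "Finance", True, (IT_VS_ACCOUNTING,))
MEMBERSHIPS = {"alice": ["IT Administrator"], "bob": ["Accounts Payable", "Accounts Receivable"]}
```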
