17.4 Managing Separation of Duties Constraints

The Manage Separation of Duties action on the Roles tab of the Identity Manager user interface allows you to:

An SoD constraint represents a rule that makes two roles, of the same level, mutually exclusive. If a user is in one role, they cannot be in the second role, unless there is an exception allowed for that constraint. You can define whether exceptions to the constraint are always allowed or are only allowed through an approval flow.

Page Access The Manage Separation of Duties page can be accessed by the Role Administrator or Security Officer. The Security Officer requires Browse rights to the SoDDef container in the Identity Vault, but does not require browse rights to roles.

17.4.1 Creating New Separation of Duties Constraints

  1. Click Manage Separation of Duties in the list of Role Management actions.

  2. Click New.

  3. Navigate to the New Separation of Duty Constraint Details. For information on completing the fields, see Table 17-5.

  4. Navigate to the Approval Details section. For information on completing the fields, see Table 17-6.

  5. Click Save to make your changes permanent.

17.4.2 Modifying Existing SoD Constraints

  1. Click Manage Separation of Duties in the Role Management group of actions.

  2. To view or modify an existing SoD constraint, use the Use the Object Selector or the Show History tool to select the constraint. For details on using the Object Selector and Show History tools, see Using the Object Selector Button for Searching.

  3. Select the SoD you want from the list. The lookup page closes and displays the Separation of Duties Constraints Details and Approval Details for the selected SoD.

  4. For information on filling in the fields, see Table 17-5, Separation of Duty Constraint Details and Table 17-6, Approval Details.

  5. Click Save to make your changes permanent.

17.4.3 SoD Constraint Property Reference

Table 17-5 Separation of Duty Constraint Details

Field

Description

SoD Constraint Name

The name of the constraint. It is displayed in reports and when the user requests a constraint exception.You cannot include the following characters in the SoD Constraint Name when you create a constraint:

< > , ; \ " +  # = / | & *

You can localize it in any of the supported languages by clicking .

This name can also be supplied in the SoD Editor in Designer for Identity Manager.

SoD Constraint Description

The description of the constraint.

You can localize it in any of the supported languages by clicking .

This name can be supplied in the SoD Editor in Designer for Identity Manager.

Conflicting Role

The name of the role for which you want to define a constraint. A role defines a set of privileges related to one or more target systems or applications.

This field is read-only during a modify operation.

Conflicting Role

The name of the role in conflict. Click Browse to locate an existing role from the available roles.

This field is read-only during a modify operation.

NOTE:It is important to specify the two roles in conflict. The order that you specify the roles in conflict does not matter.

Table 17-6 Approval Details

Field

Description

Approval Required

Select Yes if you want to launch a workflow when a user requests an exception to the SoD constraint.

NOTE:If the is SoD Exception results from an implicit assignment, such as through group or container membership, choosing Yes does not result in approval workflow starting. The SoD exception is always granted, and it is logged as such.

Select No if the user can request an exception to the SoD constraint and no approval is required. In this case, the exception is always approved.

SoD Approval Definition

Displays the read-only name of the provisioning request definition that executes when a user requests an SoD constraint exception. The value is derived from the Roles Configuration object. It is only executed when the Approval Required is Yes.

Approval Type

A read-only field that displays the processing type for the provisioning request definition displayed above. This value is derived from the Roles Configuration object.

Use Default Approvers

Select Yes if the approvers are specified in the Role Subsystem.

Select User if the SoD approval task should be assigned to one or more users.Select Group if the SoD approval task should be assigned to a group. Select Role if the SoD approval task should be assigned to a role.

To locate a specific user, group, or role, use the Object Selector or History buttons as described in Section 1.4.4, Common User Actions.

To change the order of the approvers in the list or to delete an approver, use the buttons as described in Section 1.4.4, Common User Actions.