The
action on the tab of the Identity Manager user interface allows you to:Define a Separation of Duties (SoD) constraint (or rule).
Define how to process requests for exceptions to the constraint.
An SoD constraint represents a rule that makes two roles, of the same level, mutually exclusive. If a user is in one role, they cannot be in the second role, unless there is an exception allowed for that constraint. You can define whether exceptions to the constraint are always allowed or are only allowed through an approval flow.
Page Access The Manage Separation of Duties page can be accessed by the Role Administrator or Security Officer. The Security Officer requires Browse rights to the SoDDef container in the Identity Vault, but does not require browse rights to roles.
Click
in the list of actions.Click
.Navigate to the Table 17-5.
. For information on completing the fields, seeNavigate to the Table 17-6.
section. For information on completing the fields, seeClick
to make your changes permanent.Click
in the group of actions.To view or modify an existing SoD constraint, use the Use the Using the Object Selector Button for Searching.
or the tool to select the constraint. For details on using the and tools, seeSelect the SoD you want from the list. The lookup page closes and displays the
and for the selected SoD.For information on filling in the fields, see Table 17-5, Separation of Duty Constraint Details and Table 17-6, Approval Details.
Click
to make your changes permanent.Table 17-5 Separation of Duty Constraint Details
NOTE:It is important to specify the two roles in conflict. The order that you specify the roles in conflict does not matter.
Table 17-6 Approval Details
Field |
Description |
---|---|
|
Select Yes if you want to launch a workflow when a user requests an exception to the SoD constraint. NOTE:If the is SoD Exception results from an implicit assignment, such as through group or container membership, choosing Yes does not result in approval workflow starting. The SoD exception is always granted, and it is logged as such. Select if the user can request an exception to the SoD constraint and no approval is required. In this case, the exception is always approved. |
|
Displays the read-only name of the provisioning request definition that executes when a user requests an SoD constraint exception. The value is derived from the Roles Configuration object. It is only executed when the is . |
|
A read-only field that displays the processing type for the provisioning request definition displayed above. This value is derived from the Roles Configuration object. |
|
Select if the approvers are specified in the Role Subsystem.Select if the SoD approval task should be assigned to one or more users.Select if the SoD approval task should be assigned to a group. Select if the SoD approval task should be assigned to a role.To locate a specific user, group, or role, use the Object Selector or History buttons as described in Section 1.4.4, Common User Actions. To change the order of the approvers in the list or to delete an approver, use the buttons as described in Section 1.4.4, Common User Actions. |