SoD Policy
- Updated on 17 Oct 2023
This is the landing page for SoD policies. From here, you can create a policy, add the owner and reviewer, set up the rules and run the SoD campaign.
The columns of the SoD policy list and their significance are:
| Sr. No. | Name | Description |
| --- | --- | --- |
| 1 | SoD policy name | The name given to the policy. |
| 2 | Description | Details of the policy. |
| 3 | Type | Whether the policy is created for a role, an application or an entitlement. |
| 4 | Policy status | The status of the policy: draft, active, in review or deactivated. |
| 5 | Primary SoD | The SoD policy owner's name. |
| 6 | Total violations | The count of all violations existing in the system, identified either through an offline campaign or by a campaign the system invokes automatically. |
| 7 | Action | Shows whether the policy is active or not. |
An SoD policy can be created for a role, an entitlement or an application.
Create a SoD policy
- Click +Add to create a new policy.
- In this window, enter the policy name, select what the policy applies to and provide a description.
- Click Add. The policy is added.
- Once the policy is created, you must add an owner and a reviewer for it.
- Search for the policy you just created.
- Select the policy to add or modify further details.
General tab
This tab holds the basic information of the SoD policy.
- Policy Name: You can edit the policy name.
- SoD policy is for: This field cannot be edited.
- Description: Edit the description of the policy rule set.
- Send notification before: Enter the number of days before the deadline by which the SoD owner and reviewers must receive a notification to review the violations of the SoD policy.
- Click Save.
SoD Owner
Details of the SoD owner and reviewer can be added or edited here.
Add an Owner
- Click SoD owner.
- Click Add Owner to assign an owner to the policy.
- Select a condition to match the results.
- In the value field, enter the username and search.
- Select an owner from the results.
- Enter the Step Duration in days. If the step duration is exceeded, the policy is delegated to the reviewer selected in the next step.
- Search with the username and select from the results.
- Click Add.
Note: If the current SoD owner is terminated or deleted from the system, an administrator must change the SoD owner.
Change Owner
The owner of a policy can be changed but not deleted.
- Select the existing owner and click Change Owner.
- Repeat the procedure from Step 3 of Add an Owner.
- Click Change.
Add Reviewer
- Click Add Reviewer to set up the reviewer.
- In this window, enter the following details:
  - Reviewer Type: Select Role or User from the drop-down.
  - Select a condition to match the results.
  - In the value field, enter the role name or username and search.
  - Select the appropriate role or user from the results.
  - Enter the Step Duration in days. If the step duration is exceeded, the policy is delegated to the reviewer selected in the next step.
  - Search with the username and select from the results.
- Click Add.
Delete Reviewer
- Select an existing reviewer name and click Delete Reviewer.
- Click Delete to confirm the deletion of the SoD reviewer.
- The SoD reviewer is deleted.
Rules
A "rule set" in SoD (Segregation of Duties) is a collection of specific rules that define the conditions under which access to certain resources (roles, applications or entitlements) or systems is controlled. These rules ensure that users do not hold combinations of permissions that could lead to misuse or security breaches.
The rule set can be added for:
- Roles
- Applications
- Entitlements
Any number of role, application or entitlement targets can be added to a rule set; there is no count limitation.
Add rule set for Application
- Click Rules.
- Click Add Rule.
- Specify the Rule Name.
- Search for the application names to add to Application Set 1 and Application Set 2.
- Click Add; the added rule is listed.
- Click View Details to see the application set details.
Add rule set for Roles
- Click Rules > Add Rules.
- Specify the Rule Name.
- Search for the role names to add to Role Set 1 and Role Set 2.
- Click Add; the added rule is listed.
- Click View Details to see the role set details.
Add rule set for Entitlements
- Click Rules > Add Rules.
- Specify the Rule Name.
- Search for the entitlement names to add to Entitlement Set 1 and Entitlement Set 2.
- Click Add; the added rule is listed.
- Click View Details to see the entitlement set details.
SoD Campaign
There are two types of SoD campaign:
- Online or real-time campaign: When you request access to a role, application or entitlement that is already part of an SoD policy, a warning prompt informs you of the SoD violation.
- Offline campaign: The owner or reviewer takes action manually as part of the offline campaign.
The functions of the SoD Campaign are:
- Click SoD Campaign.
- Click Run SoD Campaign to initiate the campaign and evaluate the violations of the policy.
- Click Run to confirm.
- Click Run a Preview to evaluate the rules.
- Click Proceed.
- Click View Preview Result. It shows the total number of violations, the rule name and other details.
- Click View Details. It shows the SoD owner and the pending, completed and total number of violations.
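The Rules and SoD Campaign sections above describe a rule as a pair of sets (Set 1 and Set 2) and two ways of evaluating it: an offline campaign over all users and a real-time warning on an access request. The following added example (not the product's own code; the rule and assignment data model is a constructed, hypothetical one) shows both evaluations side by side so the meaning of "total violations" and of the online warning is concrete.

```python
from dataclasses import dataclass

# Hypothetical data model: a rule names two sets of targets (roles, applications or entitlements).
# A user violates the rule by holding at least one target from each set.
@dataclass(frozen=True)
class SodRule:
    name: str
    set1: frozenset  # Role/Application/Entitlement Set 1
    set2: frozenset  # Role/Application/Entitlement Set 2

def rule_violations(rule, access):
    """Return the (Set 1 item, Set 2 item) conflict pairs one user's access hits for one rule."""
    left, right = access & rule.set1, access & rule.set2
    return sorted((a, b) for a in left for b in right if a != b)

def run_offline_campaign(rules, assignments):
    """Offline campaign: evaluate every user against every rule; returns violations per rule name."""
    report = {rule.name: [] for rule in rules}
    for user, access in assignments.items():
        for rule in rules:
            for pair in rule_violations(rule, access):
                report[rule.name].append((user,) + pair)
    return report

def total_violations(report):
    """The 'Total violations' figure the policy list shows."""
    return sum(len(v) for v in report.values())

def check_access_request(rules, current_access, requested):
    """Online (real-time) check: rules the requested target would newly put the user in conflict with."""
    proposed = set(current_access) | {requested}
    return [rule.name for rule in rules
            if len(rule_violations(rule, proposed)) > len(rule_violations(rule, set(current_access)))]

# Constructed sample rules and user assignments (not real policies from the page).
RULES = [
    SodRule("AP-Vendor-vs-Payment", frozenset({"AP_CreateVendor"}), frozenset({"AP_ApprovePayment"})),
    SodRule("Finance-Apps", frozenset({"Payroll", "GL"}), frozenset({"Treasury"})),
]
ASSIGNMENTS = {
    "alice": {"AP_CreateVendor", "AP_ApprovePayment"},  # one conflict under the first rule
    "bob": {"Payroll", "GL", "Treasury"},               # two conflict pairs under the second rule
    "carol": {"Payroll"},                               # no conflict today
}

if __name__ == "__main__":
    report = run_offline_campaign(RULES, ASSIGNMENTS)
    print("Offline campaign:", report, "total =", total_violations(report))
    print("Online check for carol requesting Treasury:", check_access_request(RULES, ASSIGNMENTS["carol"], "Treasury"))
    print("Online check for carol requesting GL:", check_access_request(RULES, ASSIGNMENTS["carol"], "GL"))
```

Note that a request for a second item from the same set (carol requesting GL while already holding Payroll) raises no warning, because only the cross-set combination is a violation.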