Creating Separation of Duties Policies

You can author EmpowerID Separation of Duties (SoD) Policies to raise flags known as SoD Violations when unacceptable combinations of group or role assignments accrue to any one person. For example, you can raise a flag when a person is assigned to a Management Role that allows them to write RBAC policy while being in a Management Role that allows that same person to approve any violations occurring to those policies. With a SoD policy, you can rectify these situations by adding those roles to the policy. Then when the policy is compiled, it looks for any person having both of those roles.
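To make concrete what "compiled" means here, the following added Python example (it is not EmpowerID's code, and every policy, role and person name in it is constructed) models the check in a generalized form: each policy type on this page pairs two collections, and a person with an active assignment in both collections at the same time is a violation. It also reflects two details from this procedure, that a disabled policy reports nothing and that an assignment outside its validity dates no longer counts.

```python
"""Added example (not EmpowerID's own code): a minimal model of what compiling a
Separation of Duties policy does.  Every policy type on this page pairs two
collections of assignments (Groups, Management Roles, Query-Based Collections
or Access Levels); a person who holds something from both collections at the
same time is an SoD Violation.  All names and dates below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Assignment:
    """One person's membership in a group/role/set/access level, with validity dates."""
    person: str
    resource: str            # group, Management Role, Set Group or Access Level name
    start: date
    end: date | None = None  # None means the assignment is open-ended

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)


@dataclass(frozen=True)
class SodPolicy:
    name: str
    policy_type: str         # e.g. "Management Role Policy" (informational here)
    collection_a: frozenset[str]
    collection_b: frozenset[str]
    enabled: bool = True     # as on the page: a policy must be enabled before it can run


@dataclass(frozen=True)
class Violation:
    policy: str
    person: str
    from_a: str
    from_b: str


def compile_policy(policy: SodPolicy, assignments: list[Assignment], as_of: date) -> list[Violation]:
    """Return one Violation per (person, resource-from-A, resource-from-B) combination
    active on `as_of`.  A disabled policy reports nothing."""
    if not policy.enabled:
        return []
    held: dict[str, set[str]] = {}  # person -> resources active on as_of
    for a in assignments:
        if a.active_on(as_of):
            held.setdefault(a.person, set()).add(a.resource)
    violations: list[Violation] = []
    for person in sorted(held):
        in_a = sorted(held[person] & policy.collection_a)
        in_b = sorted(held[person] & policy.collection_b)
        for ra in in_a:
            for rb in in_b:
                if ra != rb:  # a resource listed in both collections does not conflict with itself
                    violations.append(Violation(policy.name, person, ra, rb))
    return violations


# Constructed sample: the page's example of a policy author who is also an auditor/approver.
SAMPLE_POLICY = SodPolicy(
    name="Policy authors may not approve or audit policies",
    policy_type="Management Role Policy",
    collection_a=frozenset({"RBAC Policy Author"}),
    collection_b=frozenset({"RBAC Policy Auditor", "SoD Violation Approver"}),
)
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "RBAC Policy Author", date(2023, 1, 1)),
    Assignment("alice", "RBAC Policy Auditor", date(2023, 6, 1)),
    Assignment("bob", "RBAC Policy Author", date(2022, 1, 1)),
    Assignment("bob", "SoD Violation Approver", date(2022, 1, 1), date(2022, 12, 31)),  # expired
    Assignment("carol", "RBAC Policy Auditor", date(2023, 1, 1)),
]


def sample_violations(as_of: str = "2024-01-15") -> list[tuple[str, str, str]]:
    """Compile the sample policy on an ISO date and return (person, from_a, from_b) triples."""
    found = compile_policy(SAMPLE_POLICY, SAMPLE_ASSIGNMENTS, date.fromisoformat(as_of))
    return [(v.person, v.from_a, v.from_b) for v in found]


if __name__ == "__main__":
    for person, ra, rb in sample_violations():
        print(f"{SAMPLE_POLICY.name}: {person} holds '{ra}' and '{rb}'")
```

Run on the default date only alice is flagged; bob's approver assignment ended in 2022, so compiling the same policy with `sample_violations("2022-06-01")` flags bob instead. The point of the model is that the policy itself only names the two collections; the violations come out of the compile step against whatever assignments are active.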


To create a Separation of Duties Policy

  1. In the Navigation Sidebar, expand For Recertification Managers and click Audit Configuration.
  2. From the Audit Configuration page, click the Actions tab and click Create SoD Policy.

  3. In the SoD Policy Details form that appears, drop down the Policy Type and select one of the following options:
    • Group Membership Policy - This policy type allows you to combine two collections or sets of Groups to define a Separation of Duties violation for people who are members of groups contained in both collections at the same time. An example of this is a SoD policy that denies any person who is a member of a contractor's group from being a member of a domain admin group at the same time.
    • Management Role Policy - This policy type allows you to combine two collections or sets of Management Role Assignments to define a Separation of Duties violation for people who are members of Management Roles contained in both collections at the same time. An example of this could be a SoD policy that denies a person with a Management Role assignment that allows them to author security policies from being assigned to a Management Role that gives them audit privileges for those policies.
    • Query-Based Collections Policy - This policy type allows you to combine two collections of objects or query-based sets to define a Separation of Duties violation for people who are in both Query-Based Collections at the same time. Query-Based Collections (also known as "Set Groups") are comprised of Sets, which are SQL, LDAP or code-based queries. These Sets are re-evaluated by the EmpowerID engine on a scheduled basis and can group collections of people or resources based upon queries written against the EmpowerID Identity Warehouse or other external systems in your environment.
    • Resource Role Policy - This policy type allows you to combine two collections or sets of Access Levels to define a Separation of Duties violation for people who have Access Levels in both collections at the same time. An example of this could be a SoD policy that denies an individual person from holding the Modify Access Level for shared folders in Switzerland and the Modify Access Level for shared folders in the United States at the same time.
  4. Enter information for the SoD policy in the Name, Display Name and Description fields.
  5. Optionally, select a workflow to process the SoD violations from the Custom Workflow drop-down. This example selects the SoD Violation with Email Notification workflow, which sends email notifications to everyone assigned the Reviewers Access Level for the policy.

    Info

    EmpowerID ships with one workflow configured for SoD violations, the SoD Violation with Email Notifications workflow mentioned above. You can expand this library, adding your own workflows for handling SoD violations as needed. If you do create your own workflows, you must tag them with the "SoD" tag to make them appear in the Custom Workflow drop-down.

  6. Select Enabled to enable the policy. The policy must be enabled before it can be run.

    The below image shows what the form looks like at this point for a SoD policy we are creating in our environment. We want this policy to raise a flag if someone is given a Management Role that allows them to author policies while being an auditor. We also want an email to be sent to each person assigned the Reviewer Access Level for the policy.

  7. Below Schedule, select start and end dates for the Separation of Duties policy from the Start and End calendars. The default start date is the date you create the policy and the default end date is 10 years from the creation date.
  8. Below Schedule, select the interval and iterations for running the policy. Iterations can be set to run indefinitely or to a specified count. When setting the interval, you have the following options:
    • Once - Runs the policy once at the specified time.
    • Minute - Runs the policy every "X" minutes according to the specified interval. For example, if you set the interval to "12" and have selected "Run Indefinitely," the policy runs once every 12 minutes during the specified start and end dates.
    • Weekly - Runs the policy every "X" weeks according to the specified interval. For example, if you set the interval to "12" and have selected "Run Indefinitely," the policy runs once every 12 weeks during the specified start and end dates.
    • Monthly - Runs the policy every "X" months according to the specified interval. For example, if you set the interval to "6" and have selected "Run Indefinitely," the policy runs once every 6 months during the specified start and end dates.
    • Hour - Runs the policy every "X" hours according to the specified interval. For example, if you set the interval to "12" and have selected "Run Indefinitely," the policy runs once every 12 hours during the specified start and end dates.
    • Daily - Runs the policy every "X" days according to the specified interval. For example, if you set the interval to "3" and have selected "Run Indefinitely," the policy runs once every 3 days during the specified start and end dates.

      The following image shows what the schedule looks like for a policy that has been configured to run once weekly every Monday at 7:00 am during the specified dates.

  9. Click Save to save your policy.
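The Schedule settings in steps 7 and 8 (Start and End dates, an interval unit with a count, and either a fixed number of iterations or Run Indefinitely) determine exactly when the policy is compiled. The following added Python example, which is not EmpowerID's code and uses a constructed date window, expands such a schedule into its run times so the interaction between the options is visible: Run Indefinitely is still bounded by the End date, an iteration count stops the series early, and Monthly runs are computed from the Start date so a 31st-of-the-month start does not drift after a short month.

```python
"""Added example (not EmpowerID's own code): expands the Schedule settings described
in this procedure (Start/End dates, interval unit, interval count, iterations) into
the list of times at which the policy would run.  All dates below are constructed."""
from __future__ import annotations

from calendar import monthrange
from datetime import datetime, timedelta

# Fixed-length interval units; Monthly is handled separately because months vary.
_UNIT_DELTA = {
    "Minute": timedelta(minutes=1),
    "Hour": timedelta(hours=1),
    "Daily": timedelta(days=1),
    "Weekly": timedelta(weeks=1),
}


def add_months(dt: datetime, n: int) -> datetime:
    """Advance by n calendar months, clamping the day to the target month's length."""
    idx = dt.month - 1 + n
    year, month = dt.year + idx // 12, idx % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, monthrange(year, month)[1]))


def nth_run(start: datetime, unit: str, interval: int, k: int) -> datetime:
    """The k-th run (k = 0 is the Start date).  Computed from `start` rather than from
    the previous run so that monthly day-clamping (31 Jan -> 29 Feb) does not drift."""
    if unit == "Monthly":
        return add_months(start, k * interval)
    return start + _UNIT_DELTA[unit] * (k * interval)


def schedule_runs(start: datetime, end: datetime, unit: str, interval: int = 1,
                  iterations: int | None = None, limit: int = 100_000) -> list[datetime]:
    """Run times for a policy that runs every `interval` units between `start` and `end`.
    `iterations=None` means "Run Indefinitely", which is still bounded by the End date;
    `limit` guards against runaway expansion (e.g. every minute for ten years)."""
    if unit == "Once":
        return [start] if start <= end else []
    if unit not in _UNIT_DELTA and unit != "Monthly":
        raise ValueError(f"unknown interval unit {unit!r}")
    if interval < 1:
        raise ValueError("interval must be at least 1")
    runs: list[datetime] = []
    k = 0
    while iterations is None or k < iterations:
        run = nth_run(start, unit, interval, k)
        if run > end:
            break
        if k >= limit:
            raise RuntimeError(f"schedule expands to more than {limit} runs")
        runs.append(run)
        k += 1
    return runs


def weekly_monday_sample(iterations: int | None = None) -> list[str]:
    """The page's example: once weekly, every Monday at 7:00 am (constructed window)."""
    start = datetime(2024, 1, 1, 7, 0)  # 1 Jan 2024 is a Monday
    end = datetime(2024, 3, 1, 0, 0)
    return [dt.strftime("%Y-%m-%d %H:%M %a")
            for dt in schedule_runs(start, end, "Weekly", 1, iterations)]


def monthly_clamp_sample() -> list[str]:
    """Monthly from 31 Jan: the day is clamped per month but does not drift."""
    runs = schedule_runs(datetime(2024, 1, 31), datetime(2024, 5, 1), "Monthly", 1)
    return [dt.strftime("%Y-%m-%d") for dt in runs]


if __name__ == "__main__":
    print("\n".join(weekly_monday_sample()))
    print("\n".join(monthly_clamp_sample()))
```

The weekly sample yields nine Monday runs before the constructed End date; passing `iterations=3` cuts it to three, which is the difference between Run Indefinitely and a fixed iteration count on the form.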
Related Content

Concepts:
    • Understanding Separation of Duties Policies

Administrative Procedures:
    • Adding Rules to Separation of Duties Policies
    • Compiling Separation of Duties Policies
    • Reviewing Separation of Duties Violations