Creating SoD Policies

You can author EmpowerID Separation of Duties (SoD) Policies to raise flags known as SoD Violations when unacceptable combinations of group or role assignments accrue to any one person. For example, you can raise a flag when a person is assigned to a Management Role that allows them to write RBAC policy while also holding a Management Role that allows that same person to approve any violations occurring to those policies. With a SoD policy, you flag these situations by adding those roles to the policy. Then, when the policy is compiled and run, it looks for any person holding both of those roles.

To create a Separation of Duties Policy

  1. In the navigation sidebar, expand Compliance Management and click Audit Configuration.
  2. From the Audit Configuration page, click the Actions tab and click Create SoD Policy.



  3. In the SoD Policy Details form that appears, drop down the Policy Type and select one of the following options:
    • Group Membership Policy - Combine two collections or sets of Groups to define a violation for people who are members of groups in both collections at the same time. For example, you can deny any person who is a member of a contractor's group from being a member of a domain admin group at the same time.
    • Management Role Policy - Combine two collections or sets of Management Role assignments to define a violation for people who are members of Management Roles contained in both collections at the same time. For example, you can deny a person with a Management Role assignment that allows them to author security policies from being assigned to a Management Role that gives them audit privileges for those policies.
    • Query-Based Collections Policy - Combine two collections of objects or query-based sets to define a violation for people who are in both Query-Based Collections at the same time. 

      Query-Based Collections (also known as "Set Groups") are comprised of Sets, which are SQL, LDAP or code-based queries. These Sets are re-evaluated by the EmpowerID engine on a scheduled basis and can group collections of people or resources based upon queries written against the EmpowerID Identity Warehouse or other external systems in your environment.

    • Resource Role Policy - Combine two collections or sets of Access Levels to define a violation for people who have Access Levels in both collections at the same time. For example, you can deny a person from holding the Modify access level for shared folders in Switzerland and the Modify access level for shared folders in the United States at the same time.

  4. Enter information for the SoD policy in the Name, Display Name, and Description fields.
  5. Optionally, select a workflow to process the SoD violations from the Custom Workflow drop-down. This example selects the SOD Violation with Email Notification workflow that sends email notifications to everyone assigned the Reviewers access level for the policy.

    EmpowerID ships with one workflow configured for SoD violations, the SoD Violation with Email Notifications workflow mentioned above. You can expand this library, adding your own workflows for handling SoD violations as needed. If you do create your own workflows, you must tag them with the "SoD" tag to make them appear in the Custom Workflow drop-down.

  6. Select Enabled to enable the policy. The policy must be enabled before it can be run.

    The image below shows what the form looks like at this point. We want this policy to raise a flag if someone is given a Management Role that allows them to author policies while also being an auditor. We also want an email to be sent to each person assigned the Reviewer access level for the policy.



  7. Below Schedule, select start and end dates for the Separation of Duties policy from the Start and End calendars. The default start date is the date you create the policy and the default end date is 10 years from the creation date.
  8. Below Schedule, select interval and iterations for running the policy. Iterations can be set to run indefinitely or to a specified count. When setting the interval, you have the following options:
    • Once - Runs the policy once at the specified time.
    • Minute - Runs the policy every "X" minutes according to the specified interval.
      For example, if you set the interval to "12" and have selected "Run Indefinitely," the policy runs once every 12 minutes between the specified start and end dates.
    • Weekly - Runs the policy every "X" weeks according to the specified interval.
      For example, if you set the interval to "12" and have selected "Run Indefinitely," the policy runs once every 12 weeks between the specified start and end dates.
    • Monthly - Runs the policy every "X" months according to the specified interval.
      For example, if you set the interval to "6" and have selected "Run Indefinitely," the policy runs once every 6 months between the specified start and end dates.
    • Hour - Runs the policy every "X" hours according to the specified interval.
      For example, if you set the interval to "12" and have selected "Run Indefinitely," the policy runs once every 12 hours between the specified start and end dates.
    • Daily - Runs the policy every "X" days according to the specified interval.
      For example, if you set the interval to "3" and have selected "Run Indefinitely," the policy runs once every 3 days between the specified start and end dates.

      The following image shows what the schedule looks like for a policy that has been configured to run once weekly every Monday at 7:00 am between the specified dates.



  9. Click Save to save your policy. After you save the policy, a new Separation of Duties Rule section appears below.
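    The Schedule settings in steps 7 and 8 determine how often the policy is compiled and run, and therefore how long a conflicting assignment can exist before it is flagged. The following Python block, an added example that is not part of EmpowerID or of this article, models those settings: the interval types named above, "Run Indefinitely" bounded only by the end date, or a fixed iteration count, and the 10-year default end date. The function and parameter names are assumptions made for the example.

```python
import calendar
from datetime import datetime, timedelta
from itertools import count, islice

# Interval types listed in step 8, mapped to a fixed-length step.
# "Monthly" is handled separately because months vary in length.
FIXED_STEPS = {
    "Minute": timedelta(minutes=1),
    "Hour": timedelta(hours=1),
    "Daily": timedelta(days=1),
    "Weekly": timedelta(weeks=1),
}


def add_months(moment, months):
    """Advance a datetime by whole months, clamping the day to the target month's length."""
    month_index = moment.month - 1 + months
    year = moment.year + month_index // 12
    month = month_index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def default_end_date(start):
    """The page states the default end date is 10 years after the creation date."""
    return add_months(start, 120)


def iter_runs(start, end, interval_type, interval=1, iterations=None):
    """Yield the run times for a SoD policy schedule (hypothetical model).

    interval_type: "Once", "Minute", "Hour", "Daily", "Weekly" or "Monthly".
    interval:      the "X" in "every X minutes/hours/days/weeks/months".
    iterations:    None means "Run Indefinitely" (bounded only by `end`);
                   an integer caps the number of runs.
    """
    if interval_type == "Once":
        if start <= end:
            yield start
        return
    if interval < 1:
        raise ValueError("interval must be at least 1")
    if interval_type != "Monthly" and interval_type not in FIXED_STEPS:
        raise ValueError(f"unknown interval type: {interval_type}")

    # Compute each run from the start date rather than from the previous run,
    # so a monthly schedule anchored on the 31st does not drift after February.
    for n in count():
        if iterations is not None and n >= iterations:
            return
        if interval_type == "Monthly":
            run_at = add_months(start, n * interval)
        else:
            run_at = start + n * interval * FIXED_STEPS[interval_type]
        if run_at > end:
            return
        yield run_at


def schedule_runs(start, end, interval_type, interval=1, iterations=None, max_runs=1000):
    """Materialise at most `max_runs` run times as a list (an indefinite
    minute-level schedule over ten years would otherwise be millions of entries)."""
    return list(islice(iter_runs(start, end, interval_type, interval, iterations), max_runs))


if __name__ == "__main__":
    # Constructed example matching the page's weekly Monday 07:00 schedule.
    start = datetime(2024, 1, 1, 7, 0)  # a Monday
    for run_at in schedule_runs(start, datetime(2024, 2, 1), "Weekly"):
        print(run_at.strftime("%Y-%m-%d %H:%M %A"))
```

With "Run Indefinitely" the schedule is still bounded by the end date, so a policy whose end date has passed silently stops producing runs; when tuning the interval, remember that it is also the upper bound on how long a violating combination of assignments goes undetected.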


Once you have created a Separation of Duties (SoD) policy, you define it by adding rules based on an intersection of assignments or attributes that result in inappropriate access to resources. You must add two sets of expressions to implement the policy.

To add rules to the SoD Policy

  1. Scroll to the Separation of Duties Rule section. This section contains two grids for adding the sets of roles or groups whose cross-assignment to any one person causes a SoD violation to occur.

    The image below shows the Separation of Duties Rule section for a Management Role policy.



  2. In Set A of the Separation of Duties Rule section, in the Enter name to add field, type the name of the first role (or group, depending on the policy type) that defines the inappropriate assignment and then click the tile for that object.



    The Added flag increments by one. Repeat for as many roles as you need to add for the first set.



  3. In Set B of the Separation of Duties Rule section, in the Enter name to add field, type the name of the second role that defines the inappropriate assignment and then click the tile for that object.



    The Added flag increments by one. Repeat for as many roles as you need to add for the second set. If you make a mistake, click the orange arrow to show the list from which you can delete items.



  4. Click Save. The added roles appear in their respective grids.



    You can add or remove roles from either set at any time by editing the policy.
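    The rule defined by Set A and Set B is an intersection check: a violation exists for any one person who holds at least one item from Set A and at least one item from Set B at the same time, evaluated against whichever assignment kind the policy type targets. The following Python block is an added example, not EmpowerID's own code, that models that compilation step for all four policy types named earlier; the policy and assignment data structures, the function names and the sample people and role names are constructed for the example.

```python
from itertools import product

# The four policy types from the SoD Policy Details form, each mapped to the
# kind of assignment it is evaluated against (keys are assumed for the example).
POLICY_TYPES = {
    "Group Membership Policy": "groups",
    "Management Role Policy": "management_roles",
    "Query-Based Collections Policy": "query_collections",
    "Resource Role Policy": "access_levels",
}


def evaluate_sod_policy(policy, assignments):
    """Return the SoD violations a compiled policy would raise.

    policy:      {"name", "type", "enabled", "set_a": [...], "set_b": [...]}
    assignments: {person: {"groups": {...}, "management_roles": {...}, ...}}
    """
    # The page states a policy must be enabled before it can be run.
    if not policy.get("enabled", False):
        return []
    kind = POLICY_TYPES[policy["type"]]
    set_a, set_b = set(policy["set_a"]), set(policy["set_b"])
    violations = []
    for person, held in sorted(assignments.items()):
        held_of_kind = set(held.get(kind, ()))
        in_a = held_of_kind & set_a
        in_b = held_of_kind & set_b
        # Holding items from only one set is allowed; both at once is the violation.
        if in_a and in_b:
            violations.append({
                "policy": policy["name"],
                "person": person,
                # Every (Set A item, Set B item) pair the person holds, so a
                # reviewer can see exactly which cross-assignment triggered it.
                "conflicts": sorted(product(sorted(in_a), sorted(in_b))),
            })
    return violations


def evaluate_all(policies, assignments):
    """Run every policy, as the scheduler would, and flatten the results."""
    return [v for p in policies for v in evaluate_sod_policy(p, assignments)]


# Constructed sample policies mirroring the examples given on the page.
AUTHOR_VS_AUDITOR = {
    "name": "Policy Author vs Auditor",
    "type": "Management Role Policy",
    "enabled": True,
    "set_a": ["RBAC Policy Author"],
    "set_b": ["Policy Auditor"],
}
CONTRACTOR_VS_ADMIN = {
    "name": "Contractor vs Domain Admin",
    "type": "Group Membership Policy",
    "enabled": True,
    "set_a": ["Contractors"],
    "set_b": ["Domain Admins"],
}

# Constructed sample assignments: alice and dave violate, bob and carol do not.
ASSIGNMENTS = {
    "alice": {"management_roles": {"RBAC Policy Author", "Policy Auditor"}},
    "bob": {"management_roles": {"RBAC Policy Author"}},
    "carol": {"management_roles": {"Policy Auditor"}, "groups": {"Contractors"}},
    "dave": {"groups": {"Contractors", "Domain Admins"}},
}

if __name__ == "__main__":
    for violation in evaluate_all([AUTHOR_VS_AUDITOR, CONTRACTOR_VS_ADMIN], ASSIGNMENTS):
        print(f"{violation['policy']}: {violation['person']} -> {violation['conflicts']}")
```

Note that carol holds an auditor role and a contractor group membership, but no single policy places both of those in its Set A and Set B, so she is not flagged; a combination is only a violation if some policy pairs it.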

After the SoD Policy is created, assign the Reviewer resource role to members of your audit team for both the SoD policy and the Person objects that could be violators of the policy so that they can perform an audit on any SoD Violations that occur. Each time a Separation of Duties policy runs and catches violations, auditors can find the SoD Violations tasks in the EmpowerID web application by expanding Compliance Management, then SoD Violations, where there is a To Do page and a Done page.
