Skip to content

Managing Policies

When using SailPoint's Separation of Duties (SoD) service, you can implement Separation of Duties policies to limit each user's involvement in important processes and protect your organization from individuals gaining excess access.

You can have a maximum of 500 total policies, of either type, in your org. In each access-based SoD policy, you can have a maximum of 50 entitlements in each access list. You need at least one entitlement in each access list to prevent errors.

Creating a Separation of Duties Policy

The concept of separation of duties means that people shouldn't have conflicting sets of access - that all their access should be organized in a way that protects your company's assets and data.

For example, people who record monetary transactions shouldn't be able to issue payment for those transactions. Changes to major system configurations should be approved by someone other than the person requesting the change.

Using your internal security rules, you can create Separation of Duties (SoD) policies to enforce and track those rules.

To create an SoD policy, you'll create two lists of access. A violation will be triggered if an identity has access found in both lists.

Prerequisite:

  • Know your company's policies and have access to your internal documentation.

To create a separation of duties policy:

  1. Go to Admin > SoD Policies, then select Create New.

    Note

    The top navigation bar includes a shortcut to this page. Select the Add icon , then SoD Policy.

    • To edit an existing policy, select Actions > Edit on its row.
  2. On the Policy Details tab, enter of update the following information about your policy:

    • Details

      • Name - Name of the policy.
      • Description - Describe the policy.
      • External Reference (optional) - Add a url to link to external references about the policy, such as the framework requirement that it addresses or fulfills.
      • Tags (optional) - Tags to help identify this policy in filters or searches.
      • Enable policy - Toggle to enable or disable this policy from being applied in your tenant.
    • Ownership

      • Policy Owner - Select between individual or governance group, then use the dropdown to select who is responsible for this policy.
      • Co-Owners (optional) - You may select up to 10 individual(s) or governance group to co-own this policy.
      • Violation Owner - User responsible for addressing violations of this policy. May be an individual, manager, governance group, or none. If you select None, then the Policy Owner will be designated to address violations.
    • Violation Actions

      • Mitigating Controls (optional) - Select the mitigating controls that are available to be applied to this policy
      • Mitigation Advice (optional) - Enter advice for mitigating risks related to this policy.
      • Remediation Advice (optional) - Enter advice for remediating issues related to this policy.
    • Level

      • Select a risk classification for this policy. Options may include Critical, High, Medium, or Low.
  3. Select Next.

  4. On the Policy Rules tab, define rules for this policy by creating lists of entitlements that present an SoD conflict.

    Note

    Policies can have a maximum of 50 entitlements per side.

  5. Enter a name for List A. This is your first list of entitlements that the policy will compare against the entitlements in list B.

  6. Add entitlements to List A.

    • Select + Add Entitlements. You can use the search field to search for specific entitlements that are already on the list.
    • Scroll or search to locate entitlements and select the checkboxes to include them in List A.
    • Select Add.
    • The selected entitlements will appear in List A on the Define Rules page.
    • To remove an entitlement from the list, select the Delete icon .
  7. Enter a name for List B.

  8. Add entitlements to List B.

    • Select + Add Entitlements.
    • Scroll or search to locate entitlements and select the checkboxes to include them in List B.
    • Select Add.
    • The selected entitlements will appear in List B on the Define Rules page.
    • To remove an entitlement from the list, select the Delete icon .
  9. Select Next.

  10. On the Review tab, review all elements of your policy. Select one of the previous tabs if you want to make changes to that information.
  11. Select Finish.
  12. The new policy appears on the Separation of Duties Policies page. Enable it by selecting Actions > Enable Policy.

Managing SoD Policies

The Separation of Duties Policies page includes a list of all policies by name and includes description, status, scheduled run, level, violations, owner, co-owners, and actions. Find policies by scrolling. Select the Filter icon to filter by level (critical, high, medium, or low) and status (enabled or disabled).

The following options are available in the Actions column for each policy:

  • Enable or Disable Policy
  • Edit
  • Delete

Caution

Deleting a policy could impact current violations and compromise compliance requirements.

Select any policy to view its details, controls, and policy definition. Move between these pages using the left navigation.

SoD Policy Details

On a policy’s Details page, details that apply to the policy are at the top of the page and policy violations are in a table below, including identity, violation owner, level, conflicting items, status, and exception expiration date.

You can customize this view by selecting the column chooser icon and selecting the options you want to include.

Use the Actions dropdown at the top right to:

  • Edit
  • Enable or Disable Policy
  • Run Policy
  • Schedule
  • Create Certification
  • Export
  • Delete

Creating and Editing Policy-Specific SoD Controls

You can create and edit controls to help you manage separation of duties policies.

  1. From the Separation of Duties Policies page, select a policy name.
  2. On the left navigation, select Controls.
  3. If you are creating a new control, select Add Control. To edit an existing control, find and select the control’s name in the table.
  4. Select Create New or find an existing control.
  5. Enter or update the control name and description.
  6. Select the type of owner, individual or governance group, then use the Owning Identity dropdown to select which individual or governance group.
  7. (Optional) Select individuals and/or governance groups as co-owners for this control.
  8. (Optional) Select the checkbox to require comments for this control.
  9. Select the number of days that should elapse before this control expires.
  10. Select Create and Add or Save.

SoD Policy Definition

The Policy Definition page shows explicitly how the policy is defined. For example, it may state that identities that have any List A entitlements cannot also have any entitlement included on List B. All of the entitlements are listed for each.

Running a Policy

You may choose to run a policy ad hoc or schedule your policies to run on a set cadence.

Run Now

To run a policy ad hoc:

  1. Go to Admin > SoD Policies.
  2. Locate and select the policy you want to schedule.
  3. Select Actions > Run Policy.
  4. Select Run Policy to confirm that you want to run the policy at the next available time.
  5. The policy runs and violations are listed on the Policy Violations page.

Schedule Policy

To schedule a policy to run in the future:

  1. Go to Admin > SoD Policies.
  2. Locate and select the policy you want to schedule.
  3. Select Actions > Schedule.
  4. Enter scheduling information for running the policy, including frequency, end date, times that the policy should run, time zone (optional), and subscribers to notifications.
  5. Use the toggle to set whether or not the system should send an email when there are no violations.
  6. Select Save.
  7. The policy will run at the scheduled time(s). Violations will be listed on the Policy Violations page and notifications will be sent to subscribers.

Remove Scheduled Policy Run

You can cancel running a policy that is scheduled.

  1. Go to Admin > SoD Policies.
  2. Locate and select the policy whose schedule you want to change.
  3. On the policy’s Details page, hover over Scheduled Run and select the Edit icon .
  4. Select Delete Schedule.
  5. Select Remove Policy Run to confirm that you want to remove the schedule that runs this policy.
  6. The policy will not run at the previously scheduled time(s).

Creating and Editing SoD Controls

You can create and edit controls to help you manage separation of duties policies.

  1. Go to Admin > SoD Policies.
  2. On the left navigation, select Controls.
  3. If you are creating a new control, select Create New. To edit an existing control, select the control’s name in the table.
  4. Enter or update the control name and description.
  5. Select the type of owner, individual or governance group, then use the Owning Identity dropdown to select which individual or governance group.
  6. (Optional) Select individuals and/or governance groups as co-owners for this control.
  7. (Optional) Select the checkbox to require comments for this control.
  8. Select the number of days that should elapse before this control expires.
  9. Select Create or Save.

Viewing SoD Violations

You can view a list of SoD policy violations. Note that there are multiple risk levels for violations and controls: critical, high, medium, and low.

  1. Go to Admin > SoD Policies.
  2. On the left navigation, select Policy Violations.
  3. You can filter the list of violations by policy name, identity, violation owner, or level. Quick filters are also available for All, Open, and Mitigated violations.
  4. Select a specific violation to view its details, such as identity email, policy violated, policy description, status, expiration, policy level, and a list of specific conflicts. If the violation has been mitigated, details about that mitigation are also included.

Mitigating SoD Violations

Mitigate SoD policy violations from the Policy Violations page.

  1. Go to Admin > SoD Policies.
  2. On the left navigation, select Policy Violations.
  3. You can filter the list of violations by policy name, identity, violation owner, or level. Quick filters are also available for All, Open, and Mitigated violations.
  4. Select a specific violation to view its details, such as identity email, policy violated, policy description, status, expiration, policy level, and a list of specific conflicts. If the violation has been mitigated, details about that mitigation are also included.
  5. Select Mitigate.
  6. Select a mitigating control to address the policy conflict.
  7. Add comments about the mitigation.
  8. Select Apply.

SoD Violation Event Triggers

SoD event triggers are available for elements of the SoD violation lifecycle, when an SoD violation is created, mitigated, reopened and closed. Refer to Using Event Triggers.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.