Handling Policy Violations

By creating your first separation of duties policies in IdentityNow, you've taken some proactive steps toward keeping your organization safe.

Next, you'll use those policies to track violations, and prevent some violations before they occur.

Detective Separation of Duties

Detective separation of duties allows you to detect policy violations that have occurred in your org.

Below, you can see several ways to discover policy violations in your data.

Prerequisites:

  • One or more separation of duties policies or general policies have been created in your org.

Download a Report of Violations to a Single Policy

  1. Sign in to IdentityNow and go to Search.

  2. Click the Policies icon in the vertical toolbar.

  3. Click the policy you want to view.

  4. Click the menu icon and click Get Report.

To receive a report of violations of this policy on a regular basis, click the Schedule icon. For more information about subscriptions, see Using Subscriptions.

Download a Report of All Policy Violations

  1. Sign in to IdentityNow and go to Search.

  2. Click the Policies icon in the vertical toolbar.

  3. Click the Get All Results icon.

Policy and Violation Limits

You can have a maximum of 500 total policies, of either type, in your org. In each access-based SoD policy, you can have a maximum of 50 entitlements in each access list.

Reports on policy violations are limited to a fixed maximum number of violations per report. An excessive number of policy violations could indicate a larger data problem, or a sign that your policy is incorrectly constructed. Consider correcting those issues before downloading reports of your policy violations.

Preventative Separation of Duties

Preventative SoD lets you find and prevent policy violations before they occur. SailPoint is always working on ways to keep your data safer, and we expect to expand this list in the future.

Notification During Access Requests

Requesters and reviewers will be notified when a request would put an identity in violation of an SoD policy.

This feature is only available for access-based SoD policies.

Requester

If a user requests access that would put the recipient in violation of an SoD policy, that request will display a warning icon in the requester's Requests tab, along with a button to review the policies the request would violate.

Recipient

If the recipient of the access is someone other than the requester, they will also see the request in their Requests tab with a warning icon.

Reviewer

The reviewer for an access request won't see the request until IdentityNow has processed it to check for potential SoD policy violations. If violations are detected, the request is displayed with a warning icon and a Review Policy button.

Reviewers can see additional information about the policy, including the names of the Policy Owner, the Violation Owner, and the access included in each access list.
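As an added illustration (not IdentityNow code or its API), the following Python models the detective check described under Detective Separation of Duties and the preventative check described under Notification During Access Requests. It assumes an access-based SoD policy consists of two access lists and that an identity is in violation when it holds at least one entitlement from each list; the policy and entitlement names are constructed.

```python
from dataclasses import dataclass

# Limits stated on the page for access-based SoD policies.
MAX_POLICIES = 500
MAX_ENTITLEMENTS_PER_LIST = 50


@dataclass(frozen=True)
class SodPolicy:
    """One access-based SoD policy: two lists of entitlement names (assumed model)."""
    name: str
    first_list: frozenset
    second_list: frozenset


def validate_policies(policies):
    """Reject a policy set that exceeds the documented limits."""
    if len(policies) > MAX_POLICIES:
        raise ValueError(f"more than {MAX_POLICIES} policies")
    for p in policies:
        for lst in (p.first_list, p.second_list):
            if len(lst) > MAX_ENTITLEMENTS_PER_LIST:
                raise ValueError(f"{p.name}: more than {MAX_ENTITLEMENTS_PER_LIST} entitlements in a list")
    return policies


def violations(policies, held):
    """Detective check: names of policies the identity's current access violates."""
    held = frozenset(held)
    return [p.name for p in policies
            if held & p.first_list and held & p.second_list]


def would_violate(policies, held, requested):
    """Preventative check: policies a pending request would newly violate."""
    before = set(violations(policies, held))
    after = violations(policies, frozenset(held) | frozenset(requested))
    return [name for name in after if name not in before]


# Constructed sample: a classic accounts-payable conflict (hypothetical names).
SAMPLE_POLICIES = validate_policies([
    SodPolicy("AP vendor setup vs payment approval",
              frozenset({"erp-vendor-create", "erp-vendor-edit"}),
              frozenset({"erp-payment-approve"})),
])

if __name__ == "__main__":
    held = {"erp-vendor-create"}
    print("current violations:", violations(SAMPLE_POLICIES, held))
    print("request would violate:", would_violate(SAMPLE_POLICIES, held, {"erp-payment-approve"}))
```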