
Handling Policy Violations

By creating your first separation of duties policies in IdentityNow, you've taken a proactive step toward keeping your organization safe.

Next, you'll use those policies to track violations, and prevent some violations before they occur.

Detective Separation of Duties

Detective separation of duties allows you to detect policy violations that have occurred in your org.

Below, you can see several ways to discover policy violations in your data.

Prerequisite:

  • One or more separation of duties policies or general policies have been created in your org.

Download a Report of Violations to a Single Policy

  1. Sign in to IdentityNow and go to Search.

  2. Click the Policies icon in the vertical toolbar.

  3. Click the policy you want to view.

  4. Click the menu icon and click Get Report.

You can create one subscription to each SoD policy. See the section below for details.

Subscribe to an SoD Policy

To receive regular reports on violations of a policy you've created, configure a policy subscription. You can subscribe to a disabled policy, but subscription emails are only sent for enabled policies.

This email is sent to all users who have been added as subscribers. Subscribers can:

  • View the email generated by the subscription
  • View the policy in IdentityNow, if they have access to the admin interface

Org administrators can unsubscribe a user using the POST /scheduled-searches/{id}/unsubscribe API.
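As an added example (not SailPoint's own code), here is a small Python script that calls the unsubscribe API mentioned above with only the standard library. The tenant name, client credentials, subscription ID and identity ID are hypothetical placeholders; the base URL pattern and the client-credentials token flow at /oauth/token follow the tenant API conventions, and the request body shape (a typed reference to the identity being removed) and the 204 success status are taken from the v3 API reference and should be treated as assumptions to verify against your tenant.

```python
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical tenant name; the host pattern is the tenant API base URL.
TENANT = "acme"
API_BASE = f"https://{TENANT}.api.identitynow.com"


def build_unsubscribe_request(subscription_id: str, identity_id: str, base: str = API_BASE):
    """Build the URL and JSON body for POST /v3/scheduled-searches/{id}/unsubscribe.

    The body is a typed reference to the identity being removed from the
    subscription's recipients (shape taken from the v3 API reference; assumption).
    """
    if not subscription_id or not identity_id:
        raise ValueError("subscription_id and identity_id are required")
    # Percent-encode the path segment so an unexpected id cannot alter the path.
    path_id = urllib.parse.quote(subscription_id, safe="")
    url = f"{base}/v3/scheduled-searches/{path_id}/unsubscribe"
    body = {"type": "IDENTITY", "id": identity_id}
    return url, body


def get_token(client_id: str, client_secret: str, base: str = API_BASE) -> str:
    """OAuth2 client-credentials flow against the tenant's /oauth/token endpoint."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(f"{base}/oauth/token", data=form, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def unsubscribe(token: str, subscription_id: str, identity_id: str, base: str = API_BASE) -> int:
    """Remove identity_id from the subscription's recipients; returns the HTTP status."""
    url, body = build_unsubscribe_request(subscription_id, identity_id, base)
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status  # 204 No Content is the documented success response (assumption)
    except urllib.error.HTTPError as err:
        # Typical failures: 403 (caller is not an org admin / token lacks scope), 404 (no such subscription).
        detail = err.read().decode(errors="replace")
        print(f"unsubscribe failed: HTTP {err.code}: {detail}", file=sys.stderr)
        return err.code


if __name__ == "__main__":
    # Usage: python unsubscribe.py <client_id> <client_secret> <subscription_id> <identity_id>
    cid, secret, sub_id, ident_id = sys.argv[1:5]
    status = unsubscribe(get_token(cid, secret), sub_id, ident_id)
    print("removed" if status == 204 else f"not removed (HTTP {status})")
```

The request-building step is kept separate from the network call so the URL and body can be checked before anything is sent. Note that the policy's Violation Owner is always a subscriber and cannot be removed, so expect the call to be rejected for that identity.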

Best Practices for Other Subscribers

  • Let all subscribers know about the subscription in advance, including the frequency with which they'll receive emails.
  • Because some subscribers might not be regular IdentityNow users, it's important to make the Name and Description values for each subscription clear.

To subscribe to an SoD policy:

  1. In Search, click the Layers icon to view your SoD policies. Click the policy you want to subscribe to.

  2. Click the envelope icon to begin creating your subscription.

  3. Select a time zone for this policy subscription and click Next.

  4. Choose a schedule for your subscription. The following options are available:

    • Daily - Select the times of day at which subscribers should receive a violation report each day. The times you select appear on the right, next to the drop-down. Click the x next to a time to remove it from the list. Daily is the default option.
    • Weekly - Select the days of the week and the times at which you'd like to receive a violation report. The days and times you select appear on the right, next to the drop-down. Click the x next to a selection to remove it from the list.
    • Monthly - Use the checkboxes to select the days of the month (by number) and the times at which you'd like to receive a violation report. The days and times you select appear on the right, next to the drop-down. Click the x next to a day or time to remove it from the list.

    You can only use one schedule option at a time. For example, if you start with a weekly schedule but move to monthly, your weekly subscription will end.

    Select Next.

  5. On the Information page, define the details that are used to create the email subscription including Name, Description, and Subscribers who'll receive the email subscription.

    Note:

    Typically, users need to be subscribed to an SoD policy if they will need to manage policy enforcement. An SoD policy's Violation Owner is always added to subscriptions to the policy and can't be removed.

    You can also choose to send the report even when there are no violations.

    Click Next.

  6. On the Summary page, review your subscription. The first four lines are about the policy, and the next four are about the subscription.

    Click Subscribe.

All subscribers can receive violation reports at the cadence you selected as long as the policy is enabled.

You can review and change the email that subscribers receive. See SoD Policy Subscription Notification Email Template for details.

Download a Report of All Policy Violations

  1. Sign in to IdentityNow and go to Search.

  2. Click the Policies icon in the vertical toolbar.

  3. Click the Get All Results icon.

Policy and Violation Limits

You can have a maximum of 500 total policies, of either type, in your org. In each access-based SoD policy, you can have a maximum of 50 entitlements in each access list.

Reports on policy violations are limited to a specific number of violations. Excessive policy violations could be indicative of a larger data problem or a sign that your policy is incorrectly constructed. Consider correcting those issues before downloading reports of your policy violations.

Preventative Separation of Duties

Preventative SoD lets you find and prevent policy violations before they occur. SailPoint is always working on ways to keep your data safer, and we expect to expand this list in the future.

Notification During Access Requests

Requesters and reviewers will be notified when a request would put an identity in violation of an SoD policy.

This feature is only available for access-based SoD policies.

Requester

If a user requests access that would put the recipient in violation of an SoD policy, that request will display a warning icon in their Requests tab. They will see a button to review the policies they would be violating.

Recipient

If the recipient of the access is someone other than the requester, they will also see the request in their Requests tab with a warning icon.

Reviewer

The reviewer for an access request won't see the request until IdentityNow has processed it to check for potential SoD policy violations. If violations are detected, the request is displayed with a warning icon and a Review Policy button.

Reviewers can see additional information about the policy, including the names of the Policy Owner, the Violation Owner, and the access included in each access list.