Segregation of Duties Compatibility Matrix
When segregation of duties categories are defined within the system, you specify which segregation of duties categories are mutually exclusive. Segregation of duties compatibility constraints are stored in the system as pairs in a segregation of duties category matrix.
If two categories are compatible, a single user is permitted to have access to application resources that exist in both of these categories without violating a defined segregation of duties policy. Conversely, if two categories are incompatible, a single user is permitted to have access to a function in either category, but not both.
To ensure that segregation of duties provides adequate internal control within your organization, a user cannot have access privileges to any functions that belong to mutually exclusive categories.
See Maintaining the Segregation of Duties Matrix.
Segregation of Duties Verification
The system verifies the integrity of your defined segregation of duties policy by ensuring that the following two rules are not violated:
Rule 1 verifies that the assignments specified do not violate role permissions compliance; that is, all the resources to which a role grants access must be associated with compatible segregation of duties categories.
Rule 2 verifies that the assignments specified do not violate role membership compliance; that is, all roles to which a user belongs must be associated with compatible segregation of duties categories.
Each system user is logically associated with a set of segregation of duties categories, indirectly, through the user’s role assignment.
The SOD Block All Rule Violations field in SOD Configuration (36.3.27.14) controls whether the system blocks any changes to role-based security that would allow users to access conflicting resources. If this field is cleared, administrators are not blocked from giving users access to functions with conflicting segregation of duties categories; instead, a violation is raised and written to the segregation of duties logs.
See Segregation of Duties Rule Checking for detailed information.
Segregation of Duties Policy Exceptions
Segregation of duties permits policy exceptions to be defined to accommodate special circumstances—for example, when a business unit lacks sufficient personnel to adequately implement segregation of duties. Policy exceptions are defined on a user-by-user basis. That is, individual users can be given access to resources that are not compatible under your segregation of duties policy.
See Maintaining Segregation of Duties Policy Exceptions.
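The two verification rules, the blocking setting, and per-user policy exceptions described above can be modeled as follows. This is an added illustration, not code from the product: all category, resource, role, and user names are constructed, and recording an exception as a (user, category pair) entry is an assumption about how exceptions are scoped.

```python
from itertools import combinations

# Constructed sample data; every name below is hypothetical.
INCOMPATIBLE = {frozenset(p) for p in [("PAY", "VENDOR"), ("PAY", "RECON")]}
RESOURCE_CATEGORY = {"create_vendor": "VENDOR", "approve_payment": "PAY",
                     "reconcile_bank": "RECON", "view_ledger": "REPORT"}
ROLE_RESOURCES = {"vendor_admin": {"create_vendor", "view_ledger"},
                  "payments": {"approve_payment"},
                  "ap_super": {"create_vendor", "approve_payment"}}
USER_ROLES = {"alice": {"vendor_admin"}, "bob": {"vendor_admin", "payments"},
              "carol": {"vendor_admin", "payments"}}
# Assumption: an exception is recorded per user and per incompatible pair.
EXCEPTIONS = {("carol", frozenset(("PAY", "VENDOR")))}

def role_categories(role):
    return {RESOURCE_CATEGORY[r] for r in ROLE_RESOURCES[role]}

def conflicts(categories):
    """Return the incompatible category pairs present in a set of categories."""
    return {frozenset(p) for p in combinations(sorted(categories), 2)} & INCOMPATIBLE

def rule1_violations():
    """Rule 1: resources granted by one role must be in compatible categories."""
    found = {role: conflicts(role_categories(role)) for role in ROLE_RESOURCES}
    return {role: pairs for role, pairs in found.items() if pairs}

def rule2_violations():
    """Rule 2: the roles a user belongs to must be in compatible categories."""
    out = {}
    for user, roles in USER_ROLES.items():
        cats = set().union(*(role_categories(r) for r in roles))
        pairs = {p for p in conflicts(cats) if (user, p) not in EXCEPTIONS}
        if pairs:
            out[user] = pairs
    return out

def assign_role(user, role, block_all, log):
    """Model the blocking setting: reject the change, or apply it and log it."""
    before = USER_ROLES.get(user, set())
    USER_ROLES[user] = before | {role}
    found = rule2_violations().get(user)
    if found and block_all:
        USER_ROLES[user] = before  # roll back the blocked change
        return False
    if found:
        log.append((user, role, sorted(sorted(p) for p in found)))
    return True
```

With blocking off, the log is the only record that a conflicting assignment was made, so it is the artifact to review when auditing role changes.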