Segregation of Duties Compatibility Matrix
When you define segregation of duties categories within the system, you also specify which of those categories are mutually exclusive. These compatibility constraints are stored in the system as pairs in a segregation of duties category matrix.
If two categories are compatible, a single user is permitted to have access to application resources that exist in both of these categories without violating a defined segregation of duties policy. Conversely, if two categories are incompatible, a single user is permitted to have access to a function in either category, but not both.
To ensure that segregation of duties provides adequate internal control within your organization, a user cannot have access privileges to any functions that belong to mutually exclusive categories.
Segregation of Duties Policy Exceptions
Segregation of duties permits policy exceptions to be defined to accommodate special circumstances—for example, when a business unit lacks sufficient personnel to adequately implement segregation of duties. Policy exceptions are defined on a user-by-user basis. That is, individual users can be given access to resources that are not compatible under your segregation of duties policy.
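The following added example (not code from the product this page describes) shows how a pair-based category matrix and user-by-user exceptions can be evaluated against each user's function access. All category, function and user names are constructed, and scoping an exception to a specific category pair is an assumption, since the page only states that exceptions are defined per user.

```python
from itertools import combinations

# Constructed sample data; all names are hypothetical.
# Matrix stored as unordered pairs of mutually exclusive categories.
INCOMPATIBLE = {
    frozenset({"VENDOR_MAINT", "PAYMENTS"}),
    frozenset({"PO_ENTRY", "PO_APPROVAL"}),
}
# Application function -> segregation of duties category.
FUNCTION_CATEGORY = {
    "create_vendor": "VENDOR_MAINT",
    "issue_payment": "PAYMENTS",
    "enter_po": "PO_ENTRY",
    "approve_po": "PO_APPROVAL",
    "view_report": "REPORTING",
}
USER_FUNCTIONS = {
    "alice": {"create_vendor", "view_report"},
    "bob": {"create_vendor", "issue_payment"},
    "carol": {"enter_po", "approve_po", "issue_payment"},
}
# Per-user exceptions (assumed here to be scoped to a category pair).
EXCEPTIONS = {"carol": {frozenset({"PO_ENTRY", "PO_APPROVAL"})}}


def find_violations(user_functions, function_category, incompatible, exceptions):
    """Return {user: {"violations": [...], "excepted": [...]}} of category pairs."""
    report = {}
    for user, functions in sorted(user_functions.items()):
        # Fail closed: a function with no category cannot be evaluated.
        unmapped = sorted(f for f in functions if f not in function_category)
        if unmapped:
            raise ValueError(f"{user}: uncategorized functions {unmapped}")
        categories = sorted({function_category[f] for f in functions})
        violations, excepted = [], []
        for a, b in combinations(categories, 2):
            pair = frozenset({a, b})
            if pair not in incompatible:
                continue
            target = excepted if pair in exceptions.get(user, set()) else violations
            target.append((a, b))
        if violations or excepted:
            report[user] = {"violations": violations, "excepted": excepted}
    return report


if __name__ == "__main__":
    print(find_violations(USER_FUNCTIONS, FUNCTION_CATEGORY, INCOMPATIBLE, EXCEPTIONS))
```

Excepted pairs are returned separately from violations so that access granted under an exception stays visible to reviewers.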