A direct segregation of duties violation occurs when you attempt to use Role Permissions Maintain (36.3.6.5) to assign a role to functions that have incompatible segregation of duties categories. Direct violations also occur if you attempt to use Role Membership Maintain (36.3.6.6) to assign multiple roles to a user that have incompatible segregation of duties categories.

Users are always blocked from performing actions in Role Permissions Maintain (36.3.6.5) that cause Rule 1 violations and are always blocked from performing actions in Role Membership Maintain (36.3.6.6) that cause Rule 2 violations, regardless of the setting in the SOD Block All Rule Violations field in SOD Configuration (36.3.27.14).

Indirect violations occur if you perform actions that violate segregation of duties rules using screens other than Role Permissions Maintain (36.3.6.5) and Role Membership Maintain. However, role membership (Rule 2) violations caused by updates in Role Permissions Maintain (36.3.6.5) are also examples of indirect violations.

Indirect Segregation of Duties Violation shows how the system handles an indirect violation when the SOD Block All Violations field is selected in SOD Configuration (36.3.27.14). In this example, the segregation of duties category code POMaint applies to the creation of purchase orders (POs) in Purchase Order Maintenance, and the segregation of duties category code POReceive applies to the recording of PO receipts in Purchase Order Receipts. For segregation of duties to be properly implemented, the PO maintenance and PO receipt functions must be performed by two different users. The POMaint and POReceive categories are defined as mutually exclusive in SOD Matrix Maintain (36.3.27.3).

The user who maintains POs has to take personal leave unexpectedly and the PO receipt clerk has to perform both duties for a number of days. A segregation of duties policy exception is defined for this, and the PO maintenance role is assigned to the PO receipts clerk. The assignment of both roles violates segregation of duties rules, but because of the policy exception, no violations are raised.

A user attempts to delete the segregation of duties policy exception, but is blocked from doing so. Deleting the exception causes indirect segregation of duties violations.