When using SailPoint's Separation of Duties service, you can implement these types of policies:
NOTE: If you had SoD policies in your org before October 6, 2020, those policies were migrated automatically to General Policies. To use future SoD functionality with these policies, migrate them to access-based policies. See Migrating Policies for more information.
You can use the information in this document to create these policies.
The concept of separation of duties means that people shouldn't have conflicting sets of access: all of their access should be organized in a way that protects your company's assets and data.
For example, people who record monetary transactions shouldn't be able to issue payment for those transactions. Changes to major system configurations should be approved by someone other than the person requesting the change.
Using your internal security rules, you can create Separation of Duties (SoD) policies within IdentityNow to enforce and track those rules.
To create an SoD policy, you'll create two lists of access. A violation will be triggered if an identity has access found in both lists.
Prerequisites:
Complete the following steps:
1. Sign in to IdentityNow and go to Search.
2. In the vertical toolbar on the left, click Policies.
3. Click Create New Policy.
4. Click Create Access Lists under Separation of Duties Policy. Access found in one list conflicts with access found in the other list. An identity in your system will trigger a violation if they have access found in both of these lists.
5. Enter a name for each access list. Click Next. The Search page is displayed.
6. Use Search to find entitlements that you want to add to each list. For more information about Search, see Structuring a Search.
7. Select the entitlements that you want to add to one of your lists.
8. Click the + Add button with the name of the appropriate list to add the selected entitlements to that list. You can also click the + icon beside an individual entitlement and choose which list to add it to. NOTES:
When you're finished adding entitlements to your lists, click Next.
The Configuration page is displayed.
9. In the Policy Information section, enter the following:
10. In the Separation of Duties Policy Owners section, enter the following:
If you choose to use a governance group or individual as an owner for this policy, enter the name of that entity in the field. When you click this field, the first six items of your selected type are displayed. To see more, begin typing.
11. In the Addressing Violations section, enter the following:
Click Next.
12. Review your policy.
13. Click Save Policy.
A success message is displayed.
After you've created a policy, you can edit the policy, or take action by downloading reports, enabling the policy, or disabling it.
General policies are intended to keep your identity data organized.
For example, you can create a policy to verify that all employees in your org have a department code, to ensure your corporate policies are implemented. Alternatively, identify employees that don't have managers, to prevent problems with certifications.
To create a general policy, you'll start with a search query to find all identities that meet criteria that violate your organization's internal policies.
Prerequisites:
Complete the following steps:
1. Sign in to IdentityNow and go to Search. You can also get to this page by selecting the Layers icon in the vertical toolbar, clicking Create New Policy, and clicking Create Search Query under General Policy.
2. Enter a search query. This query should return identities whose data is in violation of your internal policies. For example, you could search for identities in an error status, or identities that don't have a manager or a department code.
3. Click General Policy.
4. Click Next.
5. Enter the following information on the Configuration page:
Click Next.
6. Enter the following information on the Information page:
Click Next.
7. Review your policy and click Create. A success message is displayed. After you've created a policy, you can edit the policy, or take action by downloading reports, enabling the policy, or disabling it.
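The two policy types described above (an access-based SoD policy built from two conflicting access lists, and a general policy built from a search query) evaluated against constructed identity data. This is an added example, not SailPoint's code; the identity attributes, entitlement names and sample identities are assumptions, and the 50-entitlements-per-list check reflects the limit stated in this document.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

MAX_ENTITLEMENTS_PER_LIST = 50  # per-list limit stated in the documentation above

@dataclass
class Identity:
    name: str
    entitlements: Set[str]
    department_code: Optional[str] = None
    manager: Optional[str] = None

@dataclass
class SodPolicy:
    """Access-based SoD policy: two access lists that conflict with each other."""
    name: str
    list_a: Set[str]
    list_b: Set[str]

    def __post_init__(self) -> None:
        for label, lst in (("A", self.list_a), ("B", self.list_b)):
            if len(lst) > MAX_ENTITLEMENTS_PER_LIST:
                raise ValueError(f"{self.name}: access list {label} exceeds "
                                 f"{MAX_ENTITLEMENTS_PER_LIST} entitlements")

    def violations(self, identities: List[Identity]) -> List[Tuple[str, List[str], List[str]]]:
        """An identity is in violation only if it holds access from BOTH lists."""
        found = []
        for ident in identities:
            in_a = ident.entitlements & self.list_a
            in_b = ident.entitlements & self.list_b
            if in_a and in_b:
                found.append((ident.name, sorted(in_a), sorted(in_b)))
        return found

def general_policy_violations(identities: List[Identity],
                              query: Callable[[Identity], bool]) -> List[str]:
    """A general policy is a query; every identity it returns is in violation."""
    return [ident.name for ident in identities if query(ident)]

# Constructed sample data with hypothetical entitlement names.
SAMPLE_IDENTITIES = [
    Identity("alice", {"AP:RecordTransaction", "AP:IssuePayment"}, "FIN", "dave"),
    Identity("bob", {"AP:RecordTransaction"}, "FIN", "dave"),
    Identity("carol", {"AP:IssuePayment"}, None, None),
]
SAMPLE_POLICY = SodPolicy("Record vs Pay", {"AP:RecordTransaction"}, {"AP:IssuePayment"})
```

Running `SAMPLE_POLICY.violations(SAMPLE_IDENTITIES)` flags only alice, who can both record and pay; `general_policy_violations(SAMPLE_IDENTITIES, lambda i: i.manager is None)` flags carol, the identity without a manager.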
Basic information about all policies can be edited. You can also edit the access lists in access-based SoD policies.
Prerequisite: One or more SoD or general policies have been created in your organization.
Complete the following steps:
1. Sign in to IdentityNow and go to Search.
2. Click the Policies icon in the vertical toolbar.
3. Click the policy you want to edit.
4. Click the Options menu and click Edit.
5. Make changes to the data about your policy on the Configuration tab.
If you need to make changes to an SoD policy's access lists, go to the Conflicting Access tab.
After you've created a policy, you can view it in the Policies list and take action on it.
Prerequisite: One or more SoD or general policies have been created in your organization.
Complete the following steps:
1. Sign in to IdentityNow and go to Search.
2. Click the Policies icon in the vertical toolbar.
You can take the following actions:
You can have a maximum of 500 total policies, of either type, in your org. In each access-based SoD policy, you can have a maximum of 50 entitlements in each access list.
Reports on policy violations are limited to a specific number of violations. Excessive policy violations could be indicative of a larger data problem, or a sign that your policy is incorrectly constructed. Consider correcting those issues before downloading reports of your policy violations.
Your site has the following limitations on violations:
If you had separation of duties policies before Oct. 6, 2020, these policies were automatically migrated to general policies when access-based SoD policies were introduced.
This is because those legacy policies and general policies are constructed the same way, with search queries.
To use future functionality related to SoD, such as preventative SoD, you’ll need to migrate these policies to access-based SoD policies.