An administrator can create a separation of duty policy to use for auditing purposes. For example, you might create a separation of duty policy to report users that belong to multiple roles that are mutually exclusive.
Before you begin
Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.
To create a valid policy rule, you must have two or more roles defined in the system for the business unit you select.
About this task
To create a separation of duty policy, complete these steps:
Procedure
- From the navigation tree, select .
  The Manage Separation of Duty Policies page is displayed.
- On the Manage Separation of Duty Policies page, in the Separation of Duty Policies table, click Create.
  The Create a Separation of Duty Policy page is displayed.
- On the Create a Separation of Duty Policy page, complete these steps:
  - Type a name for the policy.
  - Provide a description for the policy.
  - Select the business unit to which this policy applies. Click Search to search for a business unit.
    The Business Unit page is displayed.
- On the Business Unit page, complete these steps:
  - Type your search criteria, and then click Search.
  - In the Business Units Found table, select a business unit and click OK.
    The Create a Separation of Duty Policy page is displayed.
- On the Create a Separation of Duty Policy page, in the Policy Rules table, click Create.
  The Create Policy Rule page is displayed.
- On the Create Policy Rule page, complete these steps:
  - In the Description of separation field, type a description for the policy rule. For example, you might describe a rule that you add to a policy as People in the IT department may not be given accounting responsibilities.
  - Type each role name that you want to add to the role separation list and click Add.
    If you type the exact name of an existing role in the Role name field and click Add, the role is immediately added to the list. If you type a value in the Role name field that does not exactly match a role or matches more than one role, a search panel opens. Select the appropriate roles.
    Note: You can search only for the roles for which you have permission.
  - In the Allowed number of roles list, select the number of roles to which a user can belong.
    For each policy rule that you create, two or more roles must be listed. The number of roles to which a user can belong depends on how many roles you allow in the policy rule. The number of roles that you allow can be, at a maximum, one fewer than the total number of roles in the list.
  - Click OK.
    The Create a Separation of Duty Policy page is displayed.
- On the Create a Separation of Duty Policy page, complete these steps:
  - Create more policy rules as necessary.
  - Click the icon next to Policy Owners. The Role Policy Owners table and the User Policy Owners table are displayed.
  - In the Role Policy Owners table, click Add to search for and select roles to have ownership of the policy.
  - In the User Policy Owners table, click Add to search for and select users to have ownership of the policy.
  - In the Policy state field, select whether to enable or disable the policy.
    An enabled policy creates exemption approvals and warns users before they submit a role membership change that breaks a separation of duty rule. A disabled policy can still track violations, but it does not generate approvals or warn users. Violations from disabled policies are not displayed in audit reports. Using a disabled policy is a good way for a security administrator to track violations that occur before a policy is active in the system.
- Click Submit to save the policy.
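The rule semantics in the procedure above (a role separation list of two or more roles, an allowed number of roles that is at most one fewer than the list size, and the different behaviour of enabled and disabled policies toward violations, approvals and audit reports) can be modelled directly. The following Python is an added illustration written for this page; it is not the product's own code, and the class names, the `check_membership_change` pre-check, and all role, user and business unit names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class PolicyRule:
    """One policy rule: a role separation list plus the number of those roles a user may hold."""
    description: str
    roles: FrozenSet[str]   # the role separation list
    allowed: int            # "Allowed number of roles"

    def validate(self) -> None:
        # The procedure requires two or more roles per rule, and the allowed number can be
        # at most one fewer than the total number of roles in the list.
        if len(self.roles) < 2:
            raise ValueError(f"rule {self.description!r}: at least two roles are required")
        if not 1 <= self.allowed <= len(self.roles) - 1:
            raise ValueError(
                f"rule {self.description!r}: allowed number must be between 1 and {len(self.roles) - 1}"
            )

    def conflicting_roles(self, user_roles: Iterable[str]) -> FrozenSet[str]:
        """Roles from this rule's list that the user holds, if they exceed the allowed number; else empty."""
        held = self.roles & frozenset(user_roles)
        return held if len(held) > self.allowed else frozenset()


@dataclass
class SodPolicy:
    """A separation of duty policy scoped to one business unit (constructed model, not the product's)."""
    name: str
    business_unit: str
    rules: List[PolicyRule]
    enabled: bool = True

    def __post_init__(self) -> None:
        for rule in self.rules:
            rule.validate()

    def violations(self, memberships: Dict[str, Iterable[str]]) -> List[Tuple[str, str, FrozenSet[str]]]:
        """Audit pass over current memberships: (user, rule description, conflicting roles) per broken rule.
        Enabled and disabled policies both track violations; only reporting and approvals differ."""
        found = []
        for user, roles in memberships.items():
            for rule in self.rules:
                conflict = rule.conflicting_roles(roles)
                if conflict:
                    found.append((user, rule.description, conflict))
        return found

    def audit_report(self, memberships: Dict[str, Iterable[str]]) -> List[Tuple[str, str, FrozenSet[str]]]:
        """Violations from a disabled policy are tracked but not displayed in audit reports."""
        return self.violations(memberships) if self.enabled else []

    def check_membership_change(self, current_roles: Iterable[str],
                                requested_roles: Iterable[str]) -> Tuple[str, FrozenSet[str]]:
        """Pre-submit check of a role membership change (assumed helper).
        'warn'  - enabled policy: warn the user and require an exemption approval
        'track' - disabled policy: record the violation, no warning or approval
        'ok'    - the change breaks no rule"""
        new_roles = frozenset(current_roles) | frozenset(requested_roles)
        conflicts = frozenset().union(*(r.conflicting_roles(new_roles) for r in self.rules))
        if not conflicts:
            return "ok", conflicts
        return ("warn" if self.enabled else "track"), conflicts


# Constructed sample data: roles, users and the business unit are invented for this example.
IT_ACCOUNTING_RULE = PolicyRule(
    description="People in the IT department may not be given accounting responsibilities",
    roles=frozenset({"IT Admin", "Accounts Payable", "Accounts Receivable"}),
    allowed=1,  # mutually exclusive: a user may hold only one of the three
)
SAMPLE_MEMBERSHIPS = {
    "alice": {"IT Admin", "Help Desk"},
    "bob": {"IT Admin", "Accounts Payable"},
    "carol": {"Accounts Payable", "Accounts Receivable", "IT Admin"},
}
ENABLED_POLICY = SodPolicy("IT vs Accounting", "Finance BU", [IT_ACCOUNTING_RULE], enabled=True)
DISABLED_POLICY = SodPolicy("IT vs Accounting (draft)", "Finance BU", [IT_ACCOUNTING_RULE], enabled=False)


def rule_is_valid(roles: Iterable[str], allowed: int) -> bool:
    """True if a (roles, allowed) pair would be accepted as a policy rule."""
    try:
        PolicyRule("probe", frozenset(roles), allowed).validate()
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for user, desc, conflict in ENABLED_POLICY.audit_report(SAMPLE_MEMBERSHIPS):
        print(f"{user}: violates '{desc}' via {sorted(conflict)}")
    print(ENABLED_POLICY.check_membership_change({"IT Admin"}, {"Accounts Payable"}))
    print(DISABLED_POLICY.check_membership_change({"IT Admin"}, {"Accounts Payable"}))
```

Running it lists bob and carol as violators of the enabled policy, shows the same change producing a `warn` decision under the enabled policy and a silent `track` under the disabled one, and `rule_is_valid` rejects a single-role list or an allowed count equal to the list size, which is exactly what the Allowed number of roles list in the procedure prevents you from selecting.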
Results
A Success page is displayed, indicating that you successfully submitted a request for a new separation of duty policy.
What to do next
You can view your request, continue working with policies, or click Close.