Segregation of Duties (SoD)

Segregation-of-Duties policies prevent toxic combinations of access — for example, the same person being able to both create a vendor and approve payments to it.

Admin console: /admin/sod

Concepts

• SoD policy — a named rule pairing two sets of access (a left item and a right item) that must not be held simultaneously.
• Enforcement mode:
  • DETECT — flag the violation and record it, but allow the grant.
  • PREVENT — block the grant outright at request time.
• Conflict — a concrete instance where an identity holds (or is requesting) both sides of a policy.

How it works

When access is requested or granted, the SoD engine evaluates every active policy against the identity's effective access. A PREVENT policy that would be violated raises an SoDViolation, which the API surfaces as HTTP 409 Conflict with the conflicting-policy detail — so the calling surface shows a clean block instead of a generic error.

DETECT policies record the conflict for the next access review without stopping the grant.

Typical setup

1. Go to /admin/sod → New SoD policy.
2. Define the left and right access items (roles, entitlements, or access packages).
3. Choose DETECT or PREVENT.
4. Save. The policy is evaluated immediately on subsequent requests and during certifications.

Related

• Access Reviews — SoD conflicts surface during certification.
• Approval Chains — combine SoD with human approval for sensitive grants.