Option Pack › Segregation Of Duties (SOD) › Create an SOD Rule

Create an SOD Rule

To use the SOD feature in the Option Pack, define SOD rules.

To create an SOD rule

1. Under Option Pack, Segregation of Duties, Manage Segregation of Duties, click Define New Sod.
2. Enter the title and description.
3. Select one of the following actions:
   • Accept

     Writes the SOD event to the SOD audit tables, and continues to possible workflow approvals

   • Reject

     Denies the SOD conflict and writes the event to SOD audit tables, and continues processing the task

   • Workflow

     Sends the SOD event to a designated approver. If approved, it continues on to regular approval processes. If rejected, no further workflow processes are triggered.

   • RejectAll

     Denies the SOD conflict and writes the event to SOD audit tables, and stops the task

     The difference between RejectAll and Reject is as follows: SOD works at the attribute level, meaning that it identifies a potential violation between two different attributes. However, an access entitlement request may include four different Active Directory groups and three RACF roles. It may be that only one RACF role generates a violation. If Reject is selected, only the RACF role generating the violation is rejected and the other four Active Directory groups and two RACF roles continue on to the normal approval process. If RejectAll is selected then all the requests, including all four Active Directory groups and the three RACF roles, are rejected and the task is stopped.

4. Add at least two SOD items by defining conflicting entitlement values.

   An SOD item is defined by its endpoint (such as Active Directory or HR_endpoint), the entitlement name, and value.

5. Click Save.