# Segregation of duties **Segregation of Duties** (SoD) is a security and compliance control that prevents any single user from holding a combination of access rights that could enable fraud, error, or abuse of privilege. In OpenIAM, SoD policies define which entitlements (roles, groups, resources, or organizations) are considered conflicting, detect users who violate those policies, and provide tooling to remediate or formally exempt violations. The SoD feature is typically used for: * Preventing a user from holding **both** "Create Payment" and "Approve Payment" roles **simultaneously**. * Flagging users who belong to **conflicting business units**. * Ensuring compliance with **SOX**, **SOC 2**, **ISO 27001**, or **internal audit** requirements. *** ## Core concepts ### SoD policy A **SoD Policy** is the top-level object defining a conflict with the following key attributes:

Field	Type	Description
`name`	String	Human-readable policy name
`description`	String (max 1024 characters)	Explanation of the conflict
`active`	Boolean	Whether the policy is enforced
`severity`	`SOFT` / `HARD`	Impact level of a violation (see Severity levels)
`policyThreshold`	Integer	Minimum number of violated segments before a policy-level violation is triggered
`exceptionsAllowed`	Boolean	Whether exemptions may be granted for this policy
`managerCanHandleSpv`	Boolean	Whether the user's manager may handle violations
`managerGroupId`	String	ID of the group responsible for managing violations
`riskId` / `riskName`	String	Risk classification category
`segments`	`Set<SodPolicySegment>`	One or more conflict segments (see policy segments)
`mitigatingControls`	`Set<SodMitigatingControl>`	Controls that mitigate the policy risk (see mitigating controls)

### Policy segments A **segment** defines the specific set of conflicting entitlements within a policy. A policy can have multiple segments. The `policyThreshold` controls how many segments must be violated before the policy is considered violated overall, whereas `threshold` controls the minimum number of entitlements from that segment a user must hold to contribute to a violation. Each segment contains:

Field	Description
`name` / `description`	Segment identification
`active`	Whether this segment is actively evaluated
`threshold`	Minimum conflicting entitlements within the segment to trigger violation
`managerGroupId`	Segment-level manager group (overrides policy-level if set)
`roles`	Roles that are in conflict within this segment
`groups`	Groups that are in conflict within this segment
`resources`	Resources that are in conflict within this segment
`organizations`	Organizations that are in conflict within this segment

**For example**: A segment named "Payment Controls" might contain both the "Payment Creator" role and the "Payment Approver" role. Any user holding both would trigger a violation of this segment. ### Typical two-segment policy ``` Policy: "Create + Approve PO" Threshold: 2 segments │ ├── Segment A: "Create PO" Threshold: 1 entitlement │ ├── Role: PO_CREATOR │ └── Resource: create-purchase-order │ └── Segment B: "Approve PO" Threshold: 1 entitlement ├── Role: PO_APPROVER └── Resource: approve-purchase-order A user holding PO_CREATOR AND PO_APPROVER breaches both segments → violation. A user holding only PO_CREATOR does not violate (only 1 of 2 segments breached). ``` ### Mitigating controls A **mitigating control** is a compensating measure that reduces the risk of an SoD violation without removing the conflicting access. Mitigating controls are documented in the system for audit purposes and linked to policies.

Field	Description
`name` / `description`	Control identification
`active`	Whether the control is active
`ownerType` / `ownerId`	User or group that owns the control
`managerType` / `managerId`	User or group that manages the control
`reviewFrequency`	`MONTHLY`, `QUARTERLY`, `SEMI_ANNUALLY`, or `ANNUALLY`
`effectiveDate` / `expirationDate`	Validity period of the control

## Data model summary ``` SodPolicy (SOD_POLICY) ├── segments: SodPolicySegment (SOD_POLICY_SEGMENT) [1..N] │ ├── roles → SOD_SEGMENT_ROLE → RoleEntity │ ├── groups → SOD_SEGMENT_GRP → GroupEntity │ ├── resources → SOD_SEGMENT_RES → ResourceEntity │ └── organizations → SOD_SEGMENT_ORG → OrganizationEntity └── mitigatingControls → SOD_POLICY_MC → SodMitigatingControl (SOD_MITIGATING_CONTROL) SodExemption └── references: user, sodPolicy, entitlementType, entitlementId ``` Boolean flags (`active`, `exceptionsAllowed`, `managerCanHandleSpv`) are stored as `Y`/`N` in the database via `YesNoConverter`. ## Caching architecture All SoD policies are cached in **Redis** (`SodPolicyCacheList`) for fast access during entitlement evaluations. The cache is refreshed automatically whenever a policy is created or updated. Cache refresh is propagated via **RabbitMQ** (`SodPolicyMQListener`) to all service nodes. ## Enumerations reference

Enum	Values
`SodSeverity`	`SOFT`, `HARD`
`SodViolationMode`	`DIRECT`, `INDIRECT`
`SodMitigatingControlAssigneeType`	`USER`, `GROUP`
`SodMitigatingControlReviewFrequency`	`ANNUALLY`, `SEMI_ANNUALLY`, `QUARTERLY`, `MONTHLY`
`UserEntitlementType`	`ROLE`, `GROUP`, `RESOURCE`, `ORGANIZATION`

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs-beta.openiam.com/segregation-of-duties.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.