
Resolving security rule violations

When requesting resources, your request might violate a Separation of Duties (SoD) rule, which is a security rule designed to ensure that users do not have too much access to certain restricted entitlements. An error is displayed when a request violates an SoD rule.

You must resolve the violation by either:

  • Requesting an exception to the rule, or

  • Removing entitlements from the request

If an exception is approved, the SoD rule will be ignored, and the requested entitlements will be assigned to you.

If an outstanding request conflicts with a new request, you will not be able to submit the request. The outstanding request needs to be completed, canceled or denied before an exception to the SoD rule can be requested.

If a user already had the conflicting entitlements before the SoD rule was created, the violations can be resolved via a user’s Profile information and entitlements page. The standard built-in request is Default resolution for segregation of duties rules, which navigates to an SoD wizard page where all pre-existing SoD violations are listed.

default-sod-wizard-link

The link may be available from other users’ profile pages depending on access controls for the built-in PDR _RESOLVE_SOD_VIOLATIONS_.

When a request causes new SoD violations, the SoD wizard page is presented before the request is submitted. All unresolved SoD violations, including pre-existing ones, are listed on that page.

Group membership change causing rule violation

The following procedure describes how to request an exception to a rule where a request for group memberships would cause the recipient to be in violation.

If exceptions are allowed, Bravura Security Fabric adds a wizard page to Resolve violations.

sod-wizard
  1. Click the request exception icon to submit a request to allow the user to keep the conflicting entitlements.

    sod-wizard-exception
  2. Type a reason for the exception and modify the expiry date if necessary, then click Apply.

    Alternatively, click the revoke icon to remove one of the conflicting entitlements.

    sod-wizard-revoke
  3. Click Submit.

    Relevant authorizers are notified to review the request if necessary. See Tracking and Updating Requests to learn how to track your request.

    When you remove a resource from a user’s profile, it is permanently deleted.

Indirect group membership change causing rule violation

Some target systems support the concept of a nested group. A nested group is a group that is a member of another group. For example, in Active Directory you can add a group as a member of another group. The nested group then inherits the rights of the parent group.

Bravura Security Fabric also calls these groups parent groups and child groups. If an account is a member of a child group, it has what is called indirect membership in the parent group.

When requesting resources that have nested groups, your request might violate an SoD rule applied to a nested resource.

The procedure for requesting an exception to a rule is the same for indirect groups, except that Indirect membership details are displayed on the Bravura Security Fabric wizard page.

sod-wizard-indirect-membership
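The following Python example is added here for illustration and is not part of Bravura Security Fabric or this documentation. It models the two situations described above: a request that creates a direct violation, and one that creates an indirect violation because a requested child group inherits a conflicting parent group through nesting, with an approved exception suppressing the rule as described earlier. The group names, rule identifier and nesting map are constructed for the example.

```python
from collections import deque

# Constructed nesting map (hypothetical names): parent group -> child groups
# that are members of it. A member of a child group inherits the parent's rights.
NESTED_GROUPS = {
    "Finance-Approvers": {"AP-Leads"},
    "AP-Leads": {"AP-Clerks"},
}

# Constructed SoD rules (hypothetical identifier): two entitlements that a
# single user must not hold at the same time.
SOD_RULES = {
    "SOD-001": ("Finance-Approvers", "Payment-Submitters"),
}


def effective_groups(direct_groups):
    """Expand direct memberships with every parent group reached via nesting."""
    child_to_parents = {}
    for parent, children in NESTED_GROUPS.items():
        for child in children:
            child_to_parents.setdefault(child, set()).add(parent)
    held, queue = set(direct_groups), deque(direct_groups)
    while queue:  # breadth-first walk up the nesting chain
        for parent in child_to_parents.get(queue.popleft(), ()):
            if parent not in held:
                held.add(parent)
                queue.append(parent)
    return held


def find_violations(direct_groups, requested_groups, approved_exceptions=()):
    """Return [(rule_id, 'direct' | 'indirect')] for rules the user would
    violate once the request is applied; rules with an approved exception
    are skipped, matching the behaviour described in the text."""
    direct = set(direct_groups) | set(requested_groups)
    held = effective_groups(direct)
    violations = []
    for rule_id, (a, b) in sorted(SOD_RULES.items()):
        if rule_id in approved_exceptions or not (a in held and b in held):
            continue
        # Indirect: at least one conflicting entitlement is held only via nesting.
        kind = "direct" if a in direct and b in direct else "indirect"
        violations.append((rule_id, kind))
    return violations
```

Running `find_violations({"Payment-Submitters"}, {"AP-Clerks"})` reports an indirect violation, because AP-Clerks is nested under Finance-Approvers; the same call with `approved_exceptions={"SOD-001"}` reports nothing.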