How to implement a custom SOD

Hello community,

I have to implement a custom Segregation of Duties (SoD) in ISC, but I think it requires many workflows and rules in ISC. The following is our custom logic for the SoD:

SoD Conflict Criteria:

  • Conflict Levels: We have defined three levels of conflict: low, medium, and high.
  • Data Elements: To determine conflicts, we will consider the following entitlements: Authorization, Visibility Level.
  • Entitlement numerosity: on the same account, we can have multiple pairs of Authorization and Visibility Level.
  • Conflict Calculation: To determine and evaluate conflict we have to compare pairs of Authorization and Visibility Level.
    For example, a user has the following entitlements:

(Authorization TransactionApprover, Visibility 10)
(Authorization LogManager, Visibility 15)
(Authorization Reviewer, Visibility 7)
(Authorization PriceReviewer, Visibility 20)

The user then requests the Authorization PriceManager with Visibility 30.
A SOD matrix identifies the following:

(TransactionApprover, 10) in conflict with (PriceManager, 30) as a Medium level conflict.
(LogManager, 15) in conflict with (PriceManager, 30) as a High level conflict.
(Reviewer, 7) no conflict with (PriceManager, 30).
(PriceReviewer, 20) in conflict with (PriceManager, 30) as a Low level conflict.

Conflict Resolution:

  • Low Conflict: A single approval from a static approver group is required.
  • Medium Conflict: Requires approval from a static group followed by approval from a dynamic group (e.g., all identities with Role X or attribute Y).
  • High Conflict: Request is blocked and discarded.

Our Questions:

  1. What is the most effective way to identify potential SoD conflicts based on the specified criteria?
  2. Are there any built-in features or best practices within SailPoint that can assist in this process?
  3. If custom workflows are necessary to implement the desired SoD logic, could you provide guidance on the best approach?
  4. What are the recommended techniques for creating custom workflows to evaluate SoD conflicts and manage approvals according to our requirements?
  5. How can we effectively manage different conflict resolution scenarios?
  6. Can you provide examples of how to implement dynamic approver groups and conditional approvals based on conflict levels?
  7. What is the best way to maintain and update the SoD rules as our organization’s requirements evolve?
  8. In rare cases, a high-conflict pair may be granted to the user by directly provisioning it on the target application. In SailPoint we then aggregate the new entitlements. What happens at this point, SoD-wise?
    8.1. Would an approval start automatically to solve the conflict?
    8.2. Would SailPoint remove the entitlement pair automatically?
  9. We have a matrix (an excel table) with conflicts. How can we upload this to automatically generate SOD policies in ISC?
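The conflict calculation and resolution rules described in the post, as an added worked example that is not code from the post, from SailPoint ISC, or from any SailPoint workflow. It assumes the Excel matrix can be exported as a CSV with one row per conflicting pair (the `MATRIX_CSV` below is a constructed stand-in with an assumed column layout), and it goes beyond the request-time check in the post by also scanning a whole account for conflicts between pairs that are already present, which is the situation question 8 describes after aggregation. The `resolution` labels (`static-approver-group`, `dynamic-approver-group`, `reject`) are assumed names for the three routes the post defines, not ISC objects.

```python
import csv
import io
from dataclasses import dataclass
from itertools import combinations

# Conflict levels from the post, plus "none" for pairs the matrix does not list.
LEVEL_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed CSV stand-in for the Excel conflict matrix mentioned in the post
# (assumed column layout; the real sheet's layout is not given).
MATRIX_CSV = """authorization_a,visibility_a,authorization_b,visibility_b,level
TransactionApprover,10,PriceManager,30,medium
LogManager,15,PriceManager,30,high
PriceReviewer,20,PriceManager,30,low
"""


@dataclass(frozen=True)
class Pair:
    """One (Authorization, Visibility Level) entitlement pair on an account."""
    authorization: str
    visibility: int


def load_matrix(csv_text):
    """Parse the matrix into {frozenset({pair_a, pair_b}): level}.

    A frozenset key makes the lookup symmetric: a rule listed as (A, B)
    also fires when the user holds B and requests A.  Unknown levels and
    duplicate rules that disagree are rejected instead of silently kept.
    """
    matrix = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        a = Pair(row["authorization_a"].strip(), int(row["visibility_a"]))
        b = Pair(row["authorization_b"].strip(), int(row["visibility_b"]))
        level = row["level"].strip().lower()
        if level not in LEVEL_RANK or level == "none":
            raise ValueError(f"unknown conflict level {level!r} for {a}/{b}")
        key = frozenset((a, b))
        if matrix.get(key, level) != level:
            raise ValueError(f"conflicting levels for {a}/{b}")
        matrix[key] = level
    return matrix


def conflict_level(matrix, pair_a, pair_b):
    """Level for one pair comparison; 'none' when the matrix has no rule."""
    return matrix.get(frozenset((pair_a, pair_b)), "none")


def evaluate_request(matrix, held, requested):
    """Preventive check at request time.

    Compares the requested pair against every pair already on the account
    and returns (overall_level, [(held_pair, level), ...]).  The overall
    level is the highest individual hit, so one high conflict blocks the
    request even when the other comparisons are low or clean.
    """
    conflicts = []
    for pair in held:
        level = conflict_level(matrix, pair, requested)
        if level != "none":
            conflicts.append((pair, level))
    overall = max((lvl for _, lvl in conflicts), key=LEVEL_RANK.get, default="none")
    return overall, conflicts


def evaluate_account(matrix, held):
    """Detective check over an account's full entitlement set.

    For the aggregation case: a conflicting pair may already have been
    provisioned directly on the target, so every pair is compared with
    every other pair rather than only against a new request.
    """
    found = []
    for pair_a, pair_b in combinations(held, 2):
        level = conflict_level(matrix, pair_a, pair_b)
        if level != "none":
            found.append((pair_a, pair_b, level))
    return found


def resolution(level):
    """Approval route the post assigns to each level (assumed route names)."""
    return {
        "none": ["auto-approve"],
        "low": ["static-approver-group"],
        "medium": ["static-approver-group", "dynamic-approver-group"],
        "high": ["reject"],
    }[level]


if __name__ == "__main__":
    matrix = load_matrix(MATRIX_CSV)
    held = [Pair("TransactionApprover", 10), Pair("LogManager", 15),
            Pair("Reviewer", 7), Pair("PriceReviewer", 20)]
    overall, hits = evaluate_request(matrix, held, Pair("PriceManager", 30))
    for pair, level in hits:
        print(f"{pair} vs (PriceManager, 30): {level}")
    print("overall:", overall, "->", resolution(overall))
```

Run against the post's example the request-time check reports the medium, high and low hits and an overall level of high, so the request is rejected; the account-level scan reports the same three pairs once the PriceManager pair has been aggregated. Because the matrix is keyed symmetrically, holding (PriceManager, 30) and requesting (LogManager, 15) produces the same high conflict as the reverse order, which is worth checking whenever the spreadsheet lists each pair only once.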
