Preventative Separation of Duties

I am unclear with Preventative SOD. Does this only work for requests via the UI or does it work for API as well?

On the page Handling Policy Violations - SailPoint Identity Services it says

If a user requests access that would put the recipient in violation of an SoD policy, that request will display a warning icon in their Requests tab once it has been submitted. They can review the policies they would be violating and cancel the request if needed.

I want a solution that is automatic, in that if a request is submitted (via API) it is rejected/cancelled automatically due to SOD violation.

I do not want to handle this reactively, through certification or any type of review process

Any ideas?

Thank you.

@jrossicare One option is to disable the policy; then it will not be preventative. I don’t think there is any option available using certification.

Thanks.

Hi @jrossicare,

The OOB preventive SOD feature works in such a way that after the request is submitted through the Request Center or the API, it displays a warning sign to the requester and the approver. The request will need to be manually cancelled or rejected by the approver; otherwise, the access provisioning will go through and the violation will need to be handled through a violation report.

If you are making an API call from an external system, consider using the API to catch the violation before submitting it.

Otherwise, you may need to make use of a workflow with a Provisioning Completed trigger to identify a provisioning event, compare it with the violating items, and deprovision the violating access.

2 Likes

Hi

I’ve used predict SOD violations (beta). I think check-violations (v3) works as well. In either case you need to drill down from the requestable item to get down to the entitlement. The predict SOD violations works really well but now says “deprecated”… shame. :slight_smile: The other tip I have is that, as I have built a couple of external request solutions to allow other service desk solutions now, I always use an intermediate API… saves upsetting the service desk solution when these API deprecations come :-).

Cheers
Julian

1 Like
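The approach the two replies above describe (an intermediate API that drills the requestable item down to entitlements, asks the tenant to predict SoD violations for the recipient, and only submits the access request when none are predicted) looks roughly like the following. This is an added example, not SailPoint's code or code posted in this thread. The endpoint paths and payload shapes (`/v3/roles/{id}`, `/v3/access-profiles/{id}/entitlements`, `/beta/sod-violations/predict`, `/v3/access-requests`) are assumptions taken from the public API documentation and should be checked against your tenant, since the prediction endpoint is marked deprecated; the `FakeIdnClient` is a constructed offline stand-in so the block runs without a tenant.

```python
"""Pre-submission SoD gate for an intermediate access-request API.

Added example, not SailPoint's own code. Endpoint paths and payload shapes
are assumptions based on the published v3/beta API docs; verify them.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Protocol


class IdnClient(Protocol):
    """Minimal HTTP surface; a real client wraps requests/httpx plus a bearer token."""
    def get(self, path: str): ...
    def post(self, path: str, body: dict) -> dict: ...


def expand_to_entitlements(client: IdnClient, item_type: str, item_id: str) -> list[str]:
    """Drill down from a requestable item to the entitlement IDs it would grant.

    SoD policies are evaluated on entitlements, so the prediction call needs this
    flattened list rather than the role or access profile ID.
    """
    if item_type == "ENTITLEMENT":
        return [item_id]
    if item_type == "ACCESS_PROFILE":
        # Assumed endpoint: GET /v3/access-profiles/{id}/entitlements
        return [e["id"] for e in client.get(f"/v3/access-profiles/{item_id}/entitlements")]
    if item_type == "ROLE":
        # Assumed endpoint: GET /v3/roles/{id}; body lists the role's accessProfiles
        role = client.get(f"/v3/roles/{item_id}")
        ents: list[str] = []
        for ap in role.get("accessProfiles", []):
            ents.extend(expand_to_entitlements(client, "ACCESS_PROFILE", ap["id"]))
        return sorted(set(ents))
    raise ValueError(f"unsupported requestable item type: {item_type}")


def predict_violations(client: IdnClient, identity_id: str, entitlement_ids: list[str]) -> list[dict]:
    """Return the SoD violation contexts the identity would be in after the grant.

    Assumed endpoint: POST /beta/sod-violations/predict with
    {"identityId", "accessRefs": [{"type": "ENTITLEMENT", "id": ...}]}.
    """
    body = {
        "identityId": identity_id,
        "accessRefs": [{"type": "ENTITLEMENT", "id": eid} for eid in entitlement_ids],
    }
    return client.post("/beta/sod-violations/predict", body).get("violationContexts", [])


@dataclass
class GateResult:
    submitted: bool
    request_id: str | None = None
    violated_policies: list[str] = field(default_factory=list)


def gate_and_submit(client: IdnClient, identity_id: str, item_type: str, item_id: str) -> GateResult:
    """Reject outright when a violation is predicted; otherwise submit the request.

    Nothing reaches the approver or provisioning if the recipient would end up
    in violation, which is the automatic behaviour the question asks for.
    """
    ent_ids = expand_to_entitlements(client, item_type, item_id)
    contexts = predict_violations(client, identity_id, ent_ids)
    if contexts:
        names = sorted({c["policy"]["name"] for c in contexts})
        return GateResult(submitted=False, violated_policies=names)
    # Assumed endpoint: POST /v3/access-requests
    resp = client.post("/v3/access-requests", {
        "requestedFor": [identity_id],
        "requestType": "GRANT_ACCESS",
        "requestedItems": [{"type": item_type, "id": item_id}],
    })
    return GateResult(submitted=True, request_id=resp.get("id"))


class FakeIdnClient:
    """Constructed offline stand-in for a tenant with one toy SoD policy:
    ent-ap (approve payments) conflicts with ent-cv (create vendors).
    alice already holds ent-cv; role role-fin grants ent-ap via ap-fin."""
    def __init__(self) -> None:
        self.holdings = {"alice": {"ent-cv"}, "bob": set()}
        self.conflicts = {frozenset({"ent-ap", "ent-cv"}): "Vendor create vs. pay"}
        self.submitted: list[dict] = []

    def get(self, path):
        if path == "/v3/roles/role-fin":
            return {"id": "role-fin", "accessProfiles": [{"id": "ap-fin"}]}
        if path == "/v3/access-profiles/ap-fin/entitlements":
            return [{"id": "ent-ap"}]
        raise KeyError(path)

    def post(self, path, body):
        if path == "/beta/sod-violations/predict":
            after = self.holdings[body["identityId"]] | {r["id"] for r in body["accessRefs"]}
            hits = [{"policy": {"name": n}} for pair, n in self.conflicts.items() if pair <= after]
            return {"violationContexts": hits}
        if path == "/v3/access-requests":
            self.submitted.append(body)
            return {"id": f"req-{len(self.submitted)}"}
        raise KeyError(path)
```

Putting the check behind your own API, as Julian suggests, also means the service desk integration keeps calling `gate_and_submit` unchanged when the prediction endpoint is eventually replaced; only `predict_violations` needs to move to whichever endpoint supersedes it.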