
Segregation of Duties Policy Enforcement - Hitachi ID Identity Manager

Hitachi ID Identity Manager includes the most advanced segregation of duties (SoD) engine available. It actually works, whereas the SoD engines in competing products can be bypassed where both SoD rules and roles are deployed.

The Identity Manager SoD engine supports:

  • Policy definition:
    • An SoD rule is defined as a toxic set of entitlements.
    • Entitlements that participate in the SoD rule may themselves be roles, login IDs on specified target systems or membership in specific security groups.
    • Users who hold at least N of the M entitlements in the set are considered to be in violation.

    This is a very general model. It supports rules such as "No user shall belong to more than 2 of these 30 groups."

  • Approved exceptions:
    • Users may be allowed to violate SoD rules, so long as an authorized person has approved the violation.
    • Access certification is used to periodically renew approved SoD exceptions.

    This is a practical model. It allows organizations to knowingly violate rules where there is a strong business reason to do so and where suitable compensating controls are in place.

  • Proactive enforcement:
    • Identity Manager's SoD engine is an integral part of the workflow engine.
    • All change requests that pass through the Identity Manager workflow engine must either:
      1. Satisfy all SoD rules (i.e., violate none); or
      2. Include a request for an approved exception to every violated rule.
    • Requesters -- via the Identity Manager UI, API or automation engine -- simply cannot ask for violations without also asking for an approved exception.

    SoD should be proactive rather than after-the-fact, wherever possible. This is supported by Identity Manager.

  • Reporting on out-of-band and pre-existing violations:
    • There are several ways in which a user can come to violate a rule without passing through the Identity Manager proactive SoD enforcement engine:
      • Pre-existing conditions, where a user violated the SoD rule before Identity Manager was implemented.
      • Pre-existing conditions, where a user violated the SoD rule before the rule was added to Identity Manager.
      • Out of band changes, made by administrators outside of Identity Manager.
    • In these cases, there is no general way for Identity Manager to know which of the offending entitlements is inappropriate, so it cannot automatically remediate the violating users.
    • Instead, Identity Manager includes reports to identify violating users and help security staff make appropriate remediating changes.

    SoD reporting is the defense of last resort.

  • Deep inspection:
    • Consider an SoD rule: "no user may have roles R1 and R2."
    • Now assume that role R1 contains entitlements E1 and E2, while role R2 contains E3, E4.
    • Next, consider a user who already has E1, E2 and E3, but has never been explicitly assigned R1. This user effectively has R1. If this user requests E4 or R2, the request should be flagged as an SoD violation.
    • The Identity Manager SoD engine, perhaps uniquely in the marketplace, will detect such violations. In general, it supports enforcement where SoD rules may cover any combination of individual entitlements and nested roles.

    To the best of Hitachi ID Systems' knowledge, no other SoD engine will detect SoD violations where the SoD rule is defined in terms of one level of the role hierarchy but the violation takes place at another level. This means that other SoD engines in reality only give organizations a false sense of security!
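The rule model, the proactive request check and the deep-inspection case above can be shown in a few dozen lines. The following is an added example and is not Hitachi ID Identity Manager code; the role catalogue (R1, R2 and a nested R3), the entitlement and group names, the rule names and the function signatures are assumptions made for illustration. It implements the "at least N of M" toxic-set rule, flattens nested roles to leaf entitlements, treats a role as held whenever all of its leaf entitlements are held (so a user with E1, E2 and E3 who requests E4 or R2 is caught), refuses a change request unless every rule it would violate is covered by an approved or requested exception, and produces the after-the-fact report for pre-existing or out-of-band violations:

```python
# Added example (not Hitachi ID Identity Manager code): a minimal SoD engine
# showing the "N of M toxic set" rule model, proactive request checking, and
# deep inspection through nested roles. Role names, entitlement names, rule
# names and the function signatures below are assumptions for illustration.
from dataclasses import dataclass

# Constructed role catalogue: a role's members may be entitlements or other roles.
ROLES = {
    "R1": {"E1", "E2"},
    "R2": {"E3", "E4"},
    "R3": {"R1", "E5"},     # nested: R3 includes everything in R1
}


@dataclass(frozen=True)
class SodRule:
    name: str
    members: frozenset     # the toxic set: entitlements, roles, or a mix
    threshold: int         # N: holding at least N of the M members is a violation


# Constructed rules: the page's "R1 and R2" rule and its "no more than 2 of 30 groups" rule.
RULES = [
    SodRule("no-R1-with-R2", frozenset({"R1", "R2"}), 2),
    SodRule("max-2-of-30-groups", frozenset(f"G{i}" for i in range(1, 31)), 3),
]


def expand(items, roles=ROLES):
    """Flatten entitlements and (possibly nested) roles to the set of leaf entitlements."""
    leaves, todo, seen = set(), list(items), set()
    while todo:
        item = todo.pop()
        if item in roles:
            if item not in seen:          # guards against role cycles
                seen.add(item)
                todo.extend(roles[item])
        else:
            leaves.add(item)
    return leaves


def effective_roles(leaves, roles=ROLES):
    """Roles the user holds in effect: every leaf entitlement of the role is present,
    whether or not the role itself was ever assigned (the deep-inspection case)."""
    return {r for r, members in roles.items()
            if members and expand(members, roles) <= leaves}


def holdings(assigned, roles=ROLES):
    """Everything a rule may match against: leaf entitlements plus effectively held roles."""
    leaves = expand(assigned, roles)
    return leaves | effective_roles(leaves, roles)


def violations(assigned, rules=RULES, roles=ROLES):
    """Names of rules for which the user holds at least `threshold` members of the toxic set."""
    held = holdings(assigned, roles)
    return {rule.name for rule in rules if len(rule.members & held) >= rule.threshold}


def check_request(current, requested, rules=RULES, exceptions_requested=(), approved=(), roles=ROLES):
    """Proactive enforcement: the request is accepted only if every rule the resulting
    access would violate is covered by an existing approved exception or by an
    exception request bundled into this change request."""
    would_violate = violations(set(current) | set(requested), rules, roles)
    uncovered = would_violate - set(approved) - set(exceptions_requested)
    return not uncovered, would_violate, uncovered


def report(users, rules=RULES, approved=None, roles=ROLES):
    """After-the-fact report over already-provisioned access (pre-existing or out-of-band):
    the engine cannot say which entitlement is the wrong one, so it lists violators and
    the rules they break for a person to remediate or approve."""
    approved = approved or {}
    out = {}
    for user, assigned in users.items():
        broken = violations(assigned, rules, roles) - set(approved.get(user, ()))
        if broken:
            out[user] = broken
    return out


if __name__ == "__main__":
    # Constructed users. "alice" is the deep-inspection case: E1, E2, E3 but R1 never assigned.
    users = {
        "alice": {"E1", "E2", "E3"},
        "bob": {"G1", "G2", "G9"},          # three of the thirty groups: violation
        "carol": {"R1", "R2"},              # pre-existing violation with an approved exception
    }
    print(report(users, approved={"carol": {"no-R1-with-R2"}}))
    print(check_request(users["alice"], {"E4"}))
    print(check_request(users["alice"], {"R2"}, exceptions_requested={"no-R1-with-R2"}))
```

The key design choice is that rules are evaluated against `holdings()`, which contains both leaf entitlements and every role whose leaves are all present, so a rule written at the role level still fires when the violation is assembled from individual entitlements, and a rule written at the entitlement level still fires when the entitlements arrive through an assigned or nested role. Note the asymmetry the page describes: `check_request()` can refuse a change before it happens, but `report()` can only list the violator and the rule, because nothing in the data says which of the conflicting entitlements is the wrong one.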

Watch a Movie

Review violations to segregation of duties (SoD) policies

  • Review a list of users who violate an SoD policy.
  • For each violation, either remove one of the offending security entitlements or create an approved exception.

Key concepts:

  • SoD rules may be expressed in terms of individual entitlements (accounts, group memberships), roles or both.
  • SoD violations must be corrected manually, since the system cannot predict which of several conflicting entitlements should be removed and which are appropriate to the user's needs and should be kept.
  • SoD violations can also be approved, which means that there is a business reason to violate the policy.

Read More:

  • Secure User Administration:
    Changing business processes and infrastructure to secure user administration.
  • Locking Down Identity Manager:
    Protecting the Identity Manager server, its data and its communications against attack.
  • Finding and Deactivating Orphan Accounts:
    Using Identity Manager to find and deactivate dormant and orphan login accounts.
  • User Access Deactivation:
    Prompt and reliable user access termination are essential to internal controls over enterprise IT infrastructure.
  • Access Change Authorization:
    Use Identity Manager to enforce robust processes to authorize changes to user access rights.
  • Enforcing Security Standards:
    Standards are an important way to ensure that users get just the entitlements they need, and no more. Naming standards are also important, as they help in the implementation of accountability measures, such as connecting security events on different systems back to individual users.
  • Global Access Reporting:
    One of the key requirements for secure identity management and access governance is the ability to find out who has access to what systems of data. This capability must span systems and platforms -- hence global access reporting.
  • Segregation of Duties Policy Enforcement:
    Detecting users whose already-assigned security entitlements violate policy and preventing users from acquiring new entitlements that would violate segregation of duties rules.
  • Entitlement and Request History:
    Hitachi ID Identity and Access Management Suite retains a history of all change requests – including requester, recipient, authorizers, times and dates, operations, attributes, entitlements and either connector results or implementer feedback.