(1)Hitachi ID Identity Manager includes what is probably the most advanced segregation of duties (SoD) engine available. The Identity Manager SoD engine supports:
This is a very general model. It supports rules such as "No user shall belong to more than 2 of these 30 groups."
This is a practical model. It allows organizations to knowingly violate rules where there is a strong business reason to do so and where suitable compensating controls are in place.
SoD should be proactive rather than after-the-fact, wherever possible. This is supported by Identity Manager.
SoD reporting is the defense of last resort.
To the best of Hitachi ID Systems' knowledge, no other SoD engine will detect SoD violations where the SoD rule is defined in terms of one level of the role hierarchy but the violation takes place at another level. This means that other SoD engines in reality only give organizations a false sense of security!