Get credentials for the system administrator.

27 Using Segregation of Duties (SoD)

The concept of Segregation of Duties (SoD) is aimed at applying checks and balances on business processes. Each stage of a business process may require the involvement of more than one individual. An organization can convert this possibility into a requirement for all IT-enabled business processes by implementing SoD as part of its user provisioning solution. The overall benefit of SoD is the mitigation of risk arising from intentional or accidental misuse of an organization's resources.

This chapter contains the following sections:

■ Understanding the SoD Validation Process
■ Introducing the SoD Invocation Library
■ Installing the SoD-enabled Connectors
■ Deploying the SIL and SIL Providers
■ Configuring the SoD Engine
■ Enabling and Disabling SoD
■ Enabling SSL Communication
■ Configuring Workflows on Non SoD-enabled Connectors
■ Marking Fields as Entitlements
■ Custom Combination of Target Systems and SoD Engines
■ Performing Role SoD Check with Oracle Identity Analytics
■ Using SoD in Provisioning Workflow
■ Enabling Logging for SoD-Related Events
■ Troubleshooting SoD Check

27.1 Understanding the SoD Validation Process

Oracle Identity Manager is a user provisioning solution with which entitlement requests can also be validated and managed. In the Oracle Identity Manager implementation of SoD, user requests for IT privileges (entitlements) are checked and approved by an SoD engine and other users. Multiple levels of system and human checks ensure that even changes to the original request are vetted before the request is cleared. This preventive approach helps identify and correct potentially conflicting entitlement assignments before the requested entitlements are assigned.

The SoD validation process in Oracle Identity Manager occurs when a user creates a request for an entitlement on a particular target system. The request is funneled through a resource approval workflow and, if it passes that initial workflow, a resource provisioning workflow.

Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

■ The resource approval workflow is configured to validate requests in real time using an SoD engine. The SoD engine has predefined rules that are used to determine if the entitlement assignment would lead to SoD violations. The determination, once made, is returned to Oracle Identity Manager.
■ The resource provisioning workflow provisions an entitlement request that has passed the resource approval workflow on the target system. If the user's request passes SoD validation and an approver approves the request, the resource provisioning workflow is initiated. If the request fails SoD validation, the resource approval workflow can be configured to take remediation steps.

Oracle Identity Manager communicates with both the SoD engine and the target system. In addition, the target system and SoD engine communicate with each other to enable the synchronization of entitlement data. Figure 27–1 shows the flow of data during the SoD validation process.

Figure 27–1 SoD Validation Process in Oracle Identity Manager

27.2 Introducing the SoD Invocation Library

The SoD Invocation Library (SIL) forms the basis of the SoD implementation in Oracle Identity Manager. The SIL is a collection of Java-based adapters that enable integration with predefined Oracle Identity Manager connectors. The connectors, in turn, link Oracle Identity Manager with the target systems.

The following Oracle Identity Manager connectors are preconfigured with adapters for SoD validation:

■ Oracle e-Business User Management release 9.1.0 and later
■ SAP CUA release 9.1.0 and later

Note: The resource provisioning workflow can be configured to perform the SoD validation again, immediately before the entitlement assignment is provisioned to the target system, to ensure SoD compliance.
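The two-stage flow described in Section 27.1 (real-time SoD check in the approval workflow, then provisioning) and the re-validation described in the Note above, modelled as an added Python example that is not part of this guide or of Oracle Identity Manager; the SoD engine, its conflict rules, the entitlement names and the user are all constructed for illustration:

```python
from dataclasses import dataclass, field

# Constructed SoD rules: pairs of entitlements that must never be held by one
# user (illustrative names, not from any real SoD engine or connector).
CONFLICT_RULES = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"}),
}

def sod_check(existing, requested):
    """Stand-in for the SoD engine: return the rules the request would violate."""
    held = set(existing) | {requested}
    return sorted(tuple(sorted(rule)) for rule in CONFLICT_RULES
                  if requested in rule and rule <= held)

@dataclass
class Request:
    user: str
    entitlement: str
    state: str = "SUBMITTED"
    violations: list = field(default_factory=list)

def approval_workflow(req, entitlements, approver_approves):
    """Resource approval workflow: SoD check first, then the human approver."""
    req.violations = sod_check(entitlements[req.user], req.entitlement)
    if req.violations:
        req.state = "SOD_VIOLATION"  # remediation steps would be configured here
        return req
    req.state = "APPROVED" if approver_approves else "REJECTED"
    return req

def provisioning_workflow(req, entitlements, recheck=True):
    """Resource provisioning workflow, optionally re-running the SoD check."""
    if req.state != "APPROVED":
        return req
    if recheck:  # catches entitlements the user gained since approval
        req.violations = sod_check(entitlements[req.user], req.entitlement)
        if req.violations:
            req.state = "SOD_VIOLATION"
            return req
    entitlements[req.user].add(req.entitlement)
    req.state = "PROVISIONED"
    return req

def demo():
    ents = {"jdoe": {"AP_CREATE_VENDOR"}}  # constructed: jdoe can create vendors
    r1 = approval_workflow(Request("jdoe", "AP_APPROVE_PAYMENT"), ents, True)
    r2 = approval_workflow(Request("jdoe", "GL_POST_JOURNAL"), ents, True)
    r3 = approval_workflow(Request("jdoe", "GL_POST_JOURNAL"), ents, True)
    ents["jdoe"].add("GL_APPROVE_JOURNAL")  # granted after approval, before provisioning
    provisioning_workflow(r2, ents, recheck=True)
    provisioning_workflow(r3, ents, recheck=False)
    return r1.state, r2.state, r3.state  # → ('SOD_VIOLATION', 'SOD_VIOLATION', 'PROVISIONED')
```

The third request shows why the re-check matters: without it, an entitlement that was clean at approval time is provisioned even though the user's holdings changed in the meantime.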