SoD Overview
Advanced Segregation of Duties (SoD) gives you complete separation of duties and access controls. Use Advanced SoD to log violations and block access to critical permissions in your system.
What Advanced SoD provides
Advanced SoD provides:
- Complete documentation of Role/Permission assignments.
- Customizable rules, where you can either use the default rules or set up your own.
- Easy role additions or modifications, where Platform Governance for NetSuite alerts you if you break a SoD rule.
- Blocking controls that can block critical role assignments such as the “Administrator” role, making it only possible to assign such roles if there is a pre-approved change request.
- Warning messages and email alerts to let you know when you are in an undesired zone.
- Custom reports for documentation, retroactive approvals and continuous access reviews, ultimately preserving audit trails.
- The power of Agent to fill gaps, monitor, and document activities of “super users” and those with positional authority.
Benefits of Advanced SoD
Advanced SoD lets you create flexible, easy-to-maintain rules.
You can create rules that:
- Are specific to permissions
- Use patterns or roles
- Warn of risks
- Work across multiple roles
- Flag violations for clearance
- Pre-clear violations
- Allow for pre-approvals of exemptions
- Have a blocking option to prevent assignment of critical roles or permissions without authorization
How Advanced SoD works
Advanced SoD works through the following System Process Flow:
Advanced SoD's also works through the following Functional Process Flow:
SoD Exemption Handling for Onboarding, Offboarding, and Cross Role Conflicts
| Use Case Causing SoD Conflict | Are SoD Conflicts Addressed by an existing Approved Exemption? | SoD Incident /Change Log Created | Platform Governance for NetSuite Systematic Updates |
|---|---|---|---|
| New Employee Onboarded and one Role assigned | Role Exemption | Compliant SoD Incidents | 1. New Employee added to Affected Employees on the Role Exemption (if All Current and Future checkbox is checked, if not it is treated as SoD Conflicts that have no Exemption) 2. Role Exemption associated to the SoD Incidents |
| Cross Role Exemption | Compliant SoD Incidents | 1. Cross Role Exemption associated to the SoD Incidents | |
| SoD Conflicts that have no Exemption | Unresolved SoD Incidents | 1. No immediate action taken 2. If an Exemption is created to resolve the SoD Conflicts in arrears, it is associated to the SoD Incidents at that time | |
| New Employee Onboarded and multiple Roles assigned | Role Exemption | Compliant SoD Incidents only for single Role SoD Incidents | 1. New Employee added to Affected Employees on the Role Exemption (if All Current and Future checkbox is checked, if not it is treated as SoD Conflicts that have no Exemption) 2. Role Exemption associated to the SoD Incidents |
| Cross Role Exemption | Compliant SoD Incidents for those caused by multiple Roles | 1. Cross Role Exemption associated to the SoD Incidents | |
| SoD Conflicts that have no Exemption | Unresolved SoD Incidents | 1. No immediate action taken 2. If an Exemption is created to resolve the SoD Conflicts in arrears, it is associated to the SoD Incidents at that time | |
| Existing Employee Offboarded by unchecking Give Access checkbox or removing all Roles | Role Exemption | 1. Employee removed from Affected Employees on the SoD Role Exemption | |
| Cross Role Exemption | 1. Employee removed from Affected Employees on the SoD Cross Role Exemption | ||
| SoD Conflicts that have no Exemption | 1. N/A. Employee has been Offboarded, no new SoD Conflict exists | ||
| Existing Employee gets a new Roles causing new SoD Incidents | Role Exemption | Compliant SoD Incidents only for single Role SoD Incidents | 1. Role Exemption associated to the SoD Incidents (if All Current and Future checkbox is checked, if not it is treated as SoD Conflicts that have no Exemption) |
| Cross Role Exemption | Compliant SoD Incidents for those caused by multiple Roles | 1. Cross Role Exemption associated to the SoD Incidents | |
| SoD Conflicts that have no Exemption | Unresolved SoD Incidents | 1. No immediate action taken 2. If an Exemption is created to resolve the SoD Conflicts in arrears, it is associated to the SoD Incidents at that time | |
| Existing Employee with a Cross Role Conflict has one or more Roles removed. SoD must be re-evaluated. | Role Exemption | Compliant SoD Incidents only for single Role SoD Incidents | 1. Role Exemption associated to the SoD Incidents (if All Current and Future checkbox is checked, if not it is treated as SoD Conflicts that have no Exemption) 2. Employee added to Affected Employees on the Role Exemption 3. If the Role removal resolved an existing SOD Conflict, Employee removed from Affected Employees on the SOD Role Exemption |
| Cross Role Exemption | Compliant SoD Incidents for those caused by multiple Roles | 1. Cross Role Exemption associated to the SOD Incidents. 2. If the Role removal resolved an existing SOD Conflict, Employee removed from Affected Employees on the SOD Cross Role Exemption | |
| SoD Conflicts that have no Exemption | Unresolved SoD Incidents | 1. No immediate action taken 2. If an Exemption is created to resolve the SoD Conflicts in arrears, it is associated to the SoD Incidents at that time |