What is Segregation of Duties?

Understanding Segregation of Duties (SoD)

Segregation of Duties (SoD) is a foundational control in governance and compliance. It ensures that no individual has conflicting responsibilities or privileges that could allow them to commit fraud, conceal errors, or bypass oversight.

Within Identity Governance and Administration (IGA), SoD policies ensure that conflicting roles or entitlements are never assigned to the same person, closing one of the most common risk gaps in enterprise environments.

SoD prevents “all-powerful” access by separating critical duties across different roles — protecting both your organization and your users.

Why SoD Matters in Identity Governance

In large organizations, it’s common for employees to accumulate access rights as they change roles or take on new projects. Without governance checks, these privileges can overlap — creating SoD violations that go unnoticed.

Examples of SoD Conflicts

  • A user who can both create a vendor and approve a payment could commit or conceal fraud.
  • A developer with production access and deployment approval can bypass QA or change management.
  • A system administrator who can grant access and certify access can override controls.

SoD policies reduce these risks by enforcing checks and balances in access management.

They are essential for:

  • Compliance with SOX, GDPR, HIPAA, and ISO 27001.
  • Fraud prevention and accountability.
  • Operational integrity across financial, IT, and HR systems.
  • Audit readiness through documented enforcement and remediation.

SoD sits at the intersection of security, compliance, and governance — ensuring trust in every access decision.

How SoD Works in an IAM Context

1. Define SoD Policies

Organizations first identify which combinations of roles, entitlements, or actions should never coexist.

| Policy Type            | Example Conflict                       | Description                                 |
|------------------------|----------------------------------------|---------------------------------------------|
| Financial Control      | Create Vendor vs. Approve Payment      | Prevents financial fraud.                   |
| Operational Control    | Deploy Code vs. Approve Change Request | Enforces DevOps separation of duties.       |
| Administrative Control | Grant Access vs. Certify Access        | Prevents unauthorized privilege escalation. |
These rules form the foundation of both preventive and detective controls.

2. Detect SoD Violations

Detection in OpenIAM is not a one-time activity — it’s a continuous, policy-driven process.

As users gain, change, or lose access across systems, OpenIAM’s governance engine constantly evaluates those entitlements against defined SoD policies.

When conflicts are found, the system automatically flags the violation and can trigger a range of actions based on severity or policy rules:

  • Immediate alerting to role owners, application owners, or managers.
  • Automatic remediation workflows (e.g., revoke one role, initiate review).
  • Risk-based escalation for approval or documented exception.
  • Audit logging for traceability and reporting.

This approach ensures that SoD violations are caught the moment they occur — not just when a review campaign happens — dramatically reducing risk exposure between certification cycles.

In OpenIAM, SoD detection is continuous, contextual, and auditable — delivering true “always-on” governance.

3. Preventive Controls

Preventive SoD controls are enforced during access request and approval workflows, not during automated birthright provisioning.

When a user requests access through the catalog, OpenIAM evaluates all existing entitlements against SoD policies.

If a conflict is identified, OpenIAM will:

  • Block the request, or
  • Route it for risk-based approval and justification.

This ensures that:

  • Birthright access (pre-approved baseline privileges) is always provisioned smoothly.
  • Non-standard or elevated access is validated for SoD compliance before being granted.

Preventive SoD ensures that conflicts are caught at the moment of request — keeping standard access automated while maintaining strong control over exceptions.

4. Detective Controls

Detective SoD controls identify conflicts that may arise over time as users change roles, teams, or applications.

In OpenIAM, detective enforcement happens continuously — not just during scheduled reviews.

Continuous Monitoring

OpenIAM constantly evaluates all users, roles, and entitlements against active SoD policies.

If a violation is detected (for example, after a role import or system synchronization), the platform can:

  • Automatically flag the violation,
  • Notify the appropriate owner or manager,
  • Trigger an automated remediation or approval workflow, and
  • Document every action for audit evidence.

Access Review Integration

At scheduled intervals, OpenIAM’s access certification campaigns provide a second line of defense.

Managers review any remaining SoD exceptions, confirm business justifications, or revoke access as needed.

Continuous SoD monitoring ensures that violations are addressed immediately — while certifications provide formal verification for audit and compliance purposes.

Implementing SoD with OpenIAM

OpenIAM embeds SoD directly into its Identity Governance workflows.

This integration allows organizations to both prevent new conflicts and detect existing ones automatically across all connected systems.

With OpenIAM, you can:

  • Define SoD policies centrally across applications, roles, and entitlements.
  • Evaluate access requests in real time against SoD rules.
  • Continuously monitor for new conflicts introduced through system changes.
  • Automate remediation via risk-based workflows and delegated approvals.
  • Certify SoD compliance through campaign-driven access reviews.
  • Generate audit-ready reports detailing SoD policy effectiveness and resolution history.

OpenIAM transforms SoD from a static control into a dynamic, continuously monitored policy framework that reduces risk without slowing down operations.

Example: Continuous SoD Enforcement

A finance employee changes roles within the company.

Their new responsibilities include approving payments, while their existing role still grants vendor creation access.

During the next synchronization cycle, OpenIAM detects this new conflict:

  1. The continuous monitoring engine evaluates all user entitlements.
  2. It detects a violation between Vendor Creation and Payment Approval.
  3. The system triggers an SoD remediation workflow.
  4. The manager receives a notification to review and resolve the conflict immediately.

No waiting for the next certification campaign — the issue is caught and addressed in real time.
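The four steps above and this finance scenario, worked as an added Python example (not OpenIAM's own code or API): policy definitions, a request-time preventive check, and a post-synchronization detective scan. The role and entitlement names are constructed, and the rule that a policy's severity decides between blocking and routing for review is an assumption.

```python
from dataclasses import dataclass

# 1. Define SoD policies: entitlement pairs that must never coexist. Severity
#    deciding block vs. review is an assumption, not documented OpenIAM behaviour.
@dataclass(frozen=True)
class SodPolicy:
    name: str
    left: str
    right: str
    severity: str  # "high" -> block the request, "medium" -> route for review

POLICIES = [
    SodPolicy("Financial Control", "create_vendor", "approve_payment", "high"),
    SodPolicy("Operational Control", "deploy_code", "approve_change", "medium"),
    SodPolicy("Administrative Control", "grant_access", "certify_access", "high"),
]

# Constructed sample role model (hypothetical role and entitlement names).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"create_vendor", "view_invoices"},
    "ap_manager": {"approve_payment", "view_invoices"},
    "release_engineer": {"deploy_code"},
    "cab_member": {"approve_change"},
}

def effective_entitlements(roles):
    """Flatten a user's roles into the set of entitlements they grant."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))

def find_violations(entitlements, policies=POLICIES):
    """2. Detect: every policy whose two conflicting sides are both present."""
    return [p for p in policies if p.left in entitlements and p.right in entitlements]

def evaluate_request(current_roles, requested_role, policies=POLICIES):
    """3. Preventive control at request time: evaluate existing plus requested access.
    Returns ("approve" | "review" | "block", list of violated policies)."""
    hits = find_violations(effective_entitlements([*current_roles, requested_role]), policies)
    if not hits:
        return "approve", hits
    if any(p.severity == "high" for p in hits):
        return "block", hits
    return "review", hits  # route for risk-based approval with justification

def scan_users(user_roles, policies=POLICIES):
    """4. Detective control after a sync or role import: user -> violated policy names."""
    report = {}
    for user, roles in user_roles.items():
        hits = find_violations(effective_entitlements(roles), policies)
        if hits:
            report[user] = [p.name for p in hits]
    return report
```

In the scenario above, the finance employee's new role adds approve_payment while the old role still grants create_vendor, so scan_users reports the Financial Control conflict on the next cycle instead of waiting for a certification campaign.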

SoD, Role Models, and Certifications

SoD policies are most effective when built on a structured access model.

They work hand-in-hand with:

  • Role-Based Access Control (RBAC): Simplifies enforcement by defining consistent job functions.
  • Attribute-Based Access Control (ABAC): Adds context like department or region.
  • Access Certification: Provides periodic validation and audit assurance.
  • Identity Governance (IGA): The overall framework that orchestrates SoD detection, remediation, and reporting.

Together, these elements create a closed governance loop — from prevention to detection to continuous compliance.

Benefits of Automating SoD Controls

  • Continuous Risk Reduction: Detect and resolve conflicts as they occur.
  • Compliance Readiness: Always audit-ready with up-to-date evidence.
  • Operational Efficiency: Reduce manual reviews and exception approvals.
  • Centralized Policy Management: Manage all SoD rules and violations in one place.
  • Governance Integration: Link SoD enforcement with provisioning, requests, and certifications.

Automated SoD enforcement ensures that security, compliance, and productivity can coexist — without compromise.

Frequently Asked Questions

1) What’s the difference between SoD and Least Privilege?

Least Privilege limits how much access a user has; SoD ensures no one person can perform all critical steps in a sensitive process.

2) What happens when an SoD conflict is detected?

OpenIAM flags or blocks the assignment, notifies the owner, and launches a remediation workflow to resolve the conflict immediately.

3) Can SoD apply to service or machine identities?

Yes. Machine accounts can violate SoD policies — for example, automation scripts that both create and approve records. OpenIAM monitors and enforces SoD for non-human identities as well.

4) Is SoD only relevant for finance?

No. SoD applies to IT, HR, and operational systems — anywhere conflicting privileges could lead to risk or non-compliance.

Related Concepts

  • Identity Governance (IGA)
  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Access Certification
  • Workforce Identity Concepts

Copyright © 2025 OpenIAM. All rights reserved.