Skip to main content

← Back to glossary

Term · 2. Authentication & Authorization

Separation of Duties SoD

Separation of duties (SoD) splits a sensitive process so no single person can complete it alone — for example, the developer who writes code cannot also deploy it to production, and the person who requests access cannot approve it. SoD detects and prevents fraud and error, and is a core control for SOX, banking regulation and access-governance standards.

IDM/IGA Domain

Definition

Control principle preventing any single individual from completing a sensitive process — split between two or more people to detect/prevent fraud. Examples: developer cannot deploy to production; user requesting access cannot also approve; auditor cannot edit logs. Required by SOX, PCI DSS, HIPAA, and bank regulations.

Application
Enforced in IGA platforms via SoD policies: conflicting roles cannot be held simultaneously. Common SoD pairs: AP creator + AP approver, code committer + production deployer, system admin + audit reviewer. Violations detected during access requests and certifications.
Sources
FAQ

Frequently asked questions

What is separation of duties (SoD)?

SoD ensures that completing a high-risk action requires more than one person, so no individual has end-to-end control. Classic examples are request-vs-approve and develop-vs-deploy. It is a primary defense against insider fraud and undetected error.

How is SoD enforced in an IGA platform?

Through an SoD policy engine that defines toxic combinations of entitlements and blocks or flags them at request time and during certification. Violations that must be granted are handled as documented, time-bound exceptions with compensating controls.

SoD vs least privilege?

Least privilege limits how much access one identity has; SoD limits which combinations of access any one identity may hold. You need both — an account can be least-privileged yet still hold a toxic two-permission combination that SoD is designed to catch.