Segregation of Duties (SoD) is a mechanism that prevents the accumulation of too much power in the hands of a single person. It places constraints on the assignment of entitlements to users. For example, SoD may prevent a single user from creating a request and also approving it.

In its simplest form, Segregation of Duties is implemented at the RBAC level by role exclusions: roles that exclude each other cannot be assigned to the same user at the same time. This is the basic SoD mechanism that is implemented in midPoint now. More complex SoD rules will be implemented in the future.
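
The role-exclusion rule described above can be sketched as a small model. This is an added example, not midPoint code or its API: the class, method, and role names are hypothetical, and the sample assignments are constructed. It treats an exclusion as symmetric, rejects a conflicting assignment, and audits existing assignments that predate a rule.

```python
from collections import defaultdict

class SoDViolation(Exception):
    """An assignment would give one user two mutually exclusive roles."""

class RoleExclusionPolicy:  # hypothetical model, not midPoint's implementation
    def __init__(self):
        self._excludes = defaultdict(set)  # role -> roles it may not coexist with
        self._assigned = defaultdict(set)  # user -> roles currently held

    def exclude(self, role_a, role_b):
        # Store both directions: declaring the exclusion on one role is enough,
        # and the order in which roles are later assigned must not matter.
        if role_a == role_b:
            raise ValueError("a role cannot exclude itself")
        self._excludes[role_a].add(role_b)
        self._excludes[role_b].add(role_a)

    def conflicts(self, user, role):
        """Roles the user already holds that exclude `role`."""
        return sorted(self._assigned[user] & self._excludes[role])

    def assign(self, user, role):
        clash = self.conflicts(user, role)
        if clash:
            raise SoDViolation(f"{user}: {role} is excluded by {', '.join(clash)}")
        self._assigned[user].add(role)

    def unassign(self, user, role):
        self._assigned[user].discard(role)

    def audit(self, assignments):
        """Find violations in existing data, e.g. assignments made before a rule existed."""
        found = []
        for user, roles in sorted(assignments.items()):
            held = set(roles)
            for role in sorted(held):
                for other in sorted(held & self._excludes[role]):
                    if role < other:  # report each conflicting pair once
                        found.append((user, role, other))
        return found

if __name__ == "__main__":
    policy = RoleExclusionPolicy()
    policy.exclude("Request Creator", "Request Approver")  # constructed role names
    policy.assign("alice", "Request Creator")
    print(policy.conflicts("alice", "Request Approver"))
    print(policy.audit({"carol": ["Request Approver", "Request Creator"]}))
```

The `audit` method matters in practice because an exclusion added later does not by itself remove conflicting assignments that already exist.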