Skip to content
IAM Day by Day

Separation of Duties (SoD)

Preventing Toxic Combinations

Section titled “Preventing Toxic Combinations”

Separation of Duties (SoD) is the strategic practice of ensuring that no single individual has enough authority to execute a high-risk business process from start to finish without oversight. By dividing critical tasks among multiple people, organizations eliminate the risk of fraud, internal theft, and catastrophic human error. In identity architecture, SoD is implemented by identifying “Toxic Combinations” of permissions—where possessing both Rule A and Rule B creates an unacceptable risk to the enterprise.

SOD

Internal Control
Core Mission
Distributed Authority. Breaking down sensitive workflows into discrete steps owned by different identities, ensuring that collusion would be required to compromise a critical system.
Like a Two-Key System: To launch a missile from a submarine, two different officers must turn two different keys at exactly the same time. Neither officer can launch the missile alone. This ensures that a single rogue individual or an accidental mistake cannot trigger a world-changing event. SoD is the "Two-Key System" for your company's finances and data.
Financial Systems / Production Deployments / Root Admin Access

The SoD Control Matrix

Section titled “The SoD Control Matrix”

SoD isn’t just about blocking access; it’s about building a layered defense that includes prevention, detection, and mitigation.

Strategic Control Comparison

Section titled “Strategic Control Comparison”
Control TypeMechanismStrategyTrade-off
PreventiveHard-block during Role assignment.Stop the conflict before it happens.High friction for admins.
DetectiveAudit logs and scheduled scans.Find and remediate existing conflicts.Risk remains until discovered.
CompensatingEnhanced logging / Second approval.Mitigate risk when SoD isn’t possible.Higher manual overhead.
OrganizationalDepartmental/Team silos.Ensure rivals or separate teams review work.Management complexity.

The Conflict Detection Flow

Section titled “The Conflict Detection Flow”

A modern SoD engine evaluates every access request against a library of “Toxic Combinations” before a single permission is granted.

1

Identify "Toxic Sets"

Security and Finance teams define pairs of permissions that must never coexist (e.g., "Create Vendor" + "Approve Payment").

2

Evaluate Request

When a user requests a new role, the system instantly cross-references their existing permissions with the requested ones to find overlaps.

3

Enforce or Mitigate

The system blocks the request if a conflict is found. If access is critical, an "Exception Workflow" triggers high-risk approvals and enhanced auditing.

Technical SoD Implementation Guides

Section titled “Technical SoD Implementation Guides”

Master the patterns for preventing and detecting internal authorization conflicts.

Conflict-Free Roles

Designing role hierarchies that are built to avoid inherent SoD violations by design.

Detective Scanning

Using periodic reviews to discover "Ghost SoD" issues that arise from ad-hoc permissions.

Governance Engine

Integrating SoD rules into your centralized Identity Governance and Administration (IGA) platform.

Reporting Compliance

Providing auditors with proof of SoD enforcement and exception management lifecycles.

Next Steps

Section titled “Next Steps”