Understanding SoD in Modern Enterprises: Same App, Cross-App & Service Account

 



Segregation of Duties (SoD) in IAM and Saviynt EIC

Segregation of Duties (SoD) — also known as Separation of Duties — is a key security principle used to reduce the risk of fraud, errors, or misuse by making sure no single person has control over all parts of a sensitive task or transaction.

SoD Within the Same Application

This is the most common SoD scenario. It ensures that within a single application, users don’t get access to perform conflicting actions that could lead to fraud.

Real-Time Example in SAP:

A user named Vikram works in the Finance department.

Current Roles:

  • Role A: Create Vendor Master Data
  • Role B: Process Vendor Payments

SoD Violation:

This is a classic intra-application SoD violation:

Vikram can create a fake vendor and then initiate payment to that vendor, all within SAP.

There is no oversight or second pair of eyes — a clear fraud risk.

How Saviynt Handles It:

Create SoD Rule in Saviynt:

Rule Name: Create Vendor and Process Payments

Application: SAP ECC

Entitlement A: Role with XK01

Entitlement B: Role with F110

Risk Level: Critical

SoD Analysis in Identity Repository:

Saviynt scans current access:

  • Finds Vikram with both entitlements.
  • Displays violation under Access Risk Details.

During Access Request Workflow:

  • If Vikram requests Role B while already having Role A, Saviynt:

Violation Remediation:

  • Remove one of the conflicting roles
  • Grant temporary access using Firefighter ID (Privileged Access Management)
  • Add a monitoring alert or require supervisor review

Key Concepts:

  • Role-Based Access Control (RBAC): Roles are used to group permissions, and SoD rules define what role combinations are risky.
  • Granular Permissions: SoD works best when permissions are clearly defined and separated.

SoD Across Different Applications (Cross-Application)

SoD across applications refers to identifying and preventing conflicting access when a user has roles or entitlements in more than one system that, when combined, pose a security or compliance risk.

Most organizations use multiple systems like SAP, Oracle EBS, Salesforce, ServiceNow, etc. Users often get roles in these apps that seem fine in isolation, but together they create a toxic combination.

Why is This Important?

Without cross-application SoD:

  • Users might exploit access in one app to commit fraud in another
  • Internal audits and compliance (SOX, GDPR) may fail
  • Risk visibility is fragmented across siloed systems

Saviynt shines here because it supports cross-application SoD policies, pulling entitlement data across systems to detect toxic combinations.

Real-Time Example: SoD Violation Across SAP and ServiceNow

Scenario:

Let’s say you have a user named Anita who works in Finance.

Access Anita has:

In SAP, she has: Role A: Create Vendor Master Data (Tcode XK01: Add new vendor details)

In ServiceNow, she has: Role B: Approve Vendor Onboarding Tickets(Entitlement: sn_vndr.approver)

SoD Risk:

This is a toxic combination. Anita can: Create fake vendors in SAP & Approve her own vendor requests in ServiceNow

Even though the systems are different, the business function is the same, and it breaks the SoD principle of "no self-approval."

How Saviynt Handles This

Cross-Application SoD Rule Setup:

In Saviynt, you define a rule.

Rule Name: Create and Approve Vendor

App A: SAP → Entitlement: Create Vendor

App B: ServiceNow → Entitlement: Approve Vendor Ticket

Violation Type: High

SoD Risk Analysis:

Saviynt scans identities, finds Anita with both entitlements, and flags her in Access Risk Dashboard.

During Access Request:

If Anita requests either access:

  • Saviynt checks SoD policies across both apps.
  • Raises an SoD violation warning.
  • Routes to approvers with risk justification options.

Remediation Options:

  • Remove one of the roles
  • Add a compensating control (e.g., monthly audit)
  • Assign access via firefighter ID with logging

Why is this matter:

  • Business processes often span across multiple apps.
  • SoD must look at the full picture across systems, not just one app at a time.

SoD in Service Accounts

Service accounts are non-human accounts used by applications or systems to run automated tasks. These accounts often have high privileges and are easy to overlook, making them a serious security risk if not managed properly.

Real-Time Example in Saviynt:

Scenario:

You are managing an SAP system using Saviynt, and there is a service account svc_batch used for running background jobs.

Risky Access Detected:

Saviynt detects that svc_batch has both:

  1. SAP Role A – Can create purchase orders (Tcode: ME21N)
  2. SAP Role B – Can approve purchase orders (Tcode: ME28)

SoD Violation:

These two roles combined violate a critical SoD rule:

Create and Approve Purchase Orders should not be performed by the same identity — whether human or service account.

If an attacker compromises svc_batch, they can create fake purchase orders and approve them — a classic fraud scenario.

What Saviynt Does:

Risk Detection: Saviynt uses its SoD rules engine to flag this combination as a violation.

Policy Enforcement: The service account may be blocked from receiving Role B.

Approval Workflow: A SoD exception request may be raised, requiring compensating controls or justification from an approver (like the risk manager).

Risk Remediation: Admin can reassign the roles, use break-glass access, or implement firefighter ID controls.

 


Comments

Post a Comment

Popular posts from this blog

Accounts in Salesforce 🏒

Image
  Salesforce Sales Cloud - Understanding Accounts 🏒 What is an Account in Salesforce? πŸ€” An Account in Salesforce is like a folder that stores information about a business or an individual you are dealing with. Think of it as a contact list for businesses or customers that your company interacts with. Real-Life Example Imagine you own a furniture business πŸ›‹️. You sell to both companies (like a hotel chain) and individuals (like a homeowner). If you are selling to a company , the company (e.g., "Luxury Hotels Ltd.") is an Account in Salesforce. If you are selling to an individual , that person (e.g., "John Doe") is also an Account in Salesforce but treated as a Person Account (more on this later). Important Fields in an Account and Their Uses πŸ“‹ Each Account contains fields that store specific information. Here are some important ones: Account Name 🏷️ – The name of the business or customer. (e.g., "Luxury Hotels Ltd.") Account Type 🏒 – Define...
Read more

πŸ’₯Important points to know about role in salesforce πŸ’₯

Image
1,  Role is optional in Salesforce but at what scenario role is necessary ? πŸ’₯ In Salesforce, the Role field is technically optional, but it becomes necessary in    certain  scenarios, particularly for security, sharing, and reporting purposes. Here are the few key  situations where a Role is required and highly recommended. with out   R ole you can not achieve below.  Role-Based Sharing Rules  If your organization uses Role Hierarchy to control data visibility, assigning a role is essential. Records owned by users with a higher role can be made visible to those in lower roles, but without a role, users might not be included in these sharing rules.  Organization-Wide Defaults & Record Access  When OWD is set to Private or Public Read-Only , users without a role may not get proper access to records unless explicitly shared. Users with roles can inherit access based on the hierarchy. Reports & Dashboards  Role-based fi...
Read more

What is contract in salesforce πŸ“œ

Image
  Understanding Contracts in Salesforce πŸ“œ Welcome to Salesforce! If you’re new to the platform, don’t worry—I’ll explain Contracts in a simple, engaging, and easy-to-understand way. Think of contracts as the formal agreements between your company and your customers that define the terms of a business deal. Let’s dive in! πŸš€ What is a Contract in Salesforce? πŸ€” A Contract in Salesforce is a record of an agreement between your company and a customer. It helps track details such as: ✅ Start & End Dates – When the contract begins and ends. ✅ Terms & Conditions – The rules both parties agree to. ✅ Status – Whether the contract is still in negotiation, active, or expired. Real-life Example: Imagine you run a software company that sells subscriptions. A client subscribes to your software for 12 months. The signed contract ensures they pay monthly and receive updates, while you guarantee service for the duration. Why are Contracts Important? πŸ”‘ Contracts help bu...
Read more