# Segregation of Duties - IAM Risk Analyzer

## Segregation of Duties (SoD) & Toxic Combinations

### 1. Overview

Segregation of Duties (SoD) is a foundational control in Identity Governance that prevents a single user from having excessive or conflicting access that could lead to fraud, data misuse, or compliance violations.

In complex enterprise environments, access risk does not arise from any single entitlement but from **toxic combinations** across roles, responsibilities, and applications.

BalkanID’s SoD engine enables organizations to:

* Detect toxic access combinations
* Continuously monitor risk exposure
* Prevent policy violations before provisioning
* Provide auditor-ready evidence
* Reduce blast radius from over-privileged identities

### 2. What Are Toxic Combinations?

A **toxic combination** occurs when a user has access to two or more permissions that, when combined, allow them to:

* Create and approve payments
* Create vendors and issue payments
* Modify financial records and reconcile them
* Create users and assign privileged roles

These combinations create:

* Fraud risk
* Regulatory violations (SOX, ISO, SOC 2, etc.)
* Insider threat exposure
* Audit findings

### 3. SoD Lifecycle

Segregation of Duties risk management is not a one-time audit exercise. It is a continuous control process designed to proactively identify, evaluate, and remediate toxic access combinations across the organization.

BalkanID supports the full SoD lifecycle as outlined below:

<figure><img src="/files/rweghusKIYXj78YrzAOC" alt="" width="563"><figcaption></figcaption></figure>

#### 1. Policy Definition

Organizations begin by defining risk scenarios aligned to regulatory requirements (e.g., SOX) and internal control standards.

These policies identify business-critical conflicts such as:

* Create Vendor + Approve Vendor
* Create Invoice + Approve Payment
* Create User + Assign Privileged Role

Clear policy definition ensures SoD enforcement is based on **business risk impact**, not just technical entitlement overlaps.

#### 2. Baseline Rule Configuration

Defined policies are translated into enforceable SoD rules within BalkanID.

This involves mapping:

* Roles
* Responsibilities
* Functions
* Privilege inheritance paths

A well-configured baseline establishes a consistent framework for detecting toxic combinations across production and sandbox environments.

#### 3. Risk Detection

BalkanID continuously evaluates user access against configured SoD rules.

Detection includes:

* Direct role conflicts
* Indirect (inherited) privilege conflicts
* Cross-role and cross-responsibility violations
* Cross-application combinations (if applicable)

This ensures real-time visibility into toxic access exposure.

#### 4. Violation Analysis

Identified conflicts are reviewed by designated stakeholders to determine risk severity and business impact.

During analysis, organizations assess:

* Scope of exposure
* Compensating controls (if any)
* User role criticality
* Regulatory implications

This step helps prioritize remediation based on actual risk.

#### 5. Mitigation or Remediation

Appropriate corrective action is taken to eliminate or formally manage the risk.

Common remediation approaches include:

* Removing conflicting access
* Redesigning roles
* Implementing compensating controls
* Documenting risk acceptance with approval

Effective mitigation reduces over-privileged access and strengthens control posture.

#### 6. Continuous Monitoring

SoD risk evolves as users join, move, or leave the organization and as access changes over time.

BalkanID continuously monitors:

* New access grants
* Role modifications
* Bulk provisioning changes
* Campaign outcomes

This ensures that new violations are detected promptly and compliance posture is maintained.
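The lifecycle above (rules derived from the policy conflicts in section 2, detection of direct and inherited conflicts, documented risk acceptance, and a preventive check before a new grant is provisioned) can be illustrated with a small rule engine. The code below is an added example written for this page; it is not BalkanID's engine or API. The role model, entitlement names, rule identifiers (`SOD-001` and so on), users, and the functions `effective_entitlements`, `detect_violations`, and `would_violate` are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample role model (not from BalkanID): role -> (directly granted
# entitlements, parent roles whose entitlements are inherited).
ROLES = {
    "ap_clerk":     ({"create_invoice"},                  set()),
    "ap_manager":   ({"approve_payment"},                 {"ap_clerk"}),
    "vendor_admin": ({"create_vendor", "approve_vendor"}, set()),
    "it_helpdesk":  ({"create_user"},                     set()),
    "it_admin":     ({"assign_privileged_role"},          {"it_helpdesk"}),
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str         # hypothetical identifier, constructed for this example
    conflict: frozenset  # entitlements that are toxic when one identity holds them all
    severity: str


# Constructed rules mirroring the conflicts named in the Policy Definition step.
RULES = [
    SodRule("SOD-001", frozenset({"create_vendor", "approve_vendor"}), "high"),
    SodRule("SOD-002", frozenset({"create_invoice", "approve_payment"}), "high"),
    SodRule("SOD-003", frozenset({"create_user", "assign_privileged_role"}), "critical"),
]


@dataclass
class Violation:
    rule_id: str
    severity: str
    via_roles: dict   # entitlement -> roles that grant it (the privilege path, for evidence)
    kind: str         # "single-role" (one role grants the whole conflict) or "cross-role"
    inherited: bool   # True if any granting role was reached only through inheritance


def effective_entitlements(assigned_roles, role_model=ROLES):
    """Walk the inheritance graph and return entitlement -> set of roles granting it."""
    granted = {}
    seen = set()
    stack = list(assigned_roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue          # also guards against cycles in the role hierarchy
        seen.add(role)
        direct, parents = role_model[role]
        for entitlement in direct:
            granted.setdefault(entitlement, set()).add(role)
        stack.extend(parents)
    return granted


def detect_violations(assigned_roles, rules=RULES, role_model=ROLES, accepted=frozenset()):
    """Return SoD violations for one identity. Rule ids listed in `accepted` are
    documented, approved risk acceptances and are suppressed from the result."""
    assigned = set(assigned_roles)
    granted = effective_entitlements(assigned, role_model)
    found = []
    for rule in rules:
        if rule.rule_id in accepted or not rule.conflict.issubset(granted):
            continue
        via = {e: granted[e] for e in sorted(rule.conflict)}
        common = set.intersection(*via.values())
        kind = "single-role" if common else "cross-role"
        inherited = any(r not in assigned for roles in via.values() for r in roles)
        found.append(Violation(rule.rule_id, rule.severity, via, kind, inherited))
    return found


def would_violate(current_roles, new_role, **kwargs):
    """Preventive check run before provisioning: the violations that granting
    `new_role` on top of `current_roles` would newly introduce."""
    before = {v.rule_id for v in detect_violations(current_roles, **kwargs)}
    after = detect_violations(set(current_roles) | {new_role}, **kwargs)
    return [v for v in after if v.rule_id not in before]


if __name__ == "__main__":
    # Constructed users: alice inherits create_invoice through ap_manager -> ap_clerk.
    for user, roles in {"alice": {"ap_manager"}, "bob": {"vendor_admin"}}.items():
        for v in detect_violations(roles):
            print(f"{user}: {v.rule_id} [{v.severity}] {v.kind}"
                  f"{' (inherited)' if v.inherited else ''} via {v.via_roles}")
    print("carol + it_admin ->",
          [v.rule_id for v in would_violate({"it_helpdesk"}, "it_admin")])
```

`detect_violations` records the privilege path for every conflicting entitlement, which is the auditor-facing evidence the Violation Analysis step needs; the `inherited` flag separates direct role conflicts from indirect ones reached through the hierarchy. Passing `accepted` models a documented risk acceptance from the Mitigation step, and `would_violate` is the preventive check that Continuous Monitoring applies to new access grants and role modifications before they are provisioned.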

