You can use Identity Audit to detect Segregation of Duties (SoD) violations. The detection mechanism of IDA monitors users' actual access to resources and captures any violations on a continuous basis. Detection can run in one of the following modes:
Detective mode: In detective mode, the entire identity warehouse of users can be monitored for anomalies or toxic combinations of user access rights.
Preventive mode: In preventive mode, any access that is requested via the access catalog in real time can be automatically detected as an Identity Audit policy violation, and preventive action can be taken.
There may be multiple audit policies defined. A single audit policy detects a specific violation on users. An audit policy is composed of one or more audit rules, and each rule detects a cause of the violation. User profiles as well as their associated roles, accounts, entitlements, and organizations are then scanned for identity audit policy violations. User accounts (including entitlements), user attributes, and roles/access policies that violate an identity audit policy are flagged and tracked until the violation is resolved. The solution also maintains a comprehensive history of audit scans.
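The following added example (not Oracle's code) models the concepts above: an audit policy composed of rules, each rule detecting one cause (a toxic entitlement pair), a detective scan over a small identity warehouse, and a preventive check on a single access request. The policy, rule, role and entitlement names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    """One audit rule: detects a single cause of the violation (a toxic pair here)."""
    name: str
    toxic_pair: tuple  # two entitlements that must never be held together

    def violated_by(self, entitlements: set) -> bool:
        return all(e in entitlements for e in self.toxic_pair)

@dataclass
class Policy:
    """An audit policy is one or more rules; any rule firing is a policy violation."""
    name: str
    rules: list

    def causes(self, entitlements: set) -> list:
        return [r.name for r in self.rules if r.violated_by(entitlements)]

def effective_entitlements(user: dict, role_entitlements: dict) -> set:
    """Direct entitlements plus those inherited through the user's roles."""
    ents = set(user.get("entitlements", []))
    for role in user.get("roles", []):
        ents |= set(role_entitlements.get(role, ()))
    return ents

def detective_scan(users: list, policies: list, role_entitlements: dict) -> list:
    """Detective mode: scan the whole warehouse; each finding stays open until resolved."""
    findings = []
    for user in users:
        ents = effective_entitlements(user, role_entitlements)
        for policy in policies:
            causes = policy.causes(ents)
            if causes:
                findings.append({"user": user["id"], "policy": policy.name,
                                 "causes": causes, "status": "open"})
    return findings

def preventive_check(user: dict, requested: str, policies: list, role_entitlements: dict) -> list:
    """Preventive mode: evaluate one access request as if granted, before approving it."""
    ents = effective_entitlements(user, role_entitlements) | {requested}
    return [p.name for p in policies if p.causes(ents)]

# Constructed sample data (hypothetical roles, entitlements and policy names)
ROLE_ENTITLEMENTS = {"AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
                     "AP_MANAGER": {"APPROVE_PAYMENT"}}
POLICIES = [Policy("VendorPayment_SoD", [
    Rule("vendor_and_payment", ("CREATE_VENDOR", "APPROVE_PAYMENT")),
    Rule("invoice_and_payment", ("ENTER_INVOICE", "APPROVE_PAYMENT"))])]
USERS = [{"id": "u1", "roles": ["AP_CLERK", "AP_MANAGER"]},
         {"id": "u2", "roles": ["AP_CLERK"]}]
```

Running `detective_scan(USERS, POLICIES, ROLE_ENTITLEMENTS)` flags u1 on both rules, while `preventive_check(USERS[1], "APPROVE_PAYMENT", ...)` shows the same policy would be violated if u2's request were granted.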
The concepts related to Identity Audit are described in the following sections.