Managing SoD Risks with Veza
Workflows and recommendations for working with SoD rulesets in Veza.
Overview
Veza provides queries for detecting SoD violations with a flexible interface for defining combinations of conflicting entitlements that map to your organization's SoD rules. These queries support:
A Separation of Duties overview page for reviewing all SoD queries, with options to search or filter by name, risk level, owner, or application.
Using Veza's Graph and Query Builder search interfaces to investigate risky users, with visibility into the organization, department, last login, access to other apps, and historical access patterns.
Easy-to-build and customizable Dashboards for tracking SoD violations and resolutions, monitoring progress, and reporting to stakeholders.
Continuous Rules and Alerts, with integrated service ticket creation for ServiceNow, Jira, or any target system using orchestration actions and webhooks.
To use Veza to manage SoD risks, we recommend reviewing the out-of-the-box queries available for the integrations you have added to Veza, then using our SoD tool to add more policies into Veza depending on your needs.
Detection
Detecting SoD Violations and Cross-Platform SoD Conflicts
You can model your SoD rulesets in Veza by creating detection queries that search the Veza graph for users with conflicting roles or permissions.
To add a query, open the Separation of Duties overview and click New SoD Query. Use the Separation of Duties query builder to model each rule by:
Specifying the type of user the rule applies to (either an identity provider identity or local user account).
Creating AND/OR statements that define the conflicting permissions or roles across one or more target applications.
You can preview the results before saving the query. When saving the query, you should assign a risk level, add a brief description and risk explanation, and document mitigating controls.
See Creating SoD Detection Queries for more information about the SoD query builder and syntax.
Setting Risk Levels for Separation of Duties (SoD) Queries
Each SoD query can be assigned a risk level for organizing your SoD queries by criticality. When a risk level is assigned to a query, users in the results are assigned a risk score based on the total number and risk levels of rules they violate.
You can assign risk levels when saving a query, by editing the saved query, or using quick actions on the Separation of Duties landing page.
To change the risk level associated with a saved SoD query and add or update details:
Find a query on the Separation of Duties overview and click to view details.
In the details view, click Edit to open the Save Query dialog.
On the Save Query > Details tab, click the Risk Level dropdown to set the risk level. Setting this criticality level to low, medium, high, or critical will mark the results of the query as risks and enable risk score generation.
Use the Risk Explanation field to describe the SoD risk.
Use the Risk Remediation field to document mitigating controls for the risk.
Click Save Query at the top right after making your changes.
You can also quickly change a risk level directly from the Separation of Duties overview by locating the query, opening the Actions menu, and choosing Set Risk Level.
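As an added illustration of the rule model described in the two sections above (conflicting roles combined with AND/OR across one or more applications, each rule carrying a risk level, and a per-user risk score derived from the rules violated), here is Python that is not Veza's own code. The role names, sample users and numeric risk weights are assumptions made for the example, and destination_rows approximates the per-relationship row layout of the Show [Destination Entities] option described under Remediation.

```python
from dataclasses import dataclass

# Risk levels named on the page; the numeric weights are an assumption used only
# to illustrate a score that grows with the number and level of violated rules.
RISK_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Rule:
    name: str
    risk_level: str
    conflicts: list  # OR of AND groups of (app, role): any fully held group fires the rule

def violates(entitlements: set, rule: Rule) -> bool:
    """True when the user's (app, role) set satisfies any AND group of the rule."""
    return any(all(e in entitlements for e in group) for group in rule.conflicts)

def evaluate(users: dict, rules: list) -> dict:
    """Map each violating user to its violated rule names and an (assumed) risk score."""
    out = {}
    for user, ents in users.items():
        hits = [r for r in rules if violates(ents, r)]
        if hits:
            out[user] = {"violations": [r.name for r in hits],
                         "risk_score": sum(RISK_WEIGHT[r.risk_level] for r in hits)}
    return out

def destination_rows(users: dict, rules: list) -> list:
    """One (user, app, role) row per conflicting entitlement, as Show [Destination Entities] does."""
    rows = set()
    for user, ents in users.items():
        for group in (g for r in rules for g in r.conflicts):
            if all(e in ents for e in group):
                rows.update((user, app, role) for app, role in group)
    return sorted(rows)

# Constructed sample data: hypothetical role names in Coupa and Salesforce.
RULES = [
    Rule("Vendor maintenance vs payment approval", "high",
         [(("Coupa", "Vendor Maintenance"), ("Coupa", "Payment Approver"))]),
    Rule("AP entry vs order administration", "medium",
         [(("Coupa", "AP Clerk"), ("Salesforce", "Order Admin"))]),
]
USERS = {
    "alice": {("Coupa", "Vendor Maintenance"), ("Coupa", "Payment Approver")},
    "bob": {("Coupa", "AP Clerk"), ("Salesforce", "Order Admin")},
    "carol": {("Coupa", "Vendor Maintenance"), ("Coupa", "Payment Approver"),
              ("Coupa", "AP Clerk"), ("Salesforce", "Order Admin")},
    "dave": {("Salesforce", "Order Admin")},  # holds only one side of a conflict
}
```

Running evaluate(USERS, RULES) flags alice, bob and carol but not dave, who holds only one half of the cross-application conflict.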
Using Labels to Organize SoD Queries
Queries created with Veza can have labels to organize them based on application, user type, or any other criteria.
You can add labels by editing a saved SoD query:
Find a query on the Separation of Duties overview and click to view details.
In the details view, click Edit to open the Save Query dialog.
On the Save Query > Details tab, click the Labels dropdown to add one or more labels or start entering text to create a label.
Click Save Query at the top right after making your changes.
Recommendations:
Apply a general label like separation_of_duties to identify all SoD rules.
Additionally, label the business process associated with each query, e.g., expenditure or revenue.
While you can label the data source (identity source or target applications) associated with an SoD query, Veza provides built-in filters for sorting by integration.
Setting Up Alerts and Automation
Administrators can configure alerts to trigger when a new user is detected with conflicting roles or permissions. Alerts can trigger email notifications, custom automations with webhooks, or use built-in integrations to create service tickets. Rules for SoD queries can be configured to trigger different actions at different levels of severity.
On the Separation of Duties page, filter or search to find a query. Click Manage Rules from the actions menu to edit rules for the query.
Click Add a new rule to open the rule builder:
Give the rule a name and description, and set the severity level.
You can configure escalating levels of rules to trigger different actions based on the severity level: High, Medium, or Low.
Choose to trigger the rule based on the number of Query Results, or changes in Query Properties. Typically you will want to alert when the query results increase by more than one.
Configure rule actions (optional): Check the box to deliver the alert via the selected orchestration action: email, webhook, ServiceNow, or Jira, or create a new orchestration action. The alert will include details about the query result that triggered the rule for remediation purposes.
Click Next to optionally configure On-Demand Reviews when the results change.
Click Save to close the rule builder.
On the Save Query flow, add additional rules as desired.
Click Save Query to save your changes.
You can review all configured rules for a query on the Separation of Duties page by clicking to open the Query Details > Rules tab. The Query Details > Alerts tab shows a log of events for each time a rule triggers.
See Rules and Alerts for more information about enabling conditional alerts to trigger automation and notifications when new violations are detected.
Continuous Monitoring
Query Result Details and Change Tracking
The Separation of Duties overview page indicates the last update time for each query and the user who modified the query. Review these regularly to ensure that SoD rules are not changed unless required.
Clicking on a query to open the details view shows additional information about the user who created the query and the creation and last update timestamps:
Note: Veza does not currently distinguish between the query creator and owner.
Creating Dashboards for Monitoring
While the Separation of Duties overview page offers quick visibility into the status of all your SoD queries, you can use Reports to group and track specific queries, and add reports to Dashboards to get immediate visibility into trends, top risks, and share views with team members.
Create a report using Actions > Add to Report in the query details view, or go to Access Intelligence > Reports to create a new report.
Add the report to the "Dashboard Reports" collection. Use labels or queries to build the report.
Go to Veza Dashboards to view the report and add it to your favorites for easy access.
See below for steps to create a dynamic or query-based report with the Access Intelligence > Reports builder.
Create dynamic SoD dashboards with labels
If you have applied labels to your SoD queries, you can quickly create a dashboard for all queries with a matching label:
Browse to Access Intelligence > Reports
Click + Create Report
Give the report a name and description
For the Report Type, choose Dynamic
Under Collections, ensure that Dashboard Reports is selected
Click Next
On the Queries tab, use the Labels dropdown to filter which SoD queries appear in the report.
Click Create Report
Query-Based SoD Dashboards
You can also create custom dashboards by selecting individual queries to include:
Browse to Access Intelligence > Reports
Click + Create Report
Give the report a name and description.
For the Report Type, choose Query-Based
Under Collections, enable Dashboard Reports
Click Next
On the Queries tab:
Click + New Section to add a group of queries
Give the section a name
Click the Add Queries icon
In the query selection modal, click to add one or more queries to the section. You can search for queries by name or filter by integration, labels, or risk level.
Add more sections as needed, then click Create Report to save your changes
After saving a dashboard report, open Veza Dashboards > All Dashboards and click on the dashboard name to open it. After opening the dashboard, you can add the view to your favorites by clicking the star icon next to the report name.
Remediation
Viewing Conflicting Roles and Permissions
You can review conflicting roles and permissions in Query Builder using the Show [Destination Entities] option. This will display a unique row for each source -> destination relationship in the results, which you can compare to help identify the most appropriate remediation actions.
For example, if a user in the results has one role in Coupa and another role in Salesforce, the Query Builder will show a row for the User > Coupa Role relationship, and another row for the User > Salesforce Role relationship.
Use the Permissions column to see both the configured system-level permissions for applicable relationships, and the effective permissions generated by Veza.
Use the Destination columns to show any attributes Veza has discovered for the related role, resource, or other entity.
See Analyzing Separation of Duties Query Results for more information.
Mapping Mitigating Controls Per Query
When you assign a Risk Level to an SoD query, two built-in fields are available for documenting risk explanations and logging mitigating procedures and/or controls:
Risk Explanation: Use this field to explain the risk. To maintain a consistent style across SoD risks, you can begin with an "If" statement, for example:
If this conflict exists, an individual can enter a fictitious payment and reconcile the cash account, thus resulting in cash position manipulation.
Risk Remediation: Use this field to record mitigating procedures or controls for SoD risks. This might include the control ID or a brief description of the procedure or control.
These fields support markdown syntax for rich text formatting, including support for hyperlinks.
To add metadata to an SoD query, ensure the query is assigned a risk level, then complete the “Risk Remediation” and “Risk Explanation” fields. You can do this by editing or saving a query:
On the Separation of Duties overview page, click on a query to view details.
In the details view, click Edit.
In the Details > Risk Level section, choose a risk level: Low, Medium, High, or Critical.
Use the text boxes to enter the risk remediation or explanation text.
Click Save Query at the top right.
To see the explanation or remediation text, open an SoD query to show the details view.
Logging Notes at User Level
When a query is assigned a risk level, entities in the results can have additional notes for documenting mitigations and adding context at the user level. These can be useful for edge cases where a conflict is expected, or a unique mitigating procedure is in place.
You can add two types of notes when viewing risks in Veza:
Risk Notes: This is a free text note section. You can use this field to document the exact entitlement to remove, when remediation will take place, or if an issue is under investigation.
Suppression Reasons: After making an exception for a risk, use this field to document the justification for why this user is not a violation, or the mitigating procedures/controls that are specific to this user.
Use the Query Details > Risks tab to view and add annotations to individual users:
On the Risks tab, search for the entity where you want to add a note or mark an exception.
Expand the row actions menu to choose an action:
Mark Exception: Use this option to mark a risk as ignored ("suppressed"), and describe the reason. You can show or hide exceptions on the list of Risks using the Show Exceptions/Risks dropdown menu.
Add Note: Use this option to note if remediation is planned or record details about the specific violation.
Export Capabilities
You can download the results of SoD queries in CSV format for audits, reporting, and analysis. Query exports include:
A row for each user in the query results, including all attributes Veza has gathered or generated for the user.
Data source information such as the last extraction time.
(When exporting Risks) Risk metadata such as if the risk is marked as an exception (suppressed) and the risk assignee.
Veza supports bulk export and scheduled export for SoD queries, as well as support for exporting risk details for query results.
Bulk Export
Use the Separation of Duties overview tab to export the results of up to ten queries at a time:
Click the Export button above the list of queries.
Use the checkboxes on the left to select queries.
Click Export again to start the export.
Note that a unique CSV file is generated for each query.
Scheduled Export
To enable recurring exports via email or database integration for a single query:
Find a query on the Separation of Duties overview and choose Actions > Schedule Export.
On the Save Query screen, choose an export format (CSV by email, or a supported database).
Choose the days of the week and time of day to trigger exports.
Click Save Query.
See Exporting Saved Query Results to Snowflake for more details about exporting results in tabular format.
Export using the Query Details > Risks tab
For SoD queries assigned a risk level, you can export a detailed table of users, including risk metadata such as the assignee, notes, and exception status:
Click on an SoD query to view details.
Go to the Query Details > Risks tab.
Click the Export icon and choose CSV or PDF export.
The exported columns are Node ID, Risk, Risk Level, Query Name, Node Type, Exception, Time Triggered, Suppressed Reason, Owner Email, Notes.
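As an added example (not Veza's own code) of working with the Risks export described above: the column names are the ones listed on this page, while the sample rows, the "true"/"false" representation of Exception, the node types, the control id and the owner addresses are constructed assumptions. The checks pull out open risks per query and risk level, open risks with no assignee, and exceptions with no documented reason, which are the gaps an audit reviewer usually looks for first.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample export using the column names listed on the page. The cell
# values ("true"/"false" for Exception, node types, timestamps, CTRL-17) are assumptions.
SAMPLE_EXPORT = """\
Node ID,Risk,Risk Level,Query Name,Node Type,Exception,Time Triggered,Suppressed Reason,Owner Email,Notes
u-101,Vendor maintenance vs payment approval,high,AP Vendor/Payment Conflict,OktaUser,false,2024-05-01T09:00:00Z,,alice.admin@example.com,Remove Payment Approver by 2024-05-15
u-102,Vendor maintenance vs payment approval,high,AP Vendor/Payment Conflict,OktaUser,true,2024-05-01T09:00:00Z,Compensating control CTRL-17 (dual review),,
u-103,AP entry vs order administration,medium,Cross-App AP/Order Conflict,OktaUser,false,2024-05-02T09:00:00Z,,,
u-104,AP entry vs order administration,medium,Cross-App AP/Order Conflict,LocalUser,false,2024-05-02T09:00:00Z,,bob.owner@example.com,Under investigation
u-105,AP entry vs order administration,medium,Cross-App AP/Order Conflict,OktaUser,true,2024-05-02T09:00:00Z,,carol.owner@example.com,
"""

def load_risks(text: str) -> list:
    """Parse an export into one dict per row, keyed by the column headers."""
    return list(csv.DictReader(StringIO(text)))

def is_suppressed(row: dict) -> bool:
    """A row marked as an exception no longer counts as an open violation."""
    return row["Exception"].strip().lower() == "true"

def open_risks(rows: list) -> list:
    """Rows that still count as violations: everything not marked as an exception."""
    return [r for r in rows if not is_suppressed(r)]

def counts_by_query_and_level(rows: list) -> Counter:
    """Open-risk counts per (Query Name, Risk Level) for a status report."""
    return Counter((r["Query Name"], r["Risk Level"]) for r in open_risks(rows))

def unassigned(rows: list) -> list:
    """Open risks with no Owner Email, which remediation tracking should flag."""
    return [r["Node ID"] for r in open_risks(rows) if not r["Owner Email"].strip()]

def suppressed_without_reason(rows: list) -> list:
    """Exceptions that lack a Suppressed Reason: a gap in control evidence for auditors."""
    return [r["Node ID"] for r in rows if is_suppressed(r) and not r["Suppressed Reason"].strip()]
```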