Separation of Duties (SoD)

Ensure access integrity and eliminate toxic combinations with advanced Separation of Duties controls

Separation of Duties (SoD) is a fundamental security control that prevents fraud and errors by ensuring no single individual has conflicting access privileges. Veza's SoD capabilities enable you to safeguard critical business processes by distributing responsibilities among multiple users and meet regulatory requirements through robust internal controls.

Getting Started

Learn how to create and manage SoD detection queries to identify conflicting access across your systems.

Creating SoD Queries

Use the SoD Query Builder to define detection rules and explore example queries for common use cases.

Analyzing Results

Review query results, investigate conflicts, and track changes over time using dashboards and reports.

SoD Manager Assignment

Assign responsibility for SoD queries to one or more SoD managers for governance and oversight.

Access Reviews for SoD

Create 1-Step and on-demand access reviews directly from SoD queries for review and remediation.

Managing SoD Risks with Veza

Workflows and recommendations for working with SoD rulesets in Veza.

Overview

Veza provides queries for detecting SoD violations with a flexible interface for defining combinations of conflicting entitlements that map to your organization's SoD rules. These queries support:

  • A Separation of Duties overview page for reviewing all SoD queries, with filtering options including query name, risk level, SoD manager, platform (integration type), and labels.

  • Using Veza's Graph and Query Builder search interfaces to investigate risky users, with visibility into the organization, department, last login, access to other apps, and historical access patterns.

  • Easy-to-build and customizable Dashboards for tracking SoD violations and resolutions, monitoring progress, and reporting to stakeholders.

  • Continuous Rules and Alerts, with integrated service ticket creation for ServiceNow, Jira, or any target system using Veza Actions and webhooks.

  • Integrated Access Reviews for streamlined remediation using instant 1-Step reviews or recurring on-demand reviews triggered from SoD query results.

To use Veza to manage SoD risks, we recommend reviewing the out-of-the-box queries available for the integrations you have added to Veza, then using our SoD tool to add more policies into Veza depending on your needs.

Detection

Detecting SoD Violations and Cross-Platform SoD Conflicts

You can model your SoD rulesets in Veza by creating detection queries that search the Veza graph for users with conflicting roles or permissions.

To add a query, open the Separation of Duties overview and click New SoD Query. Use the Separation of Duties query builder to model each rule by:

  • Specifying the type of user the rule applies to (either an identity provider identity or local user account).

  • Creating AND/OR statements that define the conflicting permissions or roles across one or more target applications.

You can preview the results before saving the query. When saving the query, you should assign a risk level, add a brief description, risk explanation and document mitigating controls.

See Creating SoD Detection Queries for more information about the SoD query builder and syntax.

Setting Risk Levels for Separation of Duties (SoD) Queries

You can assign risk levels when saving a query, by editing the saved query, or using quick actions on the Separation of Duties landing page.

To change the risk level associated with a saved SoD query and add or update details:

  1. Find a query on the Separation of Duties overview and click to view details.

  2. In the details view, click Edit to open the Save Query dialog.

  3. On the Save Query > Details tab, click the Risk Level dropdown to set the risk level. Setting this criticality level to low, medium, high, or critical will mark the results of the query as risks and enable risk score generation.

  4. Use the Risk Explanation field to describe the SoD risk.

  5. Use the Risk Remediation field to document mitigating controls for the risk.

  6. Click Save Query at the top right after making your changes.

You can also quickly change a risk level directly from the Separation of Duties overview by locating the query, opening the Actions menu, and choosing Set Risk Level.

Using Labels to Organize SoD Queries

Queries created with Veza can have labels to organize them based on application, user type, or any other criteria.

You can add labels by editing a saved SoD query:

  1. Find a query on the Separation of Duties overview and click to view details.

  2. In the details view, click Edit to open the Save Query dialog.

  3. On the Save Query > Details tab, click the Labels dropdown to add one or more labels or start entering text to create a label.

  4. Click Save Query at the top right after making your changes.

Recommendations:

  • Apply a general label like separation_of_duties to generally identify all SoD rules.

  • Additionally, label the business process associated with each query, e.g., expenditure or revenue.

  • While you can label the data source (identity source or target applications) associated with an SoD query, Veza provides built-in filters for sorting by integration.

Setting Up Alerts and Automation

Administrators can configure alerts to trigger when a new user is detected with conflicting roles or permissions. Alerts can trigger email notifications, custom automations with webhooks, or use built-in integrations to create service tickets. Rules for SoD queries can be configured to trigger different actions at different levels of severity.

  1. On the Separation of Duties page, filter or search to find a query. Click Manage Rules from the actions menu to edit rules for the query.

  2. Click Add a new rule to open the rule builder:

  3. Give the rule a name and description, and set the severity level.

    1. You can configure escalating levels of rules to trigger different actions based on the severity level: High, Medium, or Low.

  4. Choose to trigger the rule based on the number of Query Results, or changes in Query Properties. Typically you will want to alert when the query results increase by more than one.

  5. Configure rule actions (optional): Check the box to deliver the alert via the selected Veza Action: email, webhook, ServiceNow, or Jira, or create a new Veza Action. The alert will include details about the query result that triggered the rule for remediation purposes.

  6. Click Next to optionally configure On-Demand Reviews when the results change.

  7. Click Save to close the rule builder.

  8. On the Save Query flow, add additional rules as desired.

  9. Click Save Query to save your changes.

You can review all configured rules for a query on the Separation of Duties page by clicking the query to open the Query Details > Rules tab. The Query Details > Alerts tab shows a log of events for each time a rule triggers.

See Rules and Alerts for more information about enabling conditional alerts to trigger automation and notifications when new violations are detected.

Continuous Monitoring

Query Result Details and Change Tracking

The Separation of Duties overview page indicates the last update time for each query and the user who modified the query. SoD queries updated via an API key indicate this with (via API) in the "last updated by" column. Review these regularly to ensure that SoD rules are not changed unless required.

Clicking a query to open the details view shows additional information about the user who created the query and the creation and last update timestamps.

Query Edit History

You can track when SoD queries were last updated using the Edit History sidebar in Query Details. This can provide historical context about who made changes and when they occurred.

To access the edit history:

  1. Open an SoD query to view details

  2. Choose View Edit History from the query actions

The edit history chronologically shows all changes to date, which can include the original query creation and any modifications to:

  • Query name, description, or labels

  • Risk levels, risk explanation, or risk remediation

  • SoD manager assignments

  • Changes to query visibility or query parameters

Creating Dashboards for Monitoring

  1. Create a report using Actions > Add to Report in the query details view, or go to Access Intelligence > Reports to create a new report.

  2. Add the report to the "Dashboard Reports" collection. Use labels or queries to build the report.

  3. Go to Veza Dashboards to view the report and add it to your favorites for easy access.

See below for steps to create a dynamic or query-based report with the Access Intelligence > Reports builder.

Create dynamic SoD dashboards with labels

If you have applied labels to your SoD queries, you can quickly create a dashboard for all queries with a matching label:

  1. Browse to Access Intelligence > Reports

  2. Click + Create Report

  3. Give the report a name and description

  4. For the Report Type, choose Dynamic

  5. Under Collections, ensure that Dashboard Reports is selected

  6. Click Next

  7. On the Queries tab, use the Labels dropdown to filter which SoD queries appear in the report.

  8. Click Create Report

Query-Based SoD Dashboards

You can also create custom dashboards by selecting the individual queries to include:

  1. Browse to Access Intelligence > Reports

  2. Click + Create Report

  3. Give the report a name and description.

  4. For the Report Type, choose Query-Based

  5. Under Collections, enable Dashboard Reports

  6. Click Next

  7. On the Queries tab:

    1. Click + New Section to add a group of queries

    2. Give the section a name

    3. Click the Add Queries icon

    4. In the query selection modal, click to add one or more queries to the section. You can search for queries by name or filter by integration, labels, or risk level.

  8. Add more sections as needed, then click Create Report to save your changes

After saving a dashboard report, open Veza Dashboards > All Dashboards and click on the dashboard name to open it. After opening the dashboard, you can add the view to your favorites by clicking the star icon next to the report name.

SoD Manager Assignment

You can assign a manager to an SoD query to distinguish between query creators and those responsible for managing SoD policies.

  • Any SoD query can have one or more managers assigned, for shared responsibility and continuous oversight.

  • You can add managers to one or more queries in bulk on the Separation of Duties overview page.

To assign SoD managers to queries:

  1. On the Separation of Duties overview, click the Assign SoD Manager button

  2. Select one or more queries using the checkboxes on the left

  3. In the assignment modal that appears, select one or more users by name or email to assign as managers

  4. Review your selections in the "Selected SoD managers" list

  5. Click Save to apply the assignments

Remediation

Viewing Conflicting Roles and Permissions

You can review conflicting roles and permissions in Query Builder using the Show [Destination Entities] option. This will display a unique row for each source -> destination relationship in the results, which you can compare to help identify the most appropriate remediation actions.

For example, if a user in the results has one role in Coupa and another role in Salesforce, the Query Builder will show a row for the User > Coupa Role relationship and another row for the User > Salesforce Role relationship.

  • Use the Permissions column to see both the configured system-level permissions for applicable relationships, and the effective permissions generated by Veza.

  • Use the Destination columns to show any attributes Veza has discovered for the related role, resource, or other entity.

See Analyzing Separation of Duties Query Results for more information.

Mapping Mitigating Controls Per Query

When you assign a Risk Level to an SoD query, two built-in fields are available for documenting risk explanations and logging mitigating procedures and/or controls:

  • Risk Explanation: Use this field to explain the risk. To maintain a consistent style across SoD risks, you can begin with an "If" statement, for example: If this conflict exists, an individual can enter a fictitious payment and reconcile the cash account, thus resulting in cash position manipulation.

  • Risk Remediation: Use this field to record mitigating procedures or controls for SoD risks. This might include the control ID or a brief description of the procedure or control.

These fields support markdown syntax for rich text formatting, including support for hyperlinks.

To add metadata to an SoD query, ensure the query is assigned a risk level, then complete the “Risk Remediation” and “Risk Explanation” fields. You can do this by editing or saving a query:

  1. On the Separation of Duties overview page, click on a query to view details.

  2. In the details view, click Edit.

  3. In the Details > Risk Level section, choose a risk level: Low, Medium, High, or Critical.

  4. Use the text boxes to enter the risk remediation or explanation text.

  5. Click Save Query at the top right.

To see the explanation or remediation text, open an SoD query to show the details view.

Logging Notes at User Level

When a query is assigned a risk level, entities in the results can have additional notes for documenting mitigations and adding context at the user level. These can be useful for edge cases where a conflict is expected, or a unique mitigating procedure is in place.

You can add two types of notes when viewing risks in Veza:

  • Risk Notes: This is a free text note section. You can use this field to document the exact entitlement to remove, when remediation will take place, or if an issue is under investigation.

  • Suppression Reasons: After making an exception for a risk, use this field to document why this user is not a violation, or the mitigating procedures or controls that are specific to this user.

Use the Query Details > Risks tab to view and add annotations to individual users:

  1. On the Risks tab, search for the entity where you want to add a note or mark an exception.

  2. Expand the row actions menu to choose an action:

    1. Mark Exception: Use this option to mark a risk as ignored ("suppressed"), and describe the reason. You can show or hide exceptions on the list of Risks using the Show Exceptions/Risks dropdown menu.

    2. Add Note: Use this option to note if remediation is planned or record details about the specific violation.

Export Capabilities

You can download the results of SoD queries in CSV format for audits, reporting, and analysis. Query exports include:

  • A row for each user in the query results, including all attributes Veza has gathered or generated for the user.

  • Data source information such as the last extraction time.

  • (When exporting Risks) Risk metadata such as if the risk is marked as an exception (suppressed) and the risk assignee.

Veza supports bulk export and scheduled export for SoD queries, as well as exporting risk details for query results.

Bulk Export

Use the Separation of Duties overview tab to export the results of up to ten queries at a time:

  1. Click the Export button above the list of queries.

  2. Use the checkboxes on the left to select queries.

  3. Click Export again to start the export.

Note that a unique CSV file is generated for each query.

Scheduled Export

To enable recurring exports via email or database integration for a single query:

  1. Find a query on the Separation of Duties overview and choose Actions > Schedule Export.

  2. On the Save Query screen, choose an export format (CSV by email, or a supported database).

  3. Choose the days of the week and time of day to trigger exports.

  4. Click Save Query.

See Exporting Saved Query Results to Snowflake for more details about exporting results in tabular format.

Export using the Query Details > Risks tab

For SoD queries assigned a risk level, you can export a detailed table of users, including risk metadata such as the assignee, notes, and exception status:

  1. Click on an SoD query to view details.

  2. Go to the Query Details > Risks tab.

  3. Click the Export icon and choose CSV or PDF export.

The exported columns are Node ID,Risk,Risk Level,Query Name,Node Type,Exception,Time Triggered,Suppressed Reason,Owner Email,Notes.
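The following is an added audit example, not Veza code: it parses a Risks-tab CSV with exactly the column names listed above and reports exceptions that have no Suppressed Reason and open risks with no owner. It assumes the Exception column holds true/false text and that blank cells mean "not set"; the sample rows are constructed.

```python
"""Audit helpers for the CSV exported from Query Details > Risks.
Added example, not Veza code. Assumptions: the Exception column holds
true/false text and blank cells mean 'not set'. The rows below are
constructed sample data using the documented column names."""
import csv
import io
from collections import defaultdict

# Constructed sample export (header copied from the documented column list).
SAMPLE_EXPORT = """\
Node ID,Risk,Risk Level,Query Name,Node Type,Exception,Time Triggered,Suppressed Reason,Owner Email,Notes
user-1001,Cash and AP conflict,Critical,Oracle: Cash and Accounts Payable,Oracle Fusion Cloud User,false,2024-05-01T10:00:00Z,,ap-lead@example.com,Removing Cash Manager role
user-1002,Cash and AP conflict,Critical,Oracle: Cash and Accounts Payable,Oracle Fusion Cloud User,true,2024-05-01T10:00:00Z,Compensating control CTL-17 (dual approval on payments),ap-lead@example.com,
user-2001,S3 delete and Salesforce,High,Okta: S3 delete and Salesforce,Okta User,true,2024-05-02T09:30:00Z,,,
user-2002,S3 delete and Salesforce,High,Okta: S3 delete and Salesforce,Okta User,false,2024-05-02T09:30:00Z,,,
"""

# Assumed spellings of a set Exception flag; adjust to match a real export.
TRUE_VALUES = {"true", "yes", "1"}


def parse_risk_export(text: str) -> list:
    """Parse the export into dicts keyed by header name, stripping each cell."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def is_exception(row: dict) -> bool:
    """True when the row was marked as an exception (suppressed)."""
    return row["Exception"].lower() in TRUE_VALUES


def summarize_by_query(rows: list) -> dict:
    """Count open vs suppressed risks per (Query Name, Risk Level)."""
    summary = defaultdict(lambda: {"open": 0, "suppressed": 0})
    for row in rows:
        key = (row["Query Name"], row["Risk Level"])
        summary[key]["suppressed" if is_exception(row) else "open"] += 1
    return dict(summary)


def unjustified_exceptions(rows: list) -> list:
    """Node IDs suppressed without a Suppressed Reason: an auditor cannot
    tell why the conflict was accepted."""
    return [r["Node ID"] for r in rows
            if is_exception(r) and not r["Suppressed Reason"]]


def unassigned_open_risks(rows: list) -> list:
    """Node IDs of open (not suppressed) risks with nobody in Owner Email."""
    return [r["Node ID"] for r in rows
            if not is_exception(r) and not r["Owner Email"]]


if __name__ == "__main__":
    rows = parse_risk_export(SAMPLE_EXPORT)
    for key, counts in summarize_by_query(rows).items():
        print(key, counts)
    print("exceptions without reason:", unjustified_exceptions(rows))
    print("open risks without owner:", unassigned_open_risks(rows))
```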

Analyzing Separation of Duties Query Results

How to use the query details view, saved queries overview, and full query builder to review and explore SoD risks.

Working with SoD Rulesets

You can use the Separation of Duties overview page to view queries and add new ones.

To manage and edit Separation of Duties queries:

  • On the main Veza navigation, open the Separation of Duties overview page.

  • Use the overview to review all queries created using the Separation of Duties query builder. To find built-in queries, filter by the Separation of Duty label.

  • Expand the action menu (⠇) to the right of each row to choose an action:

    • View query details: See configured rules, alerts, reports, and an overview of the results.

    • Open in Analysis: Open the query to edit conditions on the Separation of Duties (SoD) page.

    • View Trend Chart: Save a visualization of the changes over a selected time.

    • Clone Query: Make a copy of the SoD query for further editing.

    • Delete Query: Delete the query.

    • Manage Rules: Configure rules to trigger alerts and run Veza Actions.

    • Schedule Export (Early Access): Export the current results from Veza to an external database.

    • Set Risk Level: Set whether query results are considered low, medium, high, or critical risks.

Query Details View

Clicking on a query on the Separation of Duties overview opens the full details view, including a simplified table of the current results and a trend chart showing changes over time. The details view shows all individual users in the query results, with the option to show or hide columns displaying each user attribute.

Switch between tabs in the Details view to review information about the query:

  • Results: Use this tab to visualize trends over time, review query metadata, and inspect the current query results and their attributes using a simplified table view. You can also open the search in Query Builder or Graph for further analysis.

  • Rules: Use this page to quickly review, add, and delete any rules configured for the query.

Inspecting Conflicting Roles and Permissions in Query Builder

Opening a Separation of Duties query in the Access Intelligence Query Builder shows more details about each user in violation of the SoD rule.

While the Query Details view is intended to provide a quick overview of results, the full Query Builder can provide additional insight into the conflicting roles to help identify the appropriate remediation steps.

By default, opening an SoD query in Query Builder lists all users in the results, with one row for each user.

You can alter the query to return a row for each unique user-to-destination relationship. When Show [Destination Entities] is enabled, the results include the permissions, roles and resources triggering the SoD violation.

Using the Show Summary Entities option, you can get additional visibility into hierarchical groups, roles, or other access controls that enable the access described in a row. See Intermediate Entities for more details about inspecting authorization paths in Query Builder.

Example Separation of Duties Queries

Note: SoD queries should be based on your actual environment, configuration, and roles. These are examples and not necessarily indicative of actual access.

Veza provides a way to write SoD queries that encompass multiple platforms, e.g., rules involving both NetSuite and Coupa roles. Queries for SoD controls can be:

  • Single Application: Queries within a single application. For example, a user with the “approver” role cannot also be a “submitter” on Zendesk.

  • Multi-dimensional: Queries spanning applications. For example, an “approver” in Coupa cannot also be a “submitter” in Zendesk.

See the following examples for queries involving different types of applications:

Oracle Fusion Cloud

In this conflict involving Oracle Fusion roles, an individual can enter a fictitious payment and reconcile the cash account, resulting in cash position manipulation:

  • Source Entity Type: Oracle Fusion Cloud User

    • Related to Oracle Fusion Cloud Role: "Accounts Payable Payment Supervisor" OR "Accounts Payable Manager"

    • (AND) Has relation to Oracle Fusion Cloud Role: "Cash Manager"

Workday

In this conflict, a user could modify compensation data and reconcile payroll records, potentially concealing unauthorized changes:

  • Source Entity Type: Workday Account

    • Related to Workday Domain Security Policy “Access Compensation Basis” OR “Add Compensation Plans”

    • (AND) Has relation to Workday Domain Security Policy "Manage: Global Payroll Reconciliation"

Okta, Salesforce, and AWS

This query detects identities with access to Salesforce who can also delete critical S3 storage infrastructure:

  • Source Entity Type: Okta User

    • Related to (Any) S3 Bucket with s3:DeleteBucket permission

    • (AND) Has relation to (Any) Salesforce User

GitHub

Here is a simple SoD conflict for GitHub, requiring that Personal Accounts in a GitHub organization can’t be assigned to either the developers or qa team, and also be admins:

  • Source Entity Type: GitHub User

    • Related to GitHub Team: "developers" OR "qa"

    • (AND) Related to GitHub Team: "admins"

Okta, Snowflake, and ServiceNow

Here is a more complex query involving Okta User assignments to applications, and their access to data in Snowflake. In it, users assigned to Salesforce and ServiceNow can’t also have permissions on the ACCESS schema in Snowflake, or any write permission on the AUDITLOG_RESULTS table:

  • Source Entity Type: Okta User

    • First Condition (either):

      • Has relation to Okta App: Salesforce.com OR

      • Has relation to Okta App: ServiceNow UD

    • AND Second Condition (either):

      • Has relation to Snowflake Schema: ACCESS (Any Permissions) OR

      • Has relation to Snowflake Table: AUDITLOG_RESULTS (Metadata Write)

Creating SoD Detection Queries

How to use the Separation of Duties Query Builder to create new detection queries.

Overview

Use the Separation of Duties query builder to detect SoD conflicts, and save searches to create customized SoD rulesets in Veza. The SoD query interface provides a streamlined version of the Access Intelligence Query Builder, with special support for defining SoD violations with AND and OR statements.

For each query, you will need to:

  • Define the type of user the rule applies to (either an identity provider identity or a local user account).

  • Identify the conflicting roles or permissions across one or more target applications by specifying each destination entity type, and the roles or permissions that represent an SoD conflict.

Click Run to view the current results or Open in Query Builder for more details. Click Edit and Save to assign a risk level, and add risk explanation and remediation details. You can optionally add rules, schedule exports, or add the query to reports while saving it.

Using the SoD Query Builder

To define a conflict, use the builder to create groups of access conditions using logical AND or OR operators. Each condition describes a relationship between the source and a destination entity type.

For example:

  • A user with Role A, Role B, or Role C is in conflict if they are also assigned Role D or Role E:

    • The query conditions would be (Role A OR Role B OR Role C) AND (Role D OR Role E).

  • If a user is in conflict when they can delete AWS S3 Buckets and also access Salesforce:

    • The query conditions would be (Any Salesforce User) AND (Any S3 Bucket with s3:DeleteBucket permission)

You can add many groups of conditions to the query, and each condition can apply to a different destination application.
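To make the AND/OR grouping concrete, here is a toy evaluator written for this page (not Veza code) that applies the builder's condition model, groups joined with AND and conditions within a group joined with OR, to constructed entitlement records. The two rules encoded are the Oracle Fusion and Okta/S3/Salesforce examples above; user names, bucket names and entitlement records are constructed sample data.

```python
"""Toy evaluator for the SoD query builder's condition model. Added example,
not Veza code: the entitlement records, entity names and permission strings
below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Relationship:
    """One user -> destination relationship as the graph would hold it."""
    entity_type: str
    name: str
    permissions: frozenset = frozenset()


@dataclass(frozen=True)
class Condition:
    """One builder condition: a related entity type, an optional entity name
    (None means any entity of that type) and an optional permission filter."""
    entity_type: str
    name: Optional[str] = None
    permission: Optional[str] = None

    def matches(self, rel: Relationship) -> bool:
        if rel.entity_type != self.entity_type:
            return False
        if self.name is not None and rel.name != self.name:
            return False
        if self.permission is not None and self.permission not in rel.permissions:
            return False
        return True


@dataclass(frozen=True)
class SodRule:
    """Groups are joined with AND; conditions inside a group with OR, so
    groups=((A, B, C), (D, E)) means (A OR B OR C) AND (D OR E)."""
    name: str
    source_type: str
    groups: tuple  # tuple of tuples of Condition


def violations(rule: SodRule, users: dict) -> dict:
    """Return {user: [relationships that satisfied the rule]} for every user
    of the rule's source type matching at least one condition in EVERY group.
    The relationship list is what "Show [Destination Entities]" expands into
    one row per user -> destination."""
    hits = {}
    for user, (user_type, rels) in users.items():
        if user_type != rule.source_type:
            continue
        matched = []
        for group in rule.groups:
            group_hits = [r for r in rels if any(c.matches(r) for c in group)]
            if not group_hits:  # one unsatisfied AND group clears the user
                break
            matched.extend(group_hits)
        else:
            hits[user] = matched
    return hits


def destination_rows(rule: SodRule, users: dict) -> list:
    """Flatten violations into sorted (user, entity type, entity name) rows,
    the view used to decide which entitlement to remove."""
    return sorted((u, r.entity_type, r.name)
                  for u, rels in violations(rule, users).items() for r in rels)


# The two example rules from this page, written in the groups notation.
ORACLE_CASH_RULE = SodRule(
    "Oracle: Cash and Accounts Payable", "Oracle Fusion Cloud User",
    ((Condition("Oracle Fusion Cloud Role", "Accounts Payable Payment Supervisor"),
      Condition("Oracle Fusion Cloud Role", "Accounts Payable Manager")),
     (Condition("Oracle Fusion Cloud Role", "Cash Manager"),)))

OKTA_S3_SALESFORCE_RULE = SodRule(
    "Okta: S3 delete and Salesforce", "Okta User",
    ((Condition("S3 Bucket", permission="s3:DeleteBucket"),),   # any bucket
     (Condition("Salesforce User"),)))                          # any SF user

# Constructed sample entitlements: user -> (source entity type, relationships).
SAMPLE_USERS = {
    "alice": ("Oracle Fusion Cloud User", [
        Relationship("Oracle Fusion Cloud Role", "Accounts Payable Manager"),
        Relationship("Oracle Fusion Cloud Role", "Cash Manager")]),
    "bob": ("Oracle Fusion Cloud User", [
        Relationship("Oracle Fusion Cloud Role", "Accounts Payable Manager")]),
    "carol": ("Okta User", [
        Relationship("S3 Bucket", "finance-archive",
                     frozenset({"s3:DeleteBucket", "s3:GetObject"})),
        Relationship("Salesforce User", "carol@example.com")]),
    "dave": ("Okta User", [
        Relationship("S3 Bucket", "finance-archive", frozenset({"s3:GetObject"})),
        Relationship("Salesforce User", "dave@example.com")]),
}

if __name__ == "__main__":
    for rule in (ORACLE_CASH_RULE, OKTA_S3_SALESFORCE_RULE):
        print(rule.name)
        for row in destination_rows(rule, SAMPLE_USERS):
            print("  ", row)
```

Bob and Dave satisfy only one group each and so do not appear, which is the point of the AND between groups.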

To create an SoD query:

  1. Go to the Separation of Duties page.

  2. Click + New SoD Query

  3. From the Select User Type dropdown menu, select the user type the SoD risk applies to, for example, Azure AD User or Snowflake Local User.

  4. Use the condition builder to define the relationships that constitute a violation of separation of duties.

    For each condition, select a related entity type (e.g., Oracle Fusion Role, Workday Domain Security, S3 Bucket), and optionally a specific entity of that type (e.g., a role, permission, or local user):

    • Add conditions by clicking the + And button and + Or buttons to describe the SoD violation.

    • For each condition, choose the related Entity Type (e.g., “Workday Domain Security Policy”) and expand the Select Entity Name dropdown to search for a single entity (e.g., “Process: Expense Reports”).

      When an optional name is not provided, the condition applies to any entity of the chosen type. A condition can describe a single role assignment or table, or access to ANY roles or resources of the chosen type.

    • For some entities, such as AWS S3 Buckets or database tables, you can choose a Permission Type to filter by system-level permissions, or filter by effective permissions the user has on the resource.

  5. Review the query logic: The query output section below the conditions describes the logic for identifying the SoD violation. Refer to this description to verify that the query correctly represents the rule’s intent.

  6. Click Run to preview the potential violations based on current data.

  7. Customize the display output for more information about the results. You can focus on the most important attributes by using the column selection menu to hide or show columns.

  8. Click Edit and Save to finalize your changes. While saving the query, you can:

    • Give it a name, description, label, and risk level, and set whether it is public or private.

      1. Use the query name to briefly identify the system and risk (e.g. Oracle: Cash and Accounts Payable)

      2. Add a risk level to enable the Risk Remediation and Risk Explanation fields for additional logging and notes.

SoD Manager Assignment

Assign and manage responsibility for Separation of Duties queries.

Overview

Separation of Duties queries can have both a creator and one or more managers responsible for actual policy enforcement. You can view and manage these users on the Separation of Duties overview page.

Manager assignments support:

  • Multiple Users per Query: You can assign more than one SoD manager to each query for shared responsibility and continuous oversight.

  • Bulk Operations: You can select multiple SoD queries and assign one or more managers to all queries, and combine bulk actions with filters for faster administration.

You can view the current SoD managers on the Separation of Duties overview. To focus on specific users, use the table controls to sort or filter by the "SOD MANAGERS" column.

Changes to SoD managers are also shown as "Edit" events in the Query Details > Edit History sidebar.

Guidelines and Best Practices for SoD Management

Typically, a query creator is the person who initially defined the SoD query, while the SoD manager is responsible for oversight of the SoD policy represented by the query.

When assigning SoD managers, consider the following best practices:

  • Assign managers who understand and are responsible for the business process and security implications of the SoD policy

  • Consider assigning multiple managers to ensure coverage during absences

  • Review manager assignments periodically to ensure they remain appropriate as organizational roles change

  • For SoD policies that involve multiple teams or applications, consider assigning managers from different teams to provide additional perspectives

Notes on Terminology:

  • The term "SoD Manager" replaces "Query Owner" in the SoD UI, to distinguish between the query creators and those responsible for managing SoD policies.

  • SoD managers are different from the risk assignees who will remediate individual risks in SoD query results.

Assigning SoD Managers

To assign SoD managers to queries:

  1. On the Separation of Duties overview, click the Assign SoD Manager button

  2. Pick one or more queries using the checkboxes on the left

  3. In the assignment modal that appears, search for users by name or email to assign as managers

  4. Review your selections in the list of "Selected SoD managers"

  5. Click Save to apply the assignments

Access Reviews for SoD

Create and manage access reviews directly from Separation of Duties queries.

Overview

Veza supports creating access reviews directly from Separation of Duties (SoD) queries. This can enable a streamlined sign-off and remediation process when users with conflicting entitlements are detected. There are two primary methods for integrating SoD with Veza Access Reviews:

  • 1-Step Access Reviews: Create an immediate review of current SoD query results

  • On-demand Access Reviews: Create reviews on a recurring schedule or whenever SoD results change

Both options provide ways to assign SoD conflicts to the appropriate reviewers for approval, rejection, and remediation. User access reviews can be used as documentation to capture the review of SoD results.

1-Step Access Reviews

Use the 1-Step review creation workflow to create an access review with the latest query results. This is ideal for quickly acting on conflicting users, without creating a full configuration for on-demand or scheduled reviews.

For any saved query in Veza, you can open the query to view details, and expand the ⠇ menu in the top right corner to view query actions. Choose the Launch Access Review option to create a review using the 1-step builder.

You can also launch an access review directly from the Separation of Duties overview page:

  1. Open the Separation of Duties page and locate the query you want to review

  2. Open the "Actions" dropdown menu and select "Launch Access Review"

  3. Configure the review:

    • Review name: Enter a descriptive name for the review

    • Due date: Set the deadline for review completion

    • Reviewers: Assign default reviewers for all rows

    • Auto-assign reviewers: Optionally enable automatic assignment based on Veza metadata

    • Fallback reviewers: Specify reviewers to use when auto-assignment fails

    • Access Intelligence: Enable display of risk scores and levels in the reviewer interface

  4. Choose to either:

    • Create and Publish: Make the review immediately available to assigned reviewers

    • Create: Save a draft review to preview and customize before publishing

After creation, you can manage the review through the Access Reviews interface. If created as a draft, you can make further adjustments to the review before publishing it and notifying reviewers.

On-demand Access Reviews

On-demand reviews can be triggered by rule conditions when SoD query results change, for example when new conflicts are detected or when the total number of conflicts (the query results) exceeds a threshold. On-demand reviews use alert rules to initiate reviews and auto-assign reviewers based on an existing review configuration, using the query results at the time the rule fires.

To enable on-demand reviews:

  1. On the Separation of Duties overview page, locate the SoD query for on-demand reviews

  2. Open the "Actions" dropdown menu and select "Manage Rules"

  3. Click "Add a new Rule" to open the rule builder

  4. Configure the rule:

    • Name and describe the rule

    • Set the severity level

    • Define trigger conditions (e.g., results increase by more than one)

  5. As the Action, choose "Create Review"

  6. Configure the on-demand review plan:

    • Select a review configuration for the SoD query

    • Set the review duration

    • Specify reviewer assignment options, if available

    • Configure any review intelligence rules

  7. Save the rule, and click "Save Query" to finalize the changes

When the rule conditions are met, Veza will automatically create a new access review with the specified settings, and notify the assigned reviewers.

Scheduling Reviews

To conduct recurring reviews on a schedule, you will first need to create a review configuration. You can create a review configuration using the SoD query, and then enable scheduled reviews for that configuration.

  1. On the Access Reviews > Configurations page, find the new configuration and choose Actions > Create Schedule

  2. Set the Duration of created reviews

  3. Choose the Frequency: Weekly, Biweekly, Monthly, Every other Month, or Quarterly

  4. Choose a Start Date for the schedule

  5. Choose the days of the week, time of day, and time zone to create reviews

  6. Assign default reviewers

  7. Save the schedule

Managing Reviews

All reviews created from SoD queries, whether 1-Step or on-demand, are managed through the Access Reviews interface. From there, operators can:

  • Monitor review progress

  • Modify reviewer assignments if needed

  • Send reminders to reviewers

  • View decision history

  • Export review results

Integration with Access Reviews Features

Reviews generated from SoD queries support all standard Access Reviews features, including:

  • Email notifications and Digest Emails for assignments and reminders

  • Multi-level approval workflows

  • Resource owner assignments

  • Integration with identity providers for reviewer auto-assignment

Each SoD query can be assigned a risk level for organizing your SoD queries by criticality. When a risk level is assigned to a query, users in the results are assigned a risk score based on the total number and risk levels of the rules they violate.

Creation and modification dates in Query Details view

The edit history will also indicate if changes were made via API (using a Veza API key).

While the Separation of Duties overview page offers quick visibility into the status of all your SoD queries, you can use Reports to group and track specific queries, and add reports to Dashboards to get immediate visibility into trends and top risks and to share views with team members.

For more details on SoD manager assignment and best practices, see SoD Manager Assignment.

Risks: If the query has a risk level, you can use this tab to get detailed information about when new violations were detected, delegate risk assignees, and add notes.

Alerts: If Alert Rules are enabled for the query, events for triggered alerts are listed here. If webhooks are configured for automation, you can use this page to review the action status and any error message.

Reports: Use this page to check whether the query is included in Reports or Dashboards, with options to open or clone any report.

This document includes steps for Using the SoD Query Builder. See Example SoD Queries for different types of SoD risks.

Separation of Duties queries typically search for users with relationships to two or more sets of conflicting roles/permissions, but they can also be defined in terms of a user's effective access to data resources, local user accounts, and/or role or group assignments. The search can include any Entity Type from integrations added to Veza.

Add optional Alert Rules by defining conditions, and actions to trigger email notifications or Veza Actions at different levels of severity.

You can create Alert Rules to trigger when new conflicts are detected.

Add the query to Reports, and choose the report sections the query will appear in.

To include the query in Dashboards, add it to the “Dashboard Reports” report collection.

Schedule export of the results to an integrated Snowflake database or email recipient.

After saving an SoD query, you can create a 1-Step Access Review directly from the query using the Actions menu. This will create a new review using the latest results.

To enable recurring reviews on a schedule, save a review configuration using the SoD query builder, and Create a Schedule for the configuration.

Note that users need the Administrator or Operator root team role to create Access Reviews.

Second-level Reviewers: Optionally require multi-level approval, if applicable

Create a Review Configuration. Choose to use a saved query to define the review scope, select your SoD query, and save the configuration.

See On-Demand Reviews for more information about using alerts and rule conditions to create access reviews.

Create a Review Configuration. Choose to use a saved query to define the review scope, select your SoD query, and save the configuration.

See Schedule an Access Review for more details.

See the Access Reviews documentation for more information on managing reviews, including reviewer assignment, decision-making workflows, and reporting capabilities.
A typical SoD query structure, as described above (condition groups are combined with AND, and any condition within a group satisfies that group):

  User RELATES TO
  [(Access Condition 1) OR (Access Condition 2) OR (Access Condition 3)]
  AND
  [(Access Condition 3) OR (Access Condition 4)]
  AND
  (Access Condition 5)
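To make that AND-of-OR structure concrete, the following is an added Python example (it is not Veza's code or query engine) that evaluates rules of that shape over a constructed set of user entitlements, derives a per-user risk score from the number and risk levels of the rules violated (as the Query Details notes describe), and applies the "results increase by more than one" trigger condition used for on-demand reviews. The rule names, entitlement strings, user names, and the risk-weight scale are all assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    """One SoD rule in the page's shape: condition groups are AND-ed, and a
    user satisfies a group by relating to ANY entitlement listed in it."""
    name: str
    groups: tuple[frozenset[str], ...]
    risk_level: str  # assumed scale: low / medium / high / critical


# Assumed weights: the page says a user's score depends on the number and
# risk levels of the rules they violate but gives no scale; this is a stand-in.
RISK_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def violates(rule: SodRule, entitlements: frozenset[str]) -> bool:
    """True when the user holds at least one entitlement from EVERY group."""
    return all(group & entitlements for group in rule.groups)


def evaluate(rules: tuple[SodRule, ...], access: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return {user: [violated rule names]} for each user with one or more
    violations; `access` maps a user to the entitlements they relate to."""
    hits: dict[str, list[str]] = {}
    for user, entitlements in sorted(access.items()):
        names = [r.name for r in rules if violates(r, frozenset(entitlements))]
        if names:
            hits[user] = names
    return hits


def risk_score(rules: tuple[SodRule, ...], violated_names: list[str]) -> int:
    """Score = sum of the weights of violated rules, so both the count and the
    level of the rules a user violates raise the score."""
    by_name = {r.name: r for r in rules}
    return sum(RISK_WEIGHT[by_name[n].risk_level] for n in violated_names)


def rule_fires(previous_count: int, current_count: int, min_increase: int = 1) -> bool:
    """The page's example trigger condition: 'results increase by more than one'.
    Compares the result count of the previous run with the current run."""
    return current_count - previous_count > min_increase


# Constructed sample rules (not from the page): a two-group payments rule, a
# two-group deploy rule, and a three-group rule whose first group is an OR.
RULES: tuple[SodRule, ...] = (
    SodRule(
        "Create vendor AND approve or release payment",
        (frozenset({"erp:create_vendor"}),
         frozenset({"erp:approve_payment", "erp:release_payment"})),
        "high",
    ),
    SodRule(
        "Push to repository AND deploy to production",
        (frozenset({"github:push"}), frozenset({"aws:deploy_prod"})),
        "medium",
    ),
    SodRule(
        "Cloud admin AND read audit trail AND delete audit trail",
        (frozenset({"okta:super_admin", "aws:admin"}),
         frozenset({"aws:cloudtrail_read"}),
         frozenset({"aws:cloudtrail_delete"})),
        "critical",
    ),
)

# Constructed sample access: user -> entitlements the user RELATES TO.
ACCESS: dict[str, set[str]] = {
    "alice": {"erp:create_vendor", "erp:release_payment"},       # violates rule 1
    "bob": {"erp:create_vendor", "erp:view_payment"},            # second group unmet
    "carol": {"github:push", "aws:deploy_prod", "aws:admin",
              "aws:cloudtrail_read", "aws:cloudtrail_delete"},   # violates rules 2 and 3
    "dave": {"aws:admin", "aws:cloudtrail_read"},                # third group unmet
}


if __name__ == "__main__":
    hits = evaluate(RULES, ACCESS)
    for user, names in hits.items():
        print(f"{user}: score={risk_score(RULES, names)} rules={names}")
    # Suppose the previous run returned no conflicting users; two now, so it fires.
    print("on-demand review triggered:", rule_fires(0, len(hits)))
```

Only alice and carol satisfy every group of some rule; bob and dave each miss one group and so are not conflicts, which is the point of the AND between groups. Carol's score exceeds alice's because she violates two rules, one of them critical, mirroring how a risk score aggregates both count and level.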
Screenshot captions from this document (images not included):

  • Information about query changes on the SoD overview page

  • SoD risks in Query Builder

  • Risk explanation and remediation in Query Details view

  • Separation of Duties query actions

  • By default, SoD queries return a list of "source" entities; after enabling destinations, the results represent source and destination pairs

  • Separation of duties risks in Oracle Fusion

  • Separation of duties risks in Workday

  • Multi-platform risk for Okta, Salesforce, and AWS

  • Separation of Duties for GitHub

  • Multi-dimensional separation of duties

  • SoD overview with Assign SoD Manager button

  • Select queries using checkboxes

  • Assignment modal for selecting managers

  • Launch Access Review from SoD overview actions menu

  • Launch Access Review configuration options

  • Managing rules for on-demand reviews

  • Adding an alert rule

  • On-demand review configuration interface