You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. All conflicts must be resolved by the security administrator.

For each logged conflict, you can:

  • Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion.
  • Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field.
Complete the following procedure to view and resolve conflicts.


Standard procedure

1. Click Security management.
2. Click the Segregation of duties rules tab.
3. Sub-task: Deny assignment.
  3.1 In the Segregation of duties rules list, find and select the desired record.
  3.2 In the Conflicts list, find, select, and review a conflict.
  3.3 Click Deny assignment.
  3.4 In the Select the role to exclude the user from field, select an option.
  3.5 Click OK.
4. Sub-task: Allow assignment.
  4.1 In the Segregation of duties rules list, find and select the desired record.
  4.2 In the Conflicts list, find, select, and review a conflict.
  4.3 Click Allow assignment.
  4.4 In the Reason for override field, type a value.
  4.5 Click OK.

Provide feedback