How to use. Each card contains a JSON body that pastes directly into the SoD Rules editor (governance › Rules & policies → SoD Rules → New rule). The DSL uses app/core/attribute_path.py:evaluate_filter — same operators as workflow trigger filters.

Banking / fintech

critical · Vendor master vs payment release (4-eyes)

banking · fintech · SOX · Classic 4-eyes for vendor payments. Same person creating a vendor + releasing a payment = textbook fraud risk.

{ "business_id": "sod-vendor-payment-4eyes", "label": "Vendor master vs payment release", "severity": "critical", "auto_action": "flag_only", "condition_a": { "path": "entitlement.business_id", "op": "in", "value": ["sap-vendor-master-edit", "sap-vendor-create"] }, "condition_b": { "path": "entitlement.business_id", "op": "in", "value": ["sap-payment-release", "sap-bank-transfer-approve"] } }

critical · Loan origination vs loan approval

banking · FFIEC · BSA-mandated separation. Originator submitting a loan they approve themselves = self-dealing exposure.

{ "business_id": "sod-loan-origination-approval", "label": "Loan origination vs loan approval", "severity": "critical", "auto_action": "flag_only", "condition_a": { "path": "entitlement.attributes.process_step", "op": "eq", "value": "loan_origination" }, "condition_b": { "path": "entitlement.attributes.process_step", "op": "eq", "value": "loan_approval" } }

warning · Trader vs back-office settlement

capital markets · MiFID II · MiFID II separation. Trader who can also settle their own trades = market-manipulation vector.

{ "business_id": "sod-trader-settlement", "label": "Trader vs back-office settlement", "severity": "warning", "condition_a": { "path": "entitlement.attributes.team", "op": "eq", "value": "trading" }, "condition_b": { "path": "entitlement.attributes.team", "op": "eq", "value": "settlements" } }

Healthcare / life sciences

critical · Patient record read vs prescription edit

healthcare · HIPAA · HIPAA-flagged separation. A user who can both read patient records and modify prescriptions creates an audit-trail integrity risk.

{ "business_id": "sod-patient-prescription", "label": "Patient record read vs prescription edit", "severity": "critical", "auto_action": "flag_only", "condition_a": { "path": "entitlement.attributes.data_class", "op": "eq", "value": "PHI" }, "condition_b": { "path": "entitlement.business_id", "op": "in", "value": ["epic-rx-edit", "cerner-rx-edit"] } }

warning · Clinical trial protocol vs data integrity

life sciences · FDA 21 CFR Part 11 · Same individual amending protocol AND modifying trial data = FDA 21 CFR Part 11 violation.

{ "business_id": "sod-trial-protocol-data", "label": "Clinical trial protocol vs data integrity", "severity": "warning", "condition_a": { "path": "entitlement.business_id", "op": "eq", "value": "ctms-protocol-edit" }, "condition_b": { "path": "entitlement.business_id", "op": "eq", "value": "edc-trial-data-edit" } }

IT & security

critical · Production deploy vs production audit

tech · SOX · SOC2 · Engineer who can deploy AND review their own deploy logs = unaccountable changes. SOX general-IT control.

{ "business_id": "sod-prod-deploy-audit", "label": "Production deploy vs production audit", "severity": "critical", "condition_a": { "path": "entitlement.attributes.environment", "op": "eq", "value": "prod" }, "condition_b": { "path": "entitlement.attributes.action", "op": "in", "value": ["audit_log_read", "audit_log_purge"] } }

warning · Domain admin vs SIEM admin

security · Same person has AD/Entra Global Admin + SIEM admin = they can both create backdoor accounts AND silence the alerts that would catch it.

{ "business_id": "sod-domain-siem-admin", "label": "Domain admin vs SIEM admin", "severity": "warning", "condition_a": { "path": "entitlement.business_id", "op": "in", "value": ["entra-global-admin", "ad-domain-admin"] }, "condition_b": { "path": "entitlement.attributes.system", "op": "eq", "value": "siem" } }

Retail / e-commerce

warning · Product master vs price edit

retail · Same person creating products and setting prices = margin-skim risk on mass-market SKUs.

{ "business_id": "sod-product-price", "label": "Product master vs price edit", "severity": "warning", "condition_a": { "path": "entitlement.attributes.module", "op": "eq", "value": "product_master" }, "condition_b": { "path": "entitlement.attributes.module", "op": "eq", "value": "price_management" } }

How to ship to a tenant

  1. Frontend: governance › Rules & policies → SoD Rules → New rule
  2. Paste the JSON body in the editor
  3. Click Dry-run to preview matching violations BEFORE saving
  4. If dry-run looks reasonable: Save — detector runs on next 6h sweep (or trigger manually)
  5. Violations appear in the Advisor inbox + drive sod_violation_* risk-score components

Always run Dry-run first. SoD rules with empty condition_a or condition_b are rejected at save (would match every identity). Big tenant + sloppy rule = inbox-flood.
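The filter DSL named in the "How to use" line and the empty-condition rejection described above, as an added example in Python (not the product's own code and not app/core/attribute_path.py:evaluate_filter): a simplified evaluator that dry-runs the "Domain admin vs SIEM admin" card against constructed identities. The sample identities, the "splunk-admin" entitlement id and the violation semantics (one entitlement matching condition_a plus one matching condition_b) are assumptions.

```python
# Added example, not the product's own code: a simplified stand-in for the SoD filter DSL
# above (the real evaluator is app/core/attribute_path.py:evaluate_filter). Assumed semantics:
# an identity violates a rule when one entitlement matches condition_a AND one matches condition_b.

OPS = {"eq": lambda actual, expected: actual == expected, "in": lambda actual, expected: actual in expected}

def resolve_path(root: dict, path: str):
    """Walk a dotted path such as 'entitlement.attributes.system'; a missing key yields None."""
    cur = root
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def evaluate_condition(cond: dict, entitlement: dict) -> bool:
    """Apply one {path, op, value} filter to a single entitlement record."""
    actual = resolve_path({"entitlement": entitlement}, cond["path"])
    return OPS[cond["op"]](actual, cond["value"])

def validate_rule(rule: dict) -> None:
    """Mirror the save-time check: an empty condition would match every identity."""
    for key in ("condition_a", "condition_b"):
        if not rule.get(key):
            raise ValueError(f"{rule['business_id']}: {key} is empty")

def dry_run(rule: dict, identities: dict) -> list:
    """Return ids of identities holding both an A-side and a B-side entitlement."""
    validate_rule(rule)
    hits = []
    for identity_id, ents in identities.items():
        side_a = any(evaluate_condition(rule["condition_a"], e) for e in ents)
        side_b = any(evaluate_condition(rule["condition_b"], e) for e in ents)
        if side_a and side_b:
            hits.append(identity_id)
    return sorted(hits)

# Conditions copied from the 'Domain admin vs SIEM admin' card above.
DOMAIN_SIEM_RULE = {
    "business_id": "sod-domain-siem-admin", "severity": "warning",
    "condition_a": {"path": "entitlement.business_id", "op": "in",
                    "value": ["entra-global-admin", "ad-domain-admin"]},
    "condition_b": {"path": "entitlement.attributes.system", "op": "eq", "value": "siem"},
}
# Constructed sample identities (not real tenant data); only alice holds the toxic pair.
SAMPLE_IDENTITIES = {
    "alice": [{"business_id": "entra-global-admin", "attributes": {"system": "entra"}},
              {"business_id": "splunk-admin", "attributes": {"system": "siem"}}],
    "bob": [{"business_id": "ad-domain-admin", "attributes": {"system": "ad"}}],
    "carol": [{"business_id": "splunk-admin", "attributes": {"system": "siem"}}],
}
```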