title: Resolve a Separation of Duties conflict
category: Policies
tags: sod conflict, remediation, certification queue
priority: Normal
Resolve a Separation of Duties conflict
When Certification Center detects a Separation of Duties (SoD) conflict — an identity holding a toxic pair of access — it routes that conflict into the certification queue so a person can decide what to do. This guide walks through resolving one from detection to a clean, documented outcome.
Prerequisites
- A Certification Center workspace with directories connected and synced
- At least one SoD rule defined (see SoD policy examples and toxic pairs)
- Reviewer access to the certification queue
Step 1: See the conflict
When a rule matches, the conflict appears in the certification queue alongside your access review items. Open it to see the full picture.
| What you see | Meaning |
|---|---|
| Identity | The person holding the conflicting access |
| Side A / Side B | The two capabilities that together form the toxic pair |
| Rule | Which SoD rule was triggered |
| Severity | How urgent this conflict is |
| Detected | When the combination was first found |
Step 2: Decide which side to remove
A conflict is resolved by breaking the pair — the person keeps the access they need for their job and gives up the side they do not.
- Confirm the person's actual role. Which side of the pair is core to their job?
- Identify the side to remove — usually the access that is incidental or left over from a previous role.
- If both sides are genuinely required (common on very small teams), you will record a justified exception instead of revoking — see Step 4.
Step 3: Remediate by revoking one side
From the conflict, choose Revoke on the side to remove. The revoke is written back to the source directory (Active Directory, Entra ID, Google Workspace, AWS IAM, or SCIM), so the access is actually taken away — not just marked as reviewed. The action is timestamped and attributed to you in the attestation trail.
Once one side is removed, the pair no longer exists, and the conflict clears on the next evaluation.
Step 4: When both sides are required — accept with justification
Sometimes true separation is not possible. A three-person finance team may need one person to both enter and approve, backed by a compensating control (for example, a monthly management review). In that case:
- Choose to accept the conflict rather than revoke
- Enter a justification explaining why the combination is necessary and what compensating control exists
- Set an expiration or review date so the exception is re-examined rather than living forever
Important: An accepted conflict is not a hidden one. It stays on record with its justification, which is exactly what an auditor expects to see. Do not accept a conflict just to clear the queue.
Step 5: Confirm it is resolved
After you revoke or accept, the conflict moves out of the open queue. If access changes again later and the toxic pair reappears, a new conflict is raised — so recurring problems stay visible.
Troubleshooting
| Symptom | Fix |
|---|---|
| Conflict reappears after revoking | The access was re-granted elsewhere; check group nesting or an automated provisioning rule |
| Not sure which side to keep | Confirm the person's current role with their manager before deciding |
| Too many conflicts at once | The rule may be mapped too broadly; tighten each side in the rule set |
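To make Steps 3 and 4 and the "conflict reappears" row above concrete, here is an added Python model (example code, not Certification Center's own) of SoD evaluation over effective access: it flattens nested group membership, shows why revoking a direct grant can leave the conflict open, and applies an accepted exception whose review date lapses. All identity, group, capability and rule names are constructed.

```python
# Added example (not Certification Center's own code); every name below is constructed.
from datetime import date

def effective_access(principal, members, seen=None):
    """Flatten direct grants and nested "group:" memberships into capabilities."""
    seen, caps = (set() if seen is None else seen), set()
    for entry in members.get(principal, set()):
        if not entry.startswith("group:"):
            caps.add(entry)
        elif entry not in seen:            # guard against membership cycles
            seen.add(entry)
            caps |= effective_access(entry, members, seen)
    return caps

def grant_paths(principal, capability, members, chain=()):
    """Membership chains that still grant a capability (check these when a conflict reappears)."""
    chain += (principal,)
    paths = []
    for entry in members.get(principal, set()):
        if entry == capability:
            paths.append(chain)
        elif entry.startswith("group:") and entry not in chain:
            paths.extend(grant_paths(entry, capability, members, chain))
    return paths

def open_conflicts(identity, members, rules, exceptions, today):
    """Rules (name, side_a, side_b) with both sides held and no still-valid accepted exception."""
    caps = effective_access(identity, members)
    def covered(rule):  # exceptions: {(identity, rule): {"justification": ..., "review_by": date}}
        exc = exceptions.get((identity, rule))
        return exc is not None and exc["review_by"] >= today
    return [n for n, a, b in rules if a in caps and b in caps and not covered(n)]

RULES = [("AP-01", "ap.enter_invoice", "ap.approve_payment")]
MEMBERS = {  # constructed directory: alice holds side B directly *and* through nested groups
    "alice": {"ap.enter_invoice", "ap.approve_payment", "group:finance-all"},
    "group:finance-all": {"group:ap-approvers"},
    "group:ap-approvers": {"ap.approve_payment"},
}

def walkthrough(today=date(2024, 6, 1)):
    m = {k: set(v) for k, v in MEMBERS.items()}
    before = open_conflicts("alice", m, RULES, {}, today)
    m["alice"].discard("ap.approve_payment")              # Step 3: revoke the direct grant
    after = open_conflicts("alice", m, RULES, {}, today)  # still open: a nested group grants it
    exc = {("alice", "AP-01"): {"justification": "3-person team; monthly management review",
                                "review_by": date(2024, 9, 30)}}  # Step 4: accept with review date
    accepted = open_conflicts("alice", m, RULES, exc, today)
    lapsed = open_conflicts("alice", m, RULES, exc, date(2024, 10, 1))  # past review_by: reopens
    return before, after, grant_paths("alice", "ap.approve_payment", m), accepted, lapsed
```

Running `walkthrough()` shows the conflict open before and after the direct revoke, the nested path that still grants side B, the conflict suppressed while the exception is within its review date, and reopened once that date passes.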
Still stuck?
Email support@certification-center.com with the rule name and the identity involved.
Next steps
- Separation of Duties: policy examples and toxic pairs — define and tune the rules
- Reviewer guide: how to approve or revoke access — the reviewer experience
- Produce audit evidence for a SOX access review