Overview
Segregation of Duties is the process of separating critical system and business responsibilities so no single individual can both initiate and approve sensitive actions. It reduces the risk of fraud, errors, and unauthorized changes by enforcing role-based access and independent oversight.
Step-by-Step Process
Define conflicting duties
The Security Lead identifies system actions that must not be performed by the same individual, such as user provisioning and approval, or code deployment and production approval. These conflicts are documented in a Segregation of Duties (SoD) matrix that maps roles to prohibited combinations. The output is an approved SoD matrix used for access reviews.
Role: Security Lead
Inventory privileged roles
The Security Lead collects a list of all privileged and sensitive roles across in-scope systems, including identity providers, cloud platforms, and administrative tools. This inventory is compiled into a central list showing role name, system, and access level. The output is a current privileged role inventory.
Role: Security Lead
Map users to roles
The Security Lead exports current user-to-role assignments from each system and maps them against the SoD matrix. Any users holding conflicting roles are flagged for review. The output is a completed access mapping worksheet with identified conflicts.
Role: Security Lead
Review and approve conflicts
The Security Lead reviews identified conflicts with relevant managers to determine whether access is inappropriate or requires documented justification. Decisions are recorded, and approvals are obtained for any approved exceptions. The output is a conflict review log with documented decisions.
Role: Security Lead
Remediate access issues
The Security Lead removes or modifies access for any unapproved conflicts directly in the relevant systems. Changes are validated to ensure conflicting access has been fully removed. The output is updated system access aligned with the SoD matrix.
Role: Security Lead
Document evidence and retain records
The Security Lead saves all exports, review notes, approvals, and remediation screenshots in the compliance evidence repository. Records are labeled with the review period and completion date. The output is a complete, audit-ready evidence set for the quarter.
Role: Security Lead
What You Need Before Starting
- Approved Segregation of Duties (SoD) matrix
- Access to Okta admin console
- Access to AWS IAM console
- List of in-scope systems for SOC 2
- Compliance evidence repository (e.g., GRC tool or shared drive)
Evidence Your Auditor Expects
- Dated SoD matrix showing conflicting role definitions (PDF or spreadsheet)
- Okta role assignment export with timestamp from Admin Console > Directory > People
- AWS IAM credential report CSV with generation date
- Completed access review worksheet with reviewer name and review date
- Screenshots showing removal of conflicting access with system timestamps
How This Looks In Your Tools
Okta
Log in to the Okta Admin Console and navigate to Directory > People. Use the filter or search to select each privileged user, then open the Assignments tab to view assigned groups and applications.
Export user assignments by going to Reports > Directory > User and Group Assignments and downloading the CSV. Compare assigned groups against the SoD matrix to identify conflicts, then remove access by editing group membership and saving changes.
AWS IAM
Sign in to the AWS Management Console and navigate to IAM > Access reports > Credential report. Click Download report to export the CSV with a timestamp.
Review attached policies and group memberships under IAM > Users > [Username] > Permissions. Remove conflicting policies or group memberships by selecting Detach policy or Remove user from group, then confirm changes.
Spreadsheet
Open the SoD review spreadsheet and create tabs for Role Inventory, User Access, Conflicts, and Remediation. Paste exported data from Okta and AWS IAM into the User Access tab with the export date noted.
Use filters or conditional formatting to flag users with conflicting roles based on the SoD matrix. Record review decisions, approvals, and remediation dates directly in the spreadsheet and save it as a dated file.
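One way to automate the conflict flagging described in the "Map users to roles" step and in the spreadsheet workflow above, as an added example that is not part of the original page or of any Okta or AWS tooling. It assumes the Okta and AWS IAM exports have been reduced to user,group CSV columns; the matrix entries, users and group names are constructed samples, and the matrix may pair roles across systems, which is why the two exports are merged before checking.

```python
import csv
import io

# SoD matrix of prohibited role pairs, prefixed by system (constructed sample,
# not a real matrix). A pair may span systems, so exports are merged first.
SOD_MATRIX = {
    frozenset({"okta:Okta-User-Admins", "okta:Access-Request-Approvers"}),
    frozenset({"aws:Deployers", "aws:ProdChangeApprovers"}),
    frozenset({"okta:Okta-User-Admins", "aws:Deployers"}),
}

# Constructed samples in the shape of a user,group export from Okta and AWS IAM.
OKTA_CSV = """user,group
alice@example.com,Okta-User-Admins
alice@example.com,Access-Request-Approvers
bob@example.com,Okta-User-Admins
"""
AWS_CSV = """user,group
bob@example.com,Deployers
carol@example.com,Deployers
carol@example.com,ProdChangeApprovers
"""
def load_assignments(csv_text, system):
    """Return {user: {'system:group', ...}} from a user,group CSV export."""
    roles = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"].strip().lower()
        roles.setdefault(user, set()).add(f"{system}:{row['group'].strip()}")
    return roles

def merge(*assignment_maps):
    """Union per-user roles across systems so cross-system pairs are visible."""
    merged = {}
    for m in assignment_maps:
        for user, roles in m.items():
            merged.setdefault(user, set()).update(roles)
    return merged

def find_conflicts(user_roles, matrix=SOD_MATRIX):
    """Return sorted (user, role_a, role_b) for each prohibited pair a user holds."""
    conflicts = []
    for user, roles in user_roles.items():
        for pair in matrix:
            if pair <= roles:  # user holds both roles of a prohibited pair
                conflicts.append((user, *sorted(pair)))
    return sorted(conflicts)

if __name__ == "__main__":
    users = merge(load_assignments(OKTA_CSV, "okta"), load_assignments(AWS_CSV, "aws"))
    for user, a, b in find_conflicts(users):
        print(f"CONFLICT {user}: {a} + {b}")
```

The flagged tuples are what would go into the Conflicts tab of the review spreadsheet, with the export date and reviewer decision recorded alongside each row.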
Common Audit Findings
- Conflicting access not identified
  This occurs when role inventories are incomplete or reviews are not performed regularly. Prevent it by maintaining a centralized SoD matrix and performing documented quarterly reviews.
- Lack of documented review evidence
  Auditors see this when access reviews are done informally without records. Always retain exports, review notes, and dated approvals in a central repository.
- Excessive privileged access
  Users accumulate access over time due to role changes. Prevent this by validating access against job responsibilities during each quarterly review.
- Unapproved SoD exceptions
  Exceptions are sometimes granted verbally without formal approval. Require written justification and management approval for all exceptions and retain them as evidence.