---
title: Manage policy rules
description: Policy rules set the criteria for violation conditions, specify who the criteria apply to, outline decision options, determine scan types, and manage the lifecycles of violations.
component: pingoneaic
page_id: pingoneaic:identity-governance:administration/sod-rules
canonical_url: https://docs.pingidentity.com/pingoneaic/identity-governance/administration/sod-rules.html
keywords: ["segregation of duties", "SoD", "policy rules", "create rules", "edit rules", "manage rules", "violation conditions"]
section_ids:
  edit-policies-rules: Edit policy rules
---

# Manage policy rules

Policy rules set the criteria for violation conditions, specify who the criteria apply to, outline decision options, determine scan types, and manage the lifecycles of violations.

1. In the Advanced Identity Cloud admin console, click Governance > Compliance.

2. On the Policy Rules tab, click New Rule.

3. On the New Policy Rule page, enter the policy rule details, and then click Next:

   | Field              | Description                                                                                                           |
   | ------------------ | --------------------------------------------------------------------------------------------------------------------- |
   | Name               | Enter a name for your policy rule. Follow any naming convention established by your company.                          |
   | Description        | (Optional) Enter a general description for the new policy.                                                            |
   | Owner              | Select a policy owner for this new policy rule.                                                                       |
   | Risk Score         | Assign a risk score for this rule. The range is 0 – 100. For example, a high risk score could be 80 – 100 for a rule. |
   | Mitigating Control | (Optional) Enter instructions on what to do if a violation is unavoidable.                                            |
   | Control URL        | (Optional) Enter a URL link to a reference site, such as an internal corporate policy page.                           |
   | Correction Advice  | (Optional) Enter instructions on how to correct the violation.                                                        |

4. On the Violation Condition page, do the following:

   1. Use the filter to set the first set of conditions that select entitlements. When done, click the add icon, and then click Add Rule to add another condition or Add Group to add a nested group.

      | Field                                                     | Description                                                                                                          |
      | --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
      | Select entitlements if `Any` or `All` conditions are met. | Select Any (an entitlement matches if at least one condition is met) or All (every condition must be met).           |
      | Select a property                                         | Values depend on your glossary items and can include Description, Display Name, Entitlement Owner, and Requestable. |
      | Connector                                                 | Values include contains, is, starts with, and ends with.                                                             |
      | Attribute Value                                           | Enter the value to compare against the selected property.                                                            |

   2. Under can't conflict with, enter the second set of conditions in the same way. A user who holds an entitlement matching the first set and an entitlement matching this set is in violation of the rule. When done, click the add icon, and then click Add Rule or Add Group. Click Next:

      | Field                                                     | Description                                                                                                          |
      | --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
      | Select entitlements if `Any` or `All` conditions are met. | Select Any (an entitlement matches if at least one condition is met) or All (every condition must be met).           |
      | Select a property                                         | Values depend on your glossary items and can include Description, Display Name, Entitlement Owner, and Requestable. |
      | Connector                                                 | Values include contains, is, starts with, and ends with.                                                             |
      | Attribute Value                                           | Enter the value to compare against the selected property.                                                            |

5. On the Applies To page, select the end users to whom this policy rule applies, and then click Next:

   | Field      | Description                                                                                                              |
   | ---------- | ------------------------------------------------------------------------------------------------------------------------ |
   | Applies to | Options are All users, A single user, or Users matching a filter (create a filtered condition that selects the users in scope). |

6. On the Settings page, select the policy rule settings:

   1. Violation Owner: Confirm the violation owner of the policy rule. Select an alternate owner if necessary.

   2. Decision Options: Select whether the violation owner can let a user keep the violating access:

      - Enable Allow: Select to let an end user retain their violating access permanently.

      - Enable Exception: Select to let a user be granted a temporary exception to retain access. If you select this option, additional properties are displayed:

        * Exception Duration: Enter the maximum duration of the exception, in days.

        * Require a justification when allowing exceptions: Select this option to always require a justification for the exception.

   3. Scan Types: At least one value must be selected. Values include:

      - Preventative: Select to enforce the rule during access requests and provisioning. When this property is enabled, an end user who requests a non-compliant entitlement sees a warning message:

        ```
        Granting access to these entitlement(s) will result in a Segregation of Duties (SoD) violation.
        ```

      - Detective: Select to enforce the rule during compliance scans. Preventative checks run only when access is requested or provisioned, so select Detective as well to find conflicts in access that users already hold.

   4. Violation Lifecycle: Select the settings for the violation life cycle:

      - When a violation is found: Select what happens when a violation is found. Options are:

        * Do nothing: Leave the violation as-is with no corrective action. The violation owner must decide what to do with the violation and take corrective action.

        * Launch Violation Workflow: Select the workflow to launch when a rule violation is triggered.

      - Violations Expire: Select whether violations expire automatically. Options are:

        * Never: Never expire the violation automatically.

        * After a specified time: Enter the number of days after which the violation expires.

      - When violation expires: Determines what happens when a violation expires. Options are:

        * Close violation: Closes the expired violation. The conflicting entitlements remain with the user.

        * Create a new violation: Creates a new violation.

        * Do nothing: The violation expires and no action is taken. The conflicting entitlements remain with the user.

7. Click Save.
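As an added example, not code from this page or from PingOne Advanced Identity Cloud itself, the following Python model shows how a rule built on the pages above is evaluated: the two condition groups (Any/All over a property, connector, and attribute value, with nested groups), the Applies To scope, a detective scan over access users already hold, and the preventative check that fires only when the requested entitlement itself completes a conflict. The entitlement and user records, the rule, the use of the UI property names as dictionary keys, and case-insensitive matching are all assumptions of the example.

```python
"""Illustrative SoD rule evaluator (added example; not the product's own engine or API)."""
from dataclasses import dataclass
from typing import Callable, Optional

# Connector operators offered in the filter UI. Case-insensitive comparison is an
# assumption of this example; the page does not say how the product compares values.
CONNECTORS: dict = {
    "contains": lambda actual, expected: expected.lower() in actual.lower(),
    "is": lambda actual, expected: actual.lower() == expected.lower(),
    "starts with": lambda actual, expected: actual.lower().startswith(expected.lower()),
    "ends with": lambda actual, expected: actual.lower().endswith(expected.lower()),
}


@dataclass
class Condition:
    """One filter row: <property> <connector> <attribute value>."""
    prop: str
    connector: str
    value: str

    def matches(self, entitlement: dict) -> bool:
        actual = entitlement.get(self.prop)
        return actual is not None and CONNECTORS[self.connector](str(actual), self.value)


@dataclass
class Group:
    """A filter group: an entitlement matches if ANY or ALL of its items match.
    Items may be Conditions or nested Groups (the UI's Add Rule / Add Group)."""
    mode: str    # "any" or "all"
    items: list  # Condition | Group

    def matches(self, entitlement: dict) -> bool:
        hits = [item.matches(entitlement) for item in self.items]
        return any(hits) if self.mode == "any" else all(hits)


@dataclass
class PolicyRule:
    name: str
    risk_score: int
    left: Group   # "Select entitlements if ..." (first condition set)
    right: Group  # "... can't conflict with ..." (second condition set)
    applies_to: Callable[[dict], bool] = lambda user: True  # Applies To scope

    def conflict(self, entitlements: list) -> Optional[dict]:
        """A set of entitlements violates the rule when at least one entitlement
        matches the left side AND at least one matches the right side."""
        left = [e["Display Name"] for e in entitlements if self.left.matches(e)]
        right = [e["Display Name"] for e in entitlements if self.right.matches(e)]
        if left and right:
            return {"rule": self.name, "risk": self.risk_score, "left": left, "right": right}
        return None

    def violation(self, user: dict) -> Optional[dict]:
        if not self.applies_to(user):
            return None  # out of scope: this rule never produces a violation for the user
        found = self.conflict(user["entitlements"])
        return dict(found, user=user["userName"]) if found else None


def detective_scan(rule: PolicyRule, users: list) -> list:
    """Detective scan type: evaluate every user's current access."""
    return [v for v in (rule.violation(u) for u in users) if v]


def preventative_check(rule: PolicyRule, user: dict, requested: dict) -> bool:
    """Preventative scan type: True when granting `requested` would leave the user in
    violation with the requested entitlement itself on one side of the conflict
    (the point at which the UI shows the SoD warning). A user who is already in
    violation is not warned for an unrelated request."""
    if not rule.applies_to(user):
        return False
    found = rule.conflict(user["entitlements"] + [requested])
    if not found:
        return False
    name = requested["Display Name"]
    return name in found["left"] or name in found["right"]


# Constructed sample data for the example (not taken from the page).
E_VENDOR = {"Display Name": "AP_Vendor_Maintain", "Description": "Create and edit vendor master records",
            "Entitlement Owner": "ap-app-owner", "Requestable": True}
E_PAY = {"Display Name": "AP_Payment_Approve", "Description": "Approve outgoing payments",
         "Entitlement Owner": "ap-app-owner", "Requestable": True}
E_REPORT = {"Display Name": "AP_Report_View", "Description": "Read-only AP reporting",
            "Entitlement Owner": "ap-app-owner", "Requestable": True}

# Rule as it would be built on the Violation Condition and Applies To pages:
#   ALL of (Display Name starts with "AP_", Description contains "vendor")
#   can't conflict with ANY of (Display Name is "AP_Payment_Approve", Display Name ends with "_Approve")
#   Applies to: users matching a filter (here, department is Finance).
RULE = PolicyRule(
    name="Vendor maintenance vs. payment approval",
    risk_score=90,
    left=Group("all", [Condition("Display Name", "starts with", "AP_"),
                       Condition("Description", "contains", "vendor")]),
    right=Group("any", [Condition("Display Name", "is", "AP_Payment_Approve"),
                        Condition("Display Name", "ends with", "_Approve")]),
    applies_to=lambda user: user.get("department") == "Finance",
)

USERS = [
    {"userName": "alice", "department": "Finance", "entitlements": [E_VENDOR, E_PAY]},      # in violation
    {"userName": "bob", "department": "Finance", "entitlements": [E_VENDOR, E_REPORT]},     # compliant
    {"userName": "carol", "department": "Engineering", "entitlements": [E_VENDOR, E_PAY]},  # out of scope
]

if __name__ == "__main__":
    for v in detective_scan(RULE, USERS):
        print(f"VIOLATION {v['user']}: {v['left']} x {v['right']} (risk {v['risk']})")
    if preventative_check(RULE, USERS[1], E_PAY):
        print("Granting access to these entitlement(s) will result in a Segregation of Duties (SoD) violation.")
```

Running the block reports alice's violation from the detective scan and prints the warning for bob's hypothetical request for AP_Payment_Approve; carol holds the same conflicting pair but is outside the Applies To scope, so the rule ignores her, which is why scoping a rule narrowly needs the same care as writing its conditions.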

## Edit policy rules

1. In the Advanced Identity Cloud admin console, click Governance > Compliance.

2. On the Policy Rules tab, click the policy rule you want to edit.

3. Change any of the rule's settings (details, violation conditions, scope, or settings), and then click Save to keep your changes.
