---
title: Manage violations and exceptions
description: Any end user authorized as a violation owner can view and act on violations. Actions include viewing the violating entitlements, revoking the violation, allowing an exception, and extending or revoking the exception.
component: pingoneaic
page_id: pingoneaic:identity-governance:end-user/sod-violations
canonical_url: https://docs.pingidentity.com/pingoneaic/identity-governance/end-user/sod-violations.html
keywords: ["segregation of duties", "SoD", "violations", "exceptions", "manage violations", "allow violation", "revoke violation", "manage exceptions"]
section_ids:
  view-violations-enduser: View violations
  allow-violation-enduser: Allow violations
  revoke-violation-enduser: Revoke violations
  forward-violation-enduser: Forward violations
  view-exceptions-enduser: View exceptions
  extend-exceptions-enduser: Extend exceptions
  revoke-exception-enduser: Revoke exceptions
---

# Manage violations and exceptions

Any end user authorized as a *violation owner* can view and act on violations. Actions include viewing the violating entitlements, revoking the violation, allowing an exception, and extending or revoking the exception.

## View violations

1. In the Advanced Identity Cloud end-user UI, click Inbox > Violations. All violations found during the scans or forwarded to the end user are displayed.

![Identity Governance compliance violations - end user view](../_images/governance-violations-enduser.png)

* 1 Click Inbox > Violations on the Advanced Identity Cloud end-user UI.

* 2 Click to filter violations by status: In-progress or Completed.

* 3 Click the filter icon ([icon: filter_list, set=material, size=inline]) to display violations by owner, rule, or date range.

* 4 Click the column icon ([icon: view_column, set=material, size=inline]) to customize the columns displayed on the page.

* 5 Displays the violations by user.

* 6 Displays the rule violation.

* 7 Displays the creation date of the violation.

* 8 Click Allow or Revoke.

* 9 Click ellipsis ([icon: more_horiz, set=material, size=inline]) to forward the violation to another user or to view its details.

## Allow violations

When a violation owner allows a violation, they create an *exception*. The [Exceptions](#view-exceptions-enduser) page displays all active exceptions.

1. In the Advanced Identity Cloud end-user UI, click Inbox > Violations.

2. Select a violation, and then click Allow.

3. In the Allow an exception modal, enter the following, and click Allow when complete:

   | Field              | Description                                                                                                                                                                                                                                                                                                                                                                                                                      |
   | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Rule Violated      | Displays the rule and description associated with the violation.                                                                                                                                                                                                                                                                                                                                                                 |
   | View Details       | Click to display the violation details.                                                                                                                                                                                                                                                                                                                                                                                          |
   | Allow an exception | Select an option:<br>- Forever: Allow the exception to exist without an expiration date.<br>- Until Specified Date: Click to set an expiration date for the exception. Click Date and select a date on the calendar.<br>- Justification: Enter a justification for the exception. If you clicked the Require a justification when allowing exceptions option on the policy rule settings, end users are required to enter an exception reason. |

## Revoke violations

When a violation owner opens their violations, they have the option to revoke the violation. Identity Governance displays two sets of entitlements: the entitlements that already exist for the end user, and the conflicting entitlements. Click the set of entitlements you want to revoke, which moves them to the cart on the right.

1. In the Advanced Identity Cloud end-user UI, click Inbox > Violations.

2. Select a violation, and then click Allow.

3. In the Allow an exception modal, enter the following, and click Revoke Entitlements when complete:

   | Field                               | Description                                                                                                                                    |
   | ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
   | User                                | Displays the user and user's email address.                                                                                                    |
   | Rule Violated                       | Displays the rule and description associated with the violation.                                                                               |
   | View Details                        | Click to display the violation details.                                                                                                        |
   | How to Fix                          | Displays any instructions entered when configuring the policy rule.                                                                            |
   | Entitlements (Number)               | Displays the existing entitlement(s) on the left. Click Revoke all to revoke the entitlement(s). The entitlements appear in the right pane.    |
   | Conflicting Entitlements (Number)   | Displays the conflicting entitlement(s) on the right. Click Revoke all to revoke the entitlements. The entitlements appear in the right pane.  |
   | Justification                       | Enter a justification for revoking the entitlement(s).                                                                                         |
   | Entitlements to Revoke (right pane) | Displays the selected entitlement(s) to revoke.                                                                                                |

## Forward violations

1. In the Advanced Identity Cloud end-user UI, click Inbox > Violations.

2. Click ellipsis ([icon: more_horiz, set=material, size=inline]) and click Forward.

3. In the Forward Violation modal, select or enter the following:

   | Field                     | Description                                                                                                                                                                                                         |
   | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Forward this violation to | Select one of the following:<br>- Another user: Forward to another end user, and select in the Forward to menu.<br>- Users with assigned role: Forward to another end user with the selected role in the Forward to menu. |
   | Comment                   | Enter a comment as to why the violation is being forwarded.                                                                                                                                                         |
   | OK                        | Click to forward the violation. The end user receives an email notification for the forwarded violation.                                                                                                            |

## View exceptions

The Exceptions page displays all *allowed* violations, or exceptions.

1. In the Advanced Identity Cloud end-user UI, click Inbox > Violations > Exceptions.

![Identity Governance compliance exceptions - end user view](../_images/governance-exceptions-enduser.png)

* 1 Click the filter icon ([icon: filter_list, set=material, size=inline]) to display the exceptions.

* 2 Click the column icon ([icon: view_column, set=material, size=inline]) to customize the columns displayed on the page.

* 3 Displays the violations by user.

* 4 Displays the rule violation.

* 5 Displays the creation date of the violation.

* 6 Displays the latest violation date.

* 7 Displays the expiration date of the exception.

* 8 Click ellipsis ([icon: more_horiz, set=material, size=inline]) to extend the violation, revoke the exception, or to view its details.

## Extend exceptions

Violation owners can extend an exception on the Exceptions page.

1. In the Advanced Identity Cloud end-user UI, click Inbox > Violations > Exceptions.

2. In the Extend Exception modal, select or enter the following:

   | Field            | Description                                                                                                                                                                                                                                                                |
   | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Rule Violated    | Displays the policy rule, description, and the date of the exception associated with the violation.                                                                                                                                                                        |
   | View Details     | Click to display the violation details.                                                                                                                                                                                                                                    |
   | Extend Exception | Select an option:<br>- Forever: Allow the exception to exist without an expiration date.<br>- Until Specified Date: Click to set an expiration date for the exception. Click Date and select a date on the calendar.<br>- Justification: Enter a justification for the exception. |

3. Click Extend. The Exceptions page displays the updated expiration date.

## Revoke exceptions

1. In the Advanced Identity Cloud end-user UI, click Inbox > Violations > Exceptions.

2. In the Revoke Exception modal, enter a justification to revoke the previously granted exception.

3. Click Revoke. The Exceptions page no longer displays the exception.
