IT Glossary

Separation of Duties (SoD)

Separation of Duties (SoD) splits critical tasks across people to prevent fraud. Learn how SoD works, common conflicts, and how Corma detects them.

July 3, 2026

What is Separation of Duties (SoD)?

Separation of Duties (SoD) is an internal control principle that divides critical tasks and the access rights behind them among multiple people, so no single individual can complete a sensitive process alone. By preventing conflicting permissions (for example, the same person both creating and approving a payment), SoD reduces fraud, error, and abuse. It is a core requirement of frameworks such as SOX, ISO 27001, and SOC 2.

How SoD works

  • Identify sensitive processes and the steps within them.
  • Map which permissions, in combination, create a conflict of interest.
  • Ensure no single user holds a "toxic combination" of those permissions.
  • Detect violations through access reviews and automated checks.
  • Remediate by reassigning access or adding compensating controls.

Common SoD conflicts

Certain permission combinations are classic SoD conflicts. Allowing one person to create a vendor and approve a payment enables fraudulent or fake payments. Allowing one person to request access and grant access enables self-approved privilege escalation. Allowing one person to develop code and deploy it to production lets unreviewed changes reach live systems.

Examples and use cases

During an audit, a reviewer finds one employee who can both add suppliers and approve invoices, a classic SoD violation. Splitting those duties (or requiring a second approver) closes the gap. At SaaS scale, these conflicts hide across dozens of tools, so detecting them manually is unreliable. Automated SoD analysis across applications turns a once-a-year scramble into a continuous control.

Related concepts

FAQ

What is a toxic combination in SoD?

It is a pair of permissions that, held by one person, lets them complete a sensitive process alone, such as creating and approving the same payment.

Why is SoD required for compliance?

Frameworks like SOX, ISO 27001, and SOC 2 expect critical duties to be split to prevent fraud and error, with evidence that conflicts are detected and resolved.

How is SoD enforced across many SaaS apps?

By analyzing access across all applications to find cross-app conflicts, which is impractical manually and is best handled with automated detection.

Request a demo