IAM role-based access control policies not enforcing GL module segregation of duties for financial compliance

mark_ops · February 1, 2025, 4:34pm

We’re failing audit requirements because our IAM policies aren’t properly enforcing segregation of duties in the GL module. Users who should only have journal entry creation rights are able to approve their own entries, which violates SOD principles.

Our current policy structure:

{
  "statements": [
    {"allow group GL_Users to manage journals in compartment Finance"}
  ]
}

We’ve set up separate groups (GL_Creators and GL_Approvers) with role-based access control, but the policy conditions aren’t working as expected. Users in GL_Creators group can still perform approval actions. We need dynamic group membership based on user attributes, but I’m not sure how to implement policy conditions that check the request type (create vs approve) and prevent the same user from doing both. This SOD violation was flagged in our audit and needs immediate resolution.

johndata · February 3, 2025, 9:00am

Your policy is way too broad - ‘manage’ grants all permissions. You need to break it down into specific verbs: ‘use’, ‘read’, ‘inspect’ for different operations. For SOD enforcement, create separate policies for each group with explicit verbs. GL_Creators should only have ‘use’ permission for journal creation, while GL_Approvers get ‘manage’ for approval workflows. The ‘manage’ verb is essentially admin access and bypasses any SOD controls you’re trying to implement.

helen_analyst · February 10, 2025, 10:56am

I tried breaking down the permissions, but I’m struggling with the policy conditions syntax. How do I specify that GL_Creators can only perform ‘create’ operations and not ‘approve’ operations on the same resource? Also, for dynamic group membership, we want to automatically assign users to groups based on their department attribute in our identity provider. Is this possible with OCI IAM federation?

mark_cloud · March 4, 2025, 9:13am

The segregation of duties enforcement requires a combination of IAM policies and application-level controls. At the IAM level, you can use resource-level permissions and policy conditions, but OCI IAM doesn’t have native support for workflow-based approvals. You need to implement this in your application logic - the GL module should track who created each journal entry and prevent that same user from approving it, regardless of their IAM permissions. IAM policies control access to resources, but business logic like SOD needs to be enforced in the application layer.

johndata · March 17, 2025, 4:42pm

Let me provide a comprehensive solution addressing all four aspects of your SOD challenge:

1. Role-Based Access Control Implementation: Replace your overly permissive policy with granular, verb-specific policies:

GL_Creators Policy:

{
  "statements": [
    {
      "allow group GL_Creators to use journals in compartment Finance where request.operation='CreateJournalEntry'"
    },
    {
      "allow group GL_Creators to read journals in compartment Finance"
    },
    {
      "deny group GL_Creators to manage journals in compartment Finance where request.operation='ApproveJournalEntry'"
    }
  ]
}

GL_Approvers Policy:

{
  "statements": [
    {
      "allow group GL_Approvers to manage journals in compartment Finance where request.operation='ApproveJournalEntry'"
    },
    {
      "allow group GL_Approvers to read journals in compartment Finance"
    },
    {
      "deny group GL_Approvers to use journals in compartment Finance where request.operation='CreateJournalEntry'"
    }
  ]
}

2. Segregation of Duties Enforcement: The key is using explicit DENY statements. OCI IAM evaluates policies in this order: Deny → Allow. Even if a user is accidentally added to both groups, the deny policy prevents them from performing the conflicting action. Additionally, implement these safeguards:

Never assign users to both GL_Creators and GL_Approvers groups
Use OCI audit logs to monitor for policy violations
Implement periodic access reviews to verify group memberships
Create an alert rule that triggers when a user is added to multiple conflicting groups

3. Policy Conditions: Policy conditions use the ‘where’ clause to evaluate request context. Available conditions include:

request.operation: The specific API operation being performed
request.user.id: The OCID of the user making the request
target.resource.id: The OCID of the resource being accessed
request.networkSource.name: Network source of the request

For SOD enforcement, the critical condition is request.operation, which allows you to permit/deny specific actions. However, note that operation names must match the actual OCI API operations - you may need to work with your application team to identify the exact operation names used by your GL module.

4. Dynamic Group Membership: OCI dynamic groups are for compute instances, not users. For user group assignment based on attributes, configure federation group mapping:

SAML Federation Setup:

In your IdP, create groups matching your OCI groups (GL_Creators, GL_Approvers)
Configure SAML assertion to include group membership attribute
In OCI Identity Federation, map IdP groups to OCI IAM groups
Users automatically inherit OCI group membership based on their IdP groups

Mapping Configuration:

{
  "groupMappings": [
    {"idpGroup": "Department-GL-Create", "ociGroup": "GL_Creators"},
    {"idpGroup": "Department-GL-Approve", "ociGroup": "GL_Approvers"}
  ]
}

Critical Additional Controls: IAM policies alone cannot fully enforce SOD for complex business workflows. You MUST implement application-level controls:

Database-level enforcement: Store creator user ID with each journal entry
Application logic: Check if approver.id == creator.id and reject if true
Audit trail: Log all creation and approval actions with user IDs and timestamps
Workflow engine: Implement multi-stage approval requiring different users at each stage

For audit compliance, document that your SOD control has two layers:

IAM Policy Layer: Prevents users from having both create and approve permissions simultaneously
Application Layer: Prevents the same user from approving entries they created, even if they later gain approval permissions

This defense-in-depth approach satisfies auditors and provides true SOD enforcement. Make sure your audit team understands that OCI IAM controls resource access, while business logic controls workflow-based SOD requirements.

Topic		Replies	Views
Analytics dashboard access denied for custom IAM role despite correct policy assignment in OCI security Oracle Cloud question , analytics , security , dashboard , access-control , oci-2019 , json , iam-policy , compartment	4	0	August 31, 2025
Mounting OCI Object Storage bucket as filesystem in container fails with permission denied error Oracle Cloud question , storage , iam , oci-2021 , permission-denied , container-servi , dynamic-group , s3fs , filesystem	6	0	October 21, 2025
IAM policy denied error when accessing Autonomous Database from OCI Compute instance Oracle Cloud question , compute , security , authentication , iam , oci-2021 , policy-denied , autonomous-database , dynamic-group	6	0	February 28, 2025
Best practices for secure sharing of User Defined Objects in analytics reporting environment Oracle JD Edwards discussion , data-governance , reporting-analytics , security-auth , access-control , audit-logging , analytics-report , jde-9-2-0 , udo-security	5	1	November 16, 2025
Autonomous Database access policy sync fails after IAM group updates Oracle Cloud question , security , compliance , access-control , iam , oci-2019 , autonomous-database , oci-cli , policy-sync-fail	7	0	October 14, 2025
Centralized IAM vs application-level access control for analytics workloads IBM Cloud discussion , data-governance , analytics , compliance , access-control , iam , ic-2020 , app-security , policy-management	5	0	November 7, 2025
IAM least privilege vs role-based access for ERP users: balancing security with operational efficiency Google Cloud Platform (GCP) discussion , compute , security , access-control , iam , gcp-2021 , rbac , user-provisioning , least-privilege	6	0	August 22, 2025
IAM policy misconfiguration exposes sensitive data in audit logs, triggering compliance alert Google Cloud Platform (GCP) question , security , iam , gcp-2019 , least-privilege , security-audit , compliance-gove , cloud-audit-logs , data-redaction	5	0	February 7, 2025
Audit logs missing for database user activity after enabling Unified Auditing in security policies Oracle Cloud question , security , compliance , database , oci-2019 , unified-auditing , audit-policy , dbms-audit-mgmt , database-security	6	0	March 26, 2025

IAM role-based access control policies not enforcing GL module segregation of duties for financial compliance

Related topics