Skip to main content

What’s an access conflict?

An access conflict is when two entitlements assigned to the same user violate a separation of duties (SoD) policy or other regulation. Ensuring SoD is enforced across your organization is an important part of adhering to standards such as SOX, FDA 21 CFR Part 11, and ISO 27001. Set up an access conflict monitor by defining groups of mutually exclusive access. C1 automatically identifies existing and new access conflicts so you can take action. Each conflict monitor also creates detailed audit logs and downloadable reports so you can prove your SoD compliance to auditors and certifiers.

Create a new conflict monitor

This task requires the Super Administrator role in C1.
Follow the steps below to create a conflict monitor. You can set up multiple conflict monitors to adhere to the various regulations and policies your organization must follow.

Set up the conflict monitor

1
Navigate to Governance > Access conflicts.
2
Click New conflict monitor.
3
Give the new conflict monitor a name and add a description.
4
Click Submit. The new conflict monitor is created for you.

Choose conflicting access to monitor

In this step you’ll create two groups of entitlements and define the condition that triggers an alert.
1
On the Settings tab, go to the Conflicting access section and click Edit in the Group A row.
2
Use the search and filter tools to add entitlements to Group A. You can select up to 32 entitlements for each group. When you’re done, click Save.
3
Repeat the process to add entitlements to Group B.
4
When editing Group B, set the Condition for when an alert should fire:
  • Is in — Alert when a user holds entitlements in both Group A and Group B. Use this for standard mutual-exclusion rules (for example, no one should have both Approve Payments and Submit Invoices).
  • Is not in — Alert when a user holds an entitlement in Group A but not in Group B. Use this to flag users who have sensitive access without the compensating control that’s supposed to go with it (for example, anyone with Production DB Write access should also be in the Security-Approved group).
Edit and refine your selections as necessary. No alerts will be triggered until you enable the conflict monitor.

Optional: Set up notifications

1
In the Settings area of the page, click Edit and go to the Notifications area.
2
If you want C1 to send an email when new alerts are generated by the conflict monitor:
  • Click to turn on Direct message.
  • Select one or more C1 users to receive notifications by email when new alerts are generated by your conflict monitor.
3
If you want C1 to send Slack notifications when new alerts are generated by the conflict monitor:
  • Click to turn on Slack. You’ll see an error with instructions if the C1 app for Slack isn’t set up for your organization.
  • Type the name of the channel where you want to receive notifications when new alerts are generated by your conflict monitor. If you enter the name of a channel that does not yet exist, the C1 app for Slack will create it for you.
4
Click Save.

Enable the conflict monitor

1
When you’re finished configuring the conflict monitor, click Enable at the top of the page.
2
Click Alerts to see the list of any conflicts immediately detected by the new conflict monitor.As additional conflicts are detected by the monitor, they will be added here, and an orange dot will appear in the sidebars next to Governance and Access conflictsto alert you that new conflicts have been detected.

Manage alerts

When your conflict monitor alerts you that conflicting access is assigned to a user, you have three choices for how to proceed:
  • Resolve the conflict: Revoke access to one of the entitlements to resolve the conflict. When one of the conflicting entitlements is no longer assigned to the user, the alert’s status changes to Resolved.
  • Exempt the conflict: Click Exempt and provide a reason why you are allowing a particular user to retain a potentially risky combination of access. The alert’s status then changes to Exempted.
  • Do nothing: If you take no action, the alert’s status remains Active until you either exempt or resolve the conflict.
To learn more about a conflict and see its log of past actions, click View audit log at the end of the row.
An audit log for a conflict monitor alert.

Review access conflicts in a campaign

You can use your conflict monitors to scope an access review campaign. When you create a campaign and select the Access conflicts review type, C1 generates review tasks for users who have active violations detected by your conflict monitors. This lets you systematically review and remediate separation of duties violations across your organization. To set up an access conflict campaign, see Create an access review campaign.

Generate reports

Generate a report of the conflict monitor’s alerts, their current state, and all audit log entries by clicking the Generate CSV icon. Your report will be prepared for you and posted in the downloads center at the top of the page when ready.
A report of a conflict monitor's alerts.
If you use the search and filter tools to limit what’s shown on the page, clicking Generate CSV will create a report of only the filtered list of alerts.

Frequently asked questions about access conflicts

By default, the conflict monitor syncs data once an hour. If you need to run a sync on demand, click the (more actions) menu in the upper right corner of the page and select Sync now.
Yes. The Insights section on review and request tasks includes information about any relevant conflict monitors. If existing access has triggered an alert, this is shown on review tasks. If the requested access would trigger an alert if granted, this is shown on request tasks.