Create an SoD policy
SoD policies define the conflicting entitlement combinations Zluri detects and how it responds when it finds a match. Creating a policy takes you through a 5-step wizard: Basics & Triggers, Scope, Rules, Remediation, and Review & Publish.
Navigate to IGA > SoD > Policy Library and select Create Policy to open the wizard. The wizard navigation lists all five steps.
Configure basics and triggers
The first step sets the policy name, owner, and detection schedule.
[SCREENSHOT: SoD policy creation wizard open on the Basics & Triggers step, showing the wizard navigation with all five steps and the policy name, description, owner, and trigger fields]
Steps
- Enter a Policy Name. Names must be unique within your organization.
- Enter an optional Description (up to 512 characters).
- Select an Owner: the person responsible for this policy. Zluri defaults to the current author. Owners must hold the Owner, Admin, or IT Admin role.
- Select Add Trigger to open the trigger picker.
- Select Scheduled and configure the detection cadence.
  - Interval: set the policy to run every N minutes, hours, days, weeks, or months. Select the timezone and the time of day the run starts.
  - Cron: enter a cron expression for advanced scheduling. Zluri validates the expression and displays an inline error for invalid syntax. Select Read more to open the cron syntax reference.
  - The live preview banner updates as you edit fields, for example, “Runs every 2 days at 12:00 AM IST.”
  Event-based triggers appear in the picker with a Coming soon label. You cannot configure them in this release.
- Select Save to add the trigger as a card on the Basics step.
- Select Next to proceed to Scope.
Next becomes active only after you enter a Policy Name, assign an Owner, and add at least one trigger.
Scope identities
The Scope step defines which identities this policy evaluates. Narrowing scope reduces false positives and speeds up detection runs.
[SCREENSHOT: Scope step showing the Inclusion section with Add Identity and Add by Criteria options, and the Matched Identities panel displaying Identity, Type, Owner, and Status columns]
Steps
- In the Inclusion section, add identities using one or both methods:
  - Add Identity: search for and select specific identities by name.
  - Add by Criteria: build filter conditions using the attributes in the table below. Zluri joins multiple conditions with And or Or logic.
- Optionally, turn on Exclusions and define identities to subtract from the inclusion match set. The Exclusion section supports the same two input methods.
- Review the matched identities in the Matched Identities panel. The panel shows Identity, Type, Owner, and Status for each matched identity.
- Select Next to proceed to Rules.
A non-blocking warning appears if the matched identity count exceeds 50,000.
Use the following attributes to build criteria-based scope filters:
| Attribute | Description |
|---|---|
| Source | The identity source, for example, Okta, Azure AD, or BambooHR. |
| Identity Type | Employee, External, Service Account, or Group Account. |
| App Category | The category of an application the identity has access to. |
| Tags | Custom tags applied to the identity in Zluri. |
| Department | The identity’s department from the connected HRMS. |
| Location | The identity’s location from the connected HRMS. |
Configure rule sets
The Rules step defines the two conflicting entitlement sets. Set A and Set B are always present. You cannot remove them or add a third set.
[SCREENSHOT: Rules page showing the Set A card and Set B card, each in an empty state with a Configure button]
Steps
- Select Configure on the Set A card to open the rule set editor.
- Enter a Rule Set Name (defaults to “Set A”).
- Add entitlements to the Inclusion section using Add Entitlement, Add by Criteria, or both. Both methods coexist in the same rule set. Zluri joins them with OR logic.
- Optionally, turn on Exclusions and add entitlements to subtract from the inclusion match set.
- Select Save Rule Set.
- Repeat for Set B.
Both rule sets must have at least one inclusion block before Next becomes active. If Set A and Set B match identical entitlement sets, Zluri displays a non-blocking warning: “Your sets overlap. Violations may over-fire.”
Add specific entitlements
Steps
- Select Add Entitlement.
- Enter a keyword in the search bar to find entitlements by name.
- Apply filters in the Filters panel to narrow results by entitlement type (Role, Permission, or Group), application, or privilege level.
- Select one or more entitlements from the results list. Zluri displays selected entitlements in the Selected Entitlements panel.
- To require an AND condition on an entitlement, select the + button next to it. Both conditions must be true for that block to match, for example, “has this permission and belongs to this group.”
- Select Confirm to add the entitlements to the rule set.
[SCREENSHOT: Add Entitlement side sheet showing the keyword search bar at the top, the Filters panel for entitlement type and application, and the Selected Entitlements panel]
Use this method when you know the exact roles, permissions, or group memberships that form one side of the conflict.
Add entitlements by criteria
Steps
- Select Add by Criteria.
- Build filter conditions using the attributes in the table below.
- Select Preview to see the entitlements the criteria match.
- Select Save Criteria Set to add the criteria block to the rule set.
[SCREENSHOT: Add by Criteria modal showing filter conditions in the Filters panel and matched entitlements in the Preview panel]
Use this method when you want a rule that automatically adapts as entitlements change in the source application, for example, “all privileged permissions in Workday.”
Use the following attributes to build criteria-based rules:
| Attribute group | Available attributes |
|---|---|
| Role attributes | Role Name, Role Type, Privileged Role (yes or no), Role Description |
| Permission attributes | Permission Name, Permission Type, Privileged Permission (yes or no), Permission Description |
| Group attributes | Group Name, Group Source, Group Tag |
| Application attributes | Application, App Status, App Category, App Sub-Category, App Authorization Status, App Owner, App IT Owner, App Finance Owner, App Sources, App Custom Fields |
Preview matched identities
After configuring both rule sets, verify which identities currently match the toxic combination before proceeding.
[SCREENSHOT: Rules summary page showing the configured Set A and Set B cards with entitlement chips and criteria sets, and the Preview panel showing matched identities with columns for Identity, Matched Entitlements, and Identity Type]
Steps
- Select Preview on the Rules summary page.
- Review matched identities in the Preview panel. Each row shows the identity name, matched entitlements, and identity type.
- Select View matched entitlement on any row to inspect the specific entitlements from each set that caused the match.
- Select Next to proceed to Remediation.
Simulate a policy before publishing
Simulation validates a policy’s detection accuracy without writing violations to the live violation store. The Simulate option becomes available after you configure both Scope and Rules.
Run a Quick Validation
Steps
- On the Rules summary page, select Simulate.
- Select Quick Validation.
- Search for and select a single identity.
- Zluri evaluates the selected identity against both rule sets and displays the verdict within seconds. The result shows whether Zluri detected a violation, which sets matched, and the contributing entitlements. When Zluri detects no violation, it displays an explanation of why the identity did not match.
Use Quick Validation to spot-check whether a specific identity matches the configured toxic combination before running a full simulation.
Run a Full Simulate
Steps
- On the Rules summary page, select Simulate.
- Select Full Simulate.
- Zluri runs detection across the entire matched scope in the background.
- When the simulation completes, select View Results to see matched identities and their offending entitlements. The results table shows up to the first 500 matched identities.
- Select Export CSV to download the full simulation results.
[SCREENSHOT: Full Simulate results table showing matched identities with columns for identity name, Set A entitlements, and Set B entitlements, plus the Simulate Again button and the last-run timestamp]
Zluri displays the timestamp of the most recent simulation run. Select Simulate Again to run a fresh simulation.
Use Full Simulate to understand total violation volume before publishing and to build confidence in the rule configuration before promoting to Enforce mode.
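To make the evaluation semantics behind the Rules, Preview, Quick Validation, and Full Simulate steps concrete, the following Python model is included here as an added example. It is not Zluri's code: the data model (entitlement and identity attributes), the representation of a rule block as either a specific AND-combined entitlement set or a criteria predicate, and the choice to subtract exclusion matches from an identity's entitlements before evaluating inclusion blocks are all assumptions made for illustration. The identities and entitlements are constructed sample data.

```python
"""Illustrative SoD policy evaluation model (added example, not Zluri's code)."""
from dataclasses import dataclass
from typing import Callable, Optional, Union


@dataclass(frozen=True)
class Entitlement:
    app: str
    kind: str            # "Role", "Permission" or "Group"
    name: str
    privileged: bool = False


@dataclass(frozen=True)
class Identity:
    name: str
    identity_type: str   # "Employee", "External", "Service Account", "Group Account"
    department: str
    entitlements: frozenset


# A rule block is either a frozenset of specific entitlements (the "+" AND
# condition: all of them must be held) or a criteria predicate over one
# entitlement (matches every held entitlement that satisfies it).
Block = Union[frozenset, Callable[[Entitlement], bool]]


@dataclass
class RuleSet:
    name: str
    inclusions: list                  # blocks joined with OR
    exclusions: Optional[list] = None # blocks whose matches are subtracted first


@dataclass
class Scope:
    include_names: frozenset = frozenset()
    include_criteria: Optional[list] = None  # predicates over Identity, joined with OR
    exclude_names: frozenset = frozenset()
    exclude_criteria: Optional[list] = None


def _block_matches(block, held):
    """Entitlements from `held` that satisfy one block (empty set if none)."""
    if isinstance(block, frozenset):
        return set(block) if block <= held else set()
    return {e for e in held if block(e)}


def evaluate_rule_set(rs, held):
    """Contributing entitlements for a rule set: exclusions are removed from the
    identity's entitlements first (assumption), then inclusion blocks are ORed."""
    excluded = set()
    for block in rs.exclusions or []:
        excluded |= _block_matches(block, held)
    effective = held - excluded
    matched = set()
    for block in rs.inclusions:
        matched |= _block_matches(block, effective)
    return matched


def in_scope(scope, ident):
    included = ident.name in scope.include_names or any(
        c(ident) for c in scope.include_criteria or [])
    excluded = ident.name in scope.exclude_names or any(
        c(ident) for c in scope.exclude_criteria or [])
    return included and not excluded


def quick_validate(scope, set_a, set_b, ident):
    """Verdict for a single identity, in the spirit of Quick Validation."""
    if not in_scope(scope, ident):
        return {"violation": False, "reason": "identity is outside the policy scope"}
    a = evaluate_rule_set(set_a, ident.entitlements)
    b = evaluate_rule_set(set_b, ident.entitlements)
    if a and b:   # toxic combination: both sides of the conflict are held
        return {"violation": True, "set_a": a, "set_b": b}
    missing = [rs.name for rs, m in ((set_a, a), (set_b, b)) if not m]
    return {"violation": False, "reason": "no entitlement matched " + " and ".join(missing)}


def full_simulate(scope, set_a, set_b, identities):
    """Names of all in-scope identities that violate the policy (Full Simulate / Preview)."""
    return [i.name for i in identities if quick_validate(scope, set_a, set_b, i)["violation"]]


def sets_overlap(set_a, set_b, catalogue):
    """Overlap warning condition: both sets match the identical entitlements."""
    return evaluate_rule_set(set_a, catalogue) == evaluate_rule_set(set_b, catalogue)


# Constructed sample data: a classic procure-to-pay conflict.
CREATE_VENDOR = Entitlement("Workday", "Permission", "Create Vendor")
APPROVE_PAYMENT = Entitlement("Workday", "Permission", "Approve Payment", privileged=True)
AP_GROUP = Entitlement("Okta", "Group", "Accounts Payable")
VIEWER = Entitlement("Workday", "Role", "Viewer")
CATALOGUE = frozenset({CREATE_VENDOR, APPROVE_PAYMENT, AP_GROUP, VIEWER})

SET_A = RuleSet("Set A", inclusions=[frozenset({CREATE_VENDOR})])
# Set B: any privileged Workday permission (criteria block) OR AP group AND Viewer role.
SET_B = RuleSet("Set B", inclusions=[lambda e: e.app == "Workday" and e.privileged,
                                     frozenset({AP_GROUP, VIEWER})])
SCOPE = Scope(include_criteria=[lambda i: i.identity_type == "Employee"],
              exclude_criteria=[lambda i: i.department == "Internal Audit"])

ALICE = Identity("alice", "Employee", "Finance", frozenset({CREATE_VENDOR, APPROVE_PAYMENT}))
BOB = Identity("bob", "Employee", "Finance", frozenset({CREATE_VENDOR, AP_GROUP}))   # AND block incomplete
CARA = Identity("cara", "Service Account", "IT", frozenset({CREATE_VENDOR, APPROVE_PAYMENT}))  # out of scope

if __name__ == "__main__":
    for ident in (ALICE, BOB, CARA):
        print(ident.name, quick_validate(SCOPE, SET_A, SET_B, ident))
    print("violations:", full_simulate(SCOPE, SET_A, SET_B, [ALICE, BOB, CARA]))
    print("overlap warning:", sets_overlap(SET_A, SET_B, CATALOGUE))
```

Running the module shows alice flagged (she holds one entitlement from each set), bob cleared with the reason that nothing matched Set B (he is in the AP group but lacks the Viewer role the AND block also requires), and cara skipped because service accounts are outside the scope. The overlap check mirrors the wizard's non-blocking warning: it fires only when both sets resolve to the same entitlements.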
Configure remediation
The Remediation step controls what Zluri does when it detects a violation.
[SCREENSHOT: Remediation step showing the Monitor and Enforce mode selection, the Violation Handling section with Assignee configuration, Playbook pickers for Set A and Set B, the Risk level selector, and the Exemptions section]
Set up Monitor mode
Steps
- Select Monitor.
Zluri detects violations, logs them, and sends email and in-app notifications to the policy owner on scan completion. Zluri does not run automated remediation.
Use Monitor mode when deploying a new policy to validate that the rule catches the right violations before turning on enforcement.
Set up Enforce mode
Steps
- Select Enforce.
- Choose a Violation Handling shape:
  - Assignee decides: Zluri routes a decision task to the configured assignee with full violation context: the identity, their offending entitlements per set, and the applications involved. The assignee selects which set to revoke, and Zluri runs the corresponding Playbook.
  - Choose default side: Zluri automatically revokes entitlements from a pre-selected set using the configured Playbook. No human decision is required.
- Configure the Assignee:
  - Role-based: select App Owner, Reporting Manager, or Department Head.
  - Specific user: search for and select a user directly.
  - Set a Fallback Assignee to receive the task if the primary assignee is unavailable.
- Select a Playbook for Set A and a Playbook for Set B. Each Playbook defines the revocation actions to run when that set is selected for removal.
- Set a Risk level for this policy: High, Medium, or Low. Zluri applies this risk level to all violations the policy raises.
Use Enforce mode after validating the policy in Monitor mode and confirming it catches the right violations.
Configure exemptions
Steps
- Turn on Allow Exemptions.
- Set a Max Duration in days. Zluri automatically re-opens the violation when the exemption duration expires.
- Select Next to proceed to Review & Publish.
Only Owner, Admin, and IT Admin roles can grant exemptions in this release.
Review and publish
The final step presents a complete summary of the policy for review before publishing.
[SCREENSHOT: Review & Publish page showing the four summary cards — Basics & Triggers, Scope, Rules, Remediation — with a pencil icon on each card and the mandatory Publish Note field at the bottom]
Steps
- Review all four summary cards: Basics & Triggers, Scope, Rules, and Remediation.
- Select the pencil icon on any card to return to that step and make changes without losing other configurations.
- Review the rule set summaries on the Rules card. Each set displays up to five category pills: Roles, Permissions, Group Memberships, Entitlement Combinations, and Criteria Sets. Zluri shows “No exclusions configured” in the exclusion section if you added no exclusions.
- Enter a Publish Note describing the reason for this publish. Publish Notes are mandatory, have a 512-character limit, and appear in the policy’s version history and audit log.
- Select Publish to activate the policy.
After publishing, the policy status changes from Draft to Active. Zluri queues the first detection scan based on the configured trigger schedule and writes an entry to the audit log with the author, timestamp, policy version, and Publish Note.