Policy Violations

After a policy runs, Zluri records every identity that matched the toxic combination as a violation. The Violations tab on the policy detail page is where you view, filter, investigate, and resolve violations.

Navigate to IGA > SoD > Policy Library, open a policy, and select the Violations tab.

View violations

The policy detail page shows an Overview tab with the configured Scope and Rules, and a Policy Details panel including the Severity badge, Enforcement Mode badge, and published version. The detail page navigation provides tabs for Violations, Exemptions, Policy Runs, and Version History.

Policy detail Overview tab showing Scope, Rules (Set A and Set B), and the Policy Details panel with Severity and Enforcement Mode

After a detection run completes, violations appear in the Violations tab. Each row shows the violation ID, execution ID, policy, identity, and status. Select a row to open the violation detail drawer.

Violations tab on the policy detail page

Violations filter panel showing Execution ID, Policy, Status, and Detected At filter options

Violation row action menu showing Copy Link and View options

View Density menu on the violations list showing Compact and Comfortable options

Use the Open Violations filter button to show only unresolved violations. Select the filter icon to refine by Execution ID, Policy, Status, or Detected At.

Violation statuses

Each violation moves through a series of statuses from detection to resolution. The following table describes every possible state.

| Status | Meaning |
| --- | --- |
| Open | Zluri detected a conflict. No action taken yet. |
| Exempted | The identity has an exception, either pre-configured on the policy or granted manually. Zluri re-opens the violation when the exemption expires. |
| Remediation In Progress | Zluri triggered a Playbook to fix the violation. Waiting for the Playbook to complete. |
| Remediated | The Playbook ran successfully and resolved the violation. |
| Partially Remediated | The Playbook ran but resolved only some of the conflicting entitlements. |
| Remediation Failed | The Playbook ran but failed entirely. |
| Superseded | A newer run of the same policy detected the same conflict. The old record is replaced by the updated violation. |
| Failed | A system error occurred during processing. This is not a Playbook failure. |

Open and Remediation In Progress are active states — the violation is still being worked on. All other statuses are terminal — no further automatic action occurs once a violation reaches them.

Violation lifecycle

Understanding how a violation moves through statuses helps you know what to expect after each policy run.

Detection

When a policy runs, Zluri checks every identity in scope against the configured rules. For each identity that breaks a rule:

  • If the identity has a pre-configured exemption, Zluri creates the violation as Exempted.
  • Otherwise, Zluri creates the violation as Open.

Automated remediation

If the policy is in Enforce mode with a Playbook configured, Zluri triggers remediation automatically once all violations for that run are detected.

  1. The violation moves to Remediation In Progress.
  2. The Playbook runs in the background.
  3. Zluri updates the status based on the outcome:
    • Playbook succeeds: Remediated
    • Playbook partially succeeds: Partially Remediated
    • Playbook fails: Remediation Failed

If the policy is in Monitor mode, violations stay Open. Zluri does not trigger remediation.

Manual actions

At any point you can manually update a violation:

  • Mark it as Remediated if you resolved it outside Zluri.
  • Grant an exemption to move it to Exempted.
  • Reopen a violation in a failed state.

Subsequent policy runs

When the same policy runs again, Zluri marks existing Open violations for the same identity as Superseded and creates fresh Open violations. This keeps the violation list current with the latest detection run.

Status flow at a glance

Policy runs
    │
    ├── Identity has exemption ──────────────────→ Exempted
    │
    └── No exemption ──────────────────────────→ Open
              │
              ├── Monitor mode ─────────────────→ stays Open
              │
              └── Enforce mode ──→ Remediation In Progress
                        │
                        ├── Playbook succeeds ──→ Remediated
                        ├── Partial success ────→ Partially Remediated
                        └── Playbook fails ─────→ Remediation Failed

Next policy run → old Open violations → Superseded

Policy run statuses

Each time a policy runs, Zluri creates an execution record that rolls up the outcome across all violations in that run. Zluri recalculates the execution status automatically every time an individual violation status changes.

The following table describes each execution status.

| Status | Meaning |
| --- | --- |
| Running | Violations are still being processed or remediation is in progress. |
| Success | All violations reached a resolved state: Remediated, Exempted, or Superseded. |
| Failed | All violations ended in a failure state. |
| Completed with Errors | Mixed outcome — some violations resolved, some failed. |
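
The lifecycle and roll-up rules above can be checked against exported records with a small model; the following Python is an added example, not Zluri's code, and its function names and Playbook outcome labels are hypothetical. It assumes that Enforce mode has a Playbook configured, that an Open violation counts as still being processed, and that Partially Remediated is neither a resolved nor a failure state (so it yields Completed with Errors).

```python
# Added illustration, not Zluri code. Status strings come from the tables above.
ACTIVE = {"Open", "Remediation In Progress"}
RESOLVED = {"Remediated", "Exempted", "Superseded"}
FAILURE = {"Remediation Failed", "Failed"}
# Assumption: "Partially Remediated" is in none of these sets.

PLAYBOOK_OUTCOME = {  # keys are hypothetical labels for this example
    "succeeds": "Remediated",
    "partial": "Partially Remediated",
    "fails": "Remediation Failed",
}


def violation_status(has_exemption, mode, playbook_outcome=None):
    """Status of one violation after detection and, in Enforce mode, remediation."""
    if has_exemption:
        return "Exempted"              # pre-configured exemption wins at detection
    if mode == "Monitor":
        return "Open"                  # Monitor mode never triggers remediation
    if mode != "Enforce":
        raise ValueError(f"unknown enforcement mode: {mode!r}")
    if playbook_outcome is None:
        return "Remediation In Progress"   # Playbook still running
    return PLAYBOOK_OUTCOME[playbook_outcome]


def execution_status(statuses):
    """Roll the violation statuses of one policy run up into an execution status."""
    statuses = list(statuses)
    if not statuses:
        raise ValueError("the page defines no status for a run without violations")
    if any(s in ACTIVE for s in statuses):
        return "Running"
    if all(s in RESOLVED for s in statuses):
        return "Success"
    if all(s in FAILURE for s in statuses):
        return "Failed"
    return "Completed with Errors"


# Constructed sample run in Enforce mode: (has_exemption, playbook_outcome) per identity.
SAMPLE_RUN = [(True, None), (False, "succeeds"), (False, "fails")]


def sample_rollup():
    return execution_status(violation_status(e, "Enforce", o) for e, o in SAMPLE_RUN)
```
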

Understand a violation

The violation detail drawer opens when you select a violation row. The header shows the policy name, version, and identity, tagged with severity, occurrence type (Recurring for identities detected across multiple runs), current status, and enforcement mode.

The Why was this flagged section displays the matching entitlements from Set A and Set B side by side, each with the app, account type, and entitlement identifier. The Violation Details panel shows the Assignee, Violation ID, Status, Severity, Enforcement Mode, Detected at, and Occurrence count over the last 30 days. The Remediation section shows the Playbooks assigned to each set and the trigger schedule.

The Related tab shows all prior violation records for the same identity and policy (Related Violations) and any exemptions linked to this identity (Related Exemptions).

Violation detail drawer showing Why was this flagged, Set A and Set B matching entitlements, Remediate buttons, and Violation Details panel

Violation detail drawer with Copy Link button highlighted in the drawer header

Violation detail Related tab showing Related Violations and Related Exemptions sub-tables

Resolve a violation in Enforce mode

When Zluri detects a violation in Enforce mode, it acts based on the Violation Handling shape you configured. Zluri either routes a task to the configured assignee or automatically executes the default-side Playbook.

When the assignee decides

Steps

  1. Open the violation to review the identity and matching entitlements. The Why was this flagged section shows the Set A and Set B cards side by side, each listing the matching entitlements with the app and account type.
  2. Select Remediate on the Set A or Set B card to choose which set to revoke.
  3. Confirm the action. Zluri runs the Playbook configured for the selected set and updates the violation status to Remediated.

Use this option when you want a human to review the full context before revoking access.

When the system chooses the default side

Zluri automatically runs the configured Playbook for the pre-selected set. No manual action is required. Zluri updates the violation status to Remediated after the Playbook completes.

Use this option for high-confidence conflicts where the correct set to revoke is always the same.

Export violations

Select Export CSV from the violations list to download all violation records for audit evidence. The export includes the violation record, remediation actions taken, and exemption details.