---
id: create-sod-policy
sidebar_label: Create SOD Policy
hide_title: true
hide_table_of_contents: true
api: {"operationId":"createSodPolicy","tags":["SOD Policy"],"description":"This creates both General and Conflicting Access Based policy, with a limit of 50 entitlements for each (left & right) criteria for Conflicting Access Based SOD policy\nRequires role of ORG_ADMIN","requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"id":{"type":"string","description":"Policy id","example":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde"},"name":{"type":"string","description":"Policy Business Name","example":"policy-xyz"},"created":{"type":"string","format":"date-time","description":"The time when this SOD policy is created.","example":"2020-01-01T00:00:00.000000Z"},"modified":{"type":"string","format":"date-time","description":"The time when this SOD policy is modified.","example":"2020-01-01T00:00:00.000000Z"},"description":{"type":"string","description":"Optional description of the SOD policy","example":"This policy ensures compliance of xyz"},"ownerRef":{"type":"object","properties":{"type":{"description":"DTO type","type":"string","enum":["ACCOUNT_CORRELATION_CONFIG","ACCESS_PROFILE","ACCESS_REQUEST_APPROVAL","ACCOUNT","APPLICATION","CAMPAIGN","CAMPAIGN_FILTER","CERTIFICATION","CLUSTER","CONNECTOR_SCHEMA","ENTITLEMENT","GOVERNANCE_GROUP","IDENTITY","IDENTITY_PROFILE","IDENTITY_REQUEST","LIFECYCLE_STATE","PASSWORD_POLICY","ROLE","RULE","SOD_POLICY","SOURCE","TAG_CATEGORY","TASK_RESULT","REPORT_RESULT","SOD_VIOLATION","ACCOUNT_ACTIVITY"],"example":"IDENTITY"},"id":{"type":"string","description":"ID of the object to which this reference applies","example":"2c91808568c529c60168cca6f90c1313"},"name":{"type":"string","description":"Human-readable display name of the object to which this reference applies","example":"William Wilson"}}},"externalPolicyReference":{"type":"string","description":"Optional External Policy Reference","example":"XYZ policy"},"policyQuery":{"type":"string","description":"Search query of the SOD 
policy","example":"@access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdg) AND @access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdf)"},"compensatingControls":{"type":"string","description":"Optional compensating controls(Mitigating Controls)","example":"Have a manager review the transaction decisions for their \"out of compliance\" employee"},"correctionAdvice":{"type":"string","description":"Optional correction advice","example":"Based on the role of the employee, managers should remove access that is not required for their job function."},"state":{"type":"string","description":"whether the policy is enforced or not","enum":["ENFORCED","NOT_ENFORCED"],"example":"ENFORCED"},"tags":{"type":"array","description":"tags for this policy object","example":["TAG1","TAG2"],"items":{"type":"string"}},"creatorId":{"type":"string","description":"Policy's creator ID","example":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde"},"modifierId":{"type":"string","description":"Policy's modifier ID","example":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde","nullable":true},"violationOwnerAssignmentConfig":{"nullable":true,"type":"object","properties":{"assignmentRule":{"type":"string","enum":["MANAGER","STATIC"],"description":"Details about the violations owner.\nMANAGER - identity's manager\nSTATIC - Governance Group or Identity","example":"MANAGER"},"ownerRef":{"type":"object","properties":{"type":{"description":"DTO type","type":"string","enum":["ACCOUNT_CORRELATION_CONFIG","ACCESS_PROFILE","ACCESS_REQUEST_APPROVAL","ACCOUNT","APPLICATION","CAMPAIGN","CAMPAIGN_FILTER","CERTIFICATION","CLUSTER","CONNECTOR_SCHEMA","ENTITLEMENT","GOVERNANCE_GROUP","IDENTITY","IDENTITY_PROFILE","IDENTITY_REQUEST","LIFECYCLE_STATE","PASSWORD_POLICY","ROLE","RULE","SOD_POLICY","SOURCE","TAG_CATEGORY","TASK_RESULT","REPORT_RESULT","SOD_VIOLATION","ACCOUNT_ACTIVITY"],"example":"IDENTITY"},"id":{"type":"string","description":"ID of the object to which this reference 
applies","example":"2c91808568c529c60168cca6f90c1313"},"name":{"type":"string","description":"Human-readable display name of the object to which this reference applies","example":"William Wilson"}}}}},"scheduled":{"type":"boolean","description":"defines whether a policy has been scheduled or not","example":true},"type":{"type":"string","description":"whether a policy is query based or conflicting access based","default":"GENERAL","enum":["GENERAL","CONFLICTING_ACCESS_BASED"],"example":"GENERAL"},"conflictingAccessCriteria":{"nullable":true,"type":"object","properties":{"leftCriteria":{"type":"object","properties":{"name":{"type":"string","description":"Business name for the access construct list","example":"money-in"},"criteriaList":{"type":"array","description":"List of criteria. There is a min of 1 and max of 50 items in the list.","items":{"type":"object","properties":{"type":{"description":"DTO type","type":"string","enum":["ACCOUNT_CORRELATION_CONFIG","ACCESS_PROFILE","ACCESS_REQUEST_APPROVAL","ACCOUNT","APPLICATION","CAMPAIGN","CAMPAIGN_FILTER","CERTIFICATION","CLUSTER","CONNECTOR_SCHEMA","ENTITLEMENT","GOVERNANCE_GROUP","IDENTITY","IDENTITY_PROFILE","IDENTITY_REQUEST","LIFECYCLE_STATE","PASSWORD_POLICY","ROLE","RULE","SOD_POLICY","SOURCE","TAG_CATEGORY","TASK_RESULT","REPORT_RESULT","SOD_VIOLATION","ACCOUNT_ACTIVITY"],"example":"IDENTITY"},"id":{"type":"string","description":"ID of the object to which this reference applies","example":"2c91808568c529c60168cca6f90c1313"},"name":{"type":"string","description":"Human-readable display name of the object to which this reference applies","example":"William Wilson"}}},"example":[{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a66","name":"Administrator"},{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a67","name":"Administrator"}]}}},"rightCriteria":{"type":"object","properties":{"name":{"type":"string","description":"Business name for the access construct 
list","example":"money-in"},"criteriaList":{"type":"array","description":"List of criteria. There is a min of 1 and max of 50 items in the list.","items":{"type":"object","properties":{"type":{"description":"DTO type","type":"string","enum":["ACCOUNT_CORRELATION_CONFIG","ACCESS_PROFILE","ACCESS_REQUEST_APPROVAL","ACCOUNT","APPLICATION","CAMPAIGN","CAMPAIGN_FILTER","CERTIFICATION","CLUSTER","CONNECTOR_SCHEMA","ENTITLEMENT","GOVERNANCE_GROUP","IDENTITY","IDENTITY_PROFILE","IDENTITY_REQUEST","LIFECYCLE_STATE","PASSWORD_POLICY","ROLE","RULE","SOD_POLICY","SOURCE","TAG_CATEGORY","TASK_RESULT","REPORT_RESULT","SOD_VIOLATION","ACCOUNT_ACTIVITY"],"example":"IDENTITY"},"id":{"type":"string","description":"ID of the object to which this reference applies","example":"2c91808568c529c60168cca6f90c1313"},"name":{"type":"string","description":"Human-readable display name of the object to which this reference applies","example":"William Wilson"}}},"example":[{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a66","name":"Administrator"},{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a67","name":"Administrator"}]}}}}}}},"examples":{"Conflicting Access Based Policy":{"value":{"name":"Conflicting-Policy-Name","description":"This policy ensures compliance of xyz","ownerRef":{"type":"IDENTITY","id":"2c91808568c529c60168cca6f90c1313","name":"Owner Name"},"externalPolicyReference":"XYZ policy","compensatingControls":"Have a manager review the transaction decisions for their \"out of compliance\" employee","correctionAdvice":"Based on the role of the employee, managers should remove access that is not required for their job function.","state":"ENFORCED","tags":["string"],"creatorId":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde","modifierId":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde","violationOwnerAssignmentConfig":{"assignmentRule":"MANAGER","ownerRef":{"type":"IDENTITY","id":"2c91808568c529c60168cca6f90c1313","name":"Violation Owner 
Name"}},"scheduled":true,"type":"CONFLICTING_ACCESS_BASED","conflictingAccessCriteria":{"leftCriteria":{"name":"money-in","criteriaList":[{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a66"},{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a67"}]},"rightCriteria":{"name":"money-out","criteriaList":[{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a68"},{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a69"}]}}}},"General Policy":{"value":{"description":"Description","ownerRef":{"type":"IDENTITY","id":"2c918087682f9a86016839c05e8f1aff","name":"Owner Name"},"externalPolicyReference":"New policy","policyQuery":"policy query implementation","compensatingControls":"Compensating controls","correctionAdvice":"Correction advice","tags":[],"state":"ENFORCED","scheduled":false,"creatorId":"2c918087682f9a86016839c05e8f1aff","modifierId":null,"violationOwnerAssignmentConfig":null,"name":"General-Policy-Name"}}}}}},"responses":{"201":{"description":"SOD policy created","content":{"application/json":{"schema":{"type":"object","properties":{"id":{"type":"string","description":"Policy id","example":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde"},"name":{"type":"string","description":"Policy Business Name","example":"policy-xyz"},"created":{"type":"string","format":"date-time","description":"The time when this SOD policy is created.","example":"2020-01-01T00:00:00.000000Z"},"modified":{"type":"string","format":"date-time","description":"The time when this SOD policy is modified.","example":"2020-01-01T00:00:00.000000Z"},"description":{"type":"string","description":"Optional description of the SOD policy","example":"This policy ensures compliance of xyz"},"ownerRef":{"type":"object","properties":{"type":{"description":"DTO 
type","type":"string","enum":["ACCOUNT_CORRELATION_CONFIG","ACCESS_PROFILE","ACCESS_REQUEST_APPROVAL","ACCOUNT","APPLICATION","CAMPAIGN","CAMPAIGN_FILTER","CERTIFICATION","CLUSTER","CONNECTOR_SCHEMA","ENTITLEMENT","GOVERNANCE_GROUP","IDENTITY","IDENTITY_PROFILE","IDENTITY_REQUEST","LIFECYCLE_STATE","PASSWORD_POLICY","ROLE","RULE","SOD_POLICY","SOURCE","TAG_CATEGORY","TASK_RESULT","REPORT_RESULT","SOD_VIOLATION","ACCOUNT_ACTIVITY"],"example":"IDENTITY"},"id":{"type":"string","description":"ID of the object to which this reference applies","example":"2c91808568c529c60168cca6f90c1313"},"name":{"type":"string","description":"Human-readable display name of the object to which this reference applies","example":"William Wilson"}}},"externalPolicyReference":{"type":"string","description":"Optional External Policy Reference","example":"XYZ policy"},"policyQuery":{"type":"string","description":"Search query of the SOD policy","example":"@access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdg) AND @access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdf)"},"compensatingControls":{"type":"string","description":"Optional compensating controls(Mitigating Controls)","example":"Have a manager review the transaction decisions for their \"out of compliance\" employee"},"correctionAdvice":{"type":"string","description":"Optional correction advice","example":"Based on the role of the employee, managers should remove access that is not required for their job function."},"state":{"type":"string","description":"whether the policy is enforced or not","enum":["ENFORCED","NOT_ENFORCED"],"example":"ENFORCED"},"tags":{"type":"array","description":"tags for this policy object","example":["TAG1","TAG2"],"items":{"type":"string"}},"creatorId":{"type":"string","description":"Policy's creator ID","example":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde"},"modifierId":{"type":"string","description":"Policy's modifier 
ID","example":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde","nullable":true},"violationOwnerAssignmentConfig":{"nullable":true,"type":"object","properties":{"assignmentRule":{"type":"string","enum":["MANAGER","STATIC"],"description":"Details about the violations owner.\nMANAGER - identity's manager\nSTATIC - Governance Group or Identity","example":"MANAGER"},"ownerRef":{"type":"object","properties":{"type":{"description":"DTO type","type":"string","enum":["ACCOUNT_CORRELATION_CONFIG","ACCESS_PROFILE","ACCESS_REQUEST_APPROVAL","ACCOUNT","APPLICATION","CAMPAIGN","CAMPAIGN_FILTER","CERTIFICATION","CLUSTER","CONNECTOR_SCHEMA","ENTITLEMENT","GOVERNANCE_GROUP","IDENTITY","IDENTITY_PROFILE","IDENTITY_REQUEST","LIFECYCLE_STATE","PASSWORD_POLICY","ROLE","RULE","SOD_POLICY","SOURCE","TAG_CATEGORY","TASK_RESULT","REPORT_RESULT","SOD_VIOLATION","ACCOUNT_ACTIVITY"],"example":"IDENTITY"},"id":{"type":"string","description":"ID of the object to which this reference applies","example":"2c91808568c529c60168cca6f90c1313"},"name":{"type":"string","description":"Human-readable display name of the object to which this reference applies","example":"William Wilson"}}}}},"scheduled":{"type":"boolean","description":"defines whether a policy has been scheduled or not","example":true},"type":{"type":"string","description":"whether a policy is query based or conflicting access based","default":"GENERAL","enum":["GENERAL","CONFLICTING_ACCESS_BASED"],"example":"GENERAL"},"conflictingAccessCriteria":{"nullable":true,"type":"object","properties":{"leftCriteria":{"type":"object","properties":{"name":{"type":"string","description":"Business name for the access construct list","example":"money-in"},"criteriaList":{"type":"array","description":"List of criteria. 
There is a min of 1 and max of 50 items in the list.","items":{"type":"object","properties":{"type":{"description":"DTO type","type":"string","enum":["ACCOUNT_CORRELATION_CONFIG","ACCESS_PROFILE","ACCESS_REQUEST_APPROVAL","ACCOUNT","APPLICATION","CAMPAIGN","CAMPAIGN_FILTER","CERTIFICATION","CLUSTER","CONNECTOR_SCHEMA","ENTITLEMENT","GOVERNANCE_GROUP","IDENTITY","IDENTITY_PROFILE","IDENTITY_REQUEST","LIFECYCLE_STATE","PASSWORD_POLICY","ROLE","RULE","SOD_POLICY","SOURCE","TAG_CATEGORY","TASK_RESULT","REPORT_RESULT","SOD_VIOLATION","ACCOUNT_ACTIVITY"],"example":"IDENTITY"},"id":{"type":"string","description":"ID of the object to which this reference applies","example":"2c91808568c529c60168cca6f90c1313"},"name":{"type":"string","description":"Human-readable display name of the object to which this reference applies","example":"William Wilson"}}},"example":[{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a66","name":"Administrator"},{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a67","name":"Administrator"}]}}},"rightCriteria":{"type":"object","properties":{"name":{"type":"string","description":"Business name for the access construct list","example":"money-in"},"criteriaList":{"type":"array","description":"List of criteria. 
There is a min of 1 and max of 50 items in the list.","items":{"type":"object","properties":{"type":{"description":"DTO type","type":"string","enum":["ACCOUNT_CORRELATION_CONFIG","ACCESS_PROFILE","ACCESS_REQUEST_APPROVAL","ACCOUNT","APPLICATION","CAMPAIGN","CAMPAIGN_FILTER","CERTIFICATION","CLUSTER","CONNECTOR_SCHEMA","ENTITLEMENT","GOVERNANCE_GROUP","IDENTITY","IDENTITY_PROFILE","IDENTITY_REQUEST","LIFECYCLE_STATE","PASSWORD_POLICY","ROLE","RULE","SOD_POLICY","SOURCE","TAG_CATEGORY","TASK_RESULT","REPORT_RESULT","SOD_VIOLATION","ACCOUNT_ACTIVITY"],"example":"IDENTITY"},"id":{"type":"string","description":"ID of the object to which this reference applies","example":"2c91808568c529c60168cca6f90c1313"},"name":{"type":"string","description":"Human-readable display name of the object to which this reference applies","example":"William Wilson"}}},"example":[{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a66","name":"Administrator"},{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a67","name":"Administrator"}]}}}}}}},"examples":{"Conflicting Access Based Policy":{"value":{"id":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde","name":"Conflicting-Policy-Name","created":"2020-01-01T00:00:00.000000Z","modified":"2020-01-01T00:00:00.000000Z","description":"This policy ensures compliance of xyz","ownerRef":{"type":"IDENTITY","id":"2c91808568c529c60168cca6f90c1313","name":"Owner Name"},"externalPolicyReference":"XYZ policy","policyQuery":"@access(id:2c9180866166b5b0016167c32ef31a66 OR id:2c9180866166b5b0016167c32ef31a67) AND @access(id:2c9180866166b5b0016167c32ef31a68 OR id:2c9180866166b5b0016167c32ef31a69)","compensatingControls":"Have a manager review the transaction decisions for their \"out of compliance\" employee","correctionAdvice":"Based on the role of the employee, managers should remove access that is not required for their job 
function.","state":"ENFORCED","tags":["string"],"creatorId":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde","modifierId":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde","violationOwnerAssignmentConfig":{"assignmentRule":"MANAGER","ownerRef":{"type":"IDENTITY","id":"2c91808568c529c60168cca6f90c1313","name":"Violation Owner Name"}},"scheduled":true,"type":"CONFLICTING_ACCESS_BASED","conflictingAccessCriteria":{"leftCriteria":{"name":"money-in","criteriaList":[{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a66"},{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a67"}]},"rightCriteria":{"name":"money-out","criteriaList":[{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a68"},{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a69"}]}}}},"General Policy":{"value":{"description":"Description","ownerRef":{"type":"IDENTITY","id":"2c918087682f9a86016839c05e8f1aff","name":"Owner Name"},"externalPolicyReference":"New policy","policyQuery":"policy query implementation","compensatingControls":"Compensating controls","correctionAdvice":"Correction advice","tags":[],"state":"ENFORCED","scheduled":false,"creatorId":"2c918087682f9a86016839c05e8f1aff","modifierId":null,"violationOwnerAssignmentConfig":null,"type":"GENERAL","conflictingAccessCriteria":null,"id":"52c11db4-733e-4c31-949a-766c95ec95f1","name":"General-Policy-Name","created":"2020-05-12T19:47:38Z","modified":"2020-05-12T19:47:38Z"}}}}}},"400":{"description":"Client Error - Returned if the request body is invalid.","content":{"application/json":{"schema":{"type":"object","properties":{"detailCode":{"type":"string","description":"Fine-grained error code providing more detail of the error.","example":"400.1 Bad Request Content"},"trackingId":{"type":"string","description":"Unique tracking id for the error.","example":"e7eab60924f64aa284175b9fa3309599"},"messages":{"type":"array","description":"Generic localized reason for error","items":{"type":"object","properties":{"locale":{"type":"string","description":"The 
locale for the message text, a BCP 47 language tag.","example":"en-US"},"localeOrigin":{"type":"string","enum":["DEFAULT","REQUEST"],"description":"An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.","example":"DEFAULT"},"text":{"type":"string","description":"Actual text of the error message in the indicated locale.","example":"The request was syntactically correct but its content is semantically invalid."}}}},"causes":{"type":"array","description":"Plain-text descriptive reasons to provide additional detail to the text provided in the messages field","items":{"type":"object","properties":{"locale":{"type":"string","description":"The locale for the message text, a BCP 47 language tag.","example":"en-US"},"localeOrigin":{"type":"string","enum":["DEFAULT","REQUEST"],"description":"An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). 
Additional values may be added in the future without notice.","example":"DEFAULT"},"text":{"type":"string","description":"Actual text of the error message in the indicated locale.","example":"The request was syntactically correct but its content is semantically invalid."}}}}}}}}},"401":{"description":"Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.","content":{"application/json":{"schema":{"type":"object","properties":{"error":{"description":"A message describing the error","example":"JWT validation failed: JWT is expired"}}}}}},"403":{"description":"Forbidden - Returned if the user you are running as, doesn't have access to this end-point.","content":{"application/json":{"schema":{"type":"object","properties":{"detailCode":{"type":"string","description":"Fine-grained error code providing more detail of the error.","example":"400.1 Bad Request Content"},"trackingId":{"type":"string","description":"Unique tracking id for the error.","example":"e7eab60924f64aa284175b9fa3309599"},"messages":{"type":"array","description":"Generic localized reason for error","items":{"type":"object","properties":{"locale":{"type":"string","description":"The locale for the message text, a BCP 47 language tag.","example":"en-US"},"localeOrigin":{"type":"string","enum":["DEFAULT","REQUEST"],"description":"An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). 
Additional values may be added in the future without notice.","example":"DEFAULT"},"text":{"type":"string","description":"Actual text of the error message in the indicated locale.","example":"The request was syntactically correct but its content is semantically invalid."}}}},"causes":{"type":"array","description":"Plain-text descriptive reasons to provide additional detail to the text provided in the messages field","items":{"type":"object","properties":{"locale":{"type":"string","description":"The locale for the message text, a BCP 47 language tag.","example":"en-US"},"localeOrigin":{"type":"string","enum":["DEFAULT","REQUEST"],"description":"An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.","example":"DEFAULT"},"text":{"type":"string","description":"Actual text of the error message in the indicated locale.","example":"The request was syntactically correct but its content is semantically invalid."}}}}}},"examples":{"403":{"summary":"An example of a 403 response object","value":{"detailCode":"403 Forbidden","trackingId":"b21b1f7ce4da4d639f2c62a57171b427","messages":[{"locale":"en-US","localeOrigin":"DEFAULT","text":"The server understood the request but refuses to authorize it."}]}}}}}},"429":{"description":"Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. 
The Retry-After header in the response includes how long to wait before trying again.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"description":"A message describing the error","example":" Rate Limit Exceeded "}}}}}},"500":{"description":"Internal Server Error - Returned if there is an unexpected error.","content":{"application/json":{"schema":{"type":"object","properties":{"detailCode":{"type":"string","description":"Fine-grained error code providing more detail of the error.","example":"400.1 Bad Request Content"},"trackingId":{"type":"string","description":"Unique tracking id for the error.","example":"e7eab60924f64aa284175b9fa3309599"},"messages":{"type":"array","description":"Generic localized reason for error","items":{"type":"object","properties":{"locale":{"type":"string","description":"The locale for the message text, a BCP 47 language tag.","example":"en-US"},"localeOrigin":{"type":"string","enum":["DEFAULT","REQUEST"],"description":"An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.","example":"DEFAULT"},"text":{"type":"string","description":"Actual text of the error message in the indicated locale.","example":"The request was syntactically correct but its content is semantically invalid."}}}},"causes":{"type":"array","description":"Plain-text descriptive reasons to provide additional detail to the text provided in the messages field","items":{"type":"object","properties":{"locale":{"type":"string","description":"The locale for the message text, a BCP 47 language tag.","example":"en-US"},"localeOrigin":{"type":"string","enum":["DEFAULT","REQUEST"],"description":"An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.","example":"DEFAULT"},"text":{"type":"string","description":"Actual text of the error message in the indicated locale.","example":"The request was syntactically correct but its content is semantically invalid."}}}}}},"examples":{"500":{"summary":"An example of a 500 response object","value":{"detailCode":"500.0 Internal Fault","trackingId":"b21b1f7ce4da4d639f2c62a57171b427","messages":[{"locale":"en-US","localeOrigin":"DEFAULT","text":"An internal fault occurred."}]}}}}}}},"method":"post","path":"/sod-policies","servers":[{"url":"https://{tenant}.api.identitynow.com/beta","description":"This is the beta API server.","variables":{"tenant":{"default":"sailpoint","description":"This is the name of your tenant, typically your company's name."}}}],"security":[{"oauth2":[]}],"securitySchemes":{"oauth2":{"type":"oauth2","description":"OAuth2 Bearer token (JWT). See [IdentityNow REST API Authentication](https://developer.sailpoint.com/docs/authentication.html) for more information.\n- Directions for generating a [personal access token](https://developer.sailpoint.com/docs/authentication.html#personal-access-tokens)\n- Directions using [client credentials flow](https://developer.sailpoint.com/docs/authentication.html#client-credentials-grant-flow)\n- Directions for using [authorization code flow](https://developer.sailpoint.com/docs/authentication.html#authorization-code-grant-flow)\n\nWhich authentication method should I choose? 
See our [guide](https://developer.sailpoint.com/docs/authentication.html#which-oauth-2-0-grant-flow-should-i-use)\n\nLearn more about how to find your `tokenUrl` and `authorizationUrl` [in our docs](https://developer.sailpoint.com/docs/authentication.html#finding-your-tenant-s-oauth-details)\n","flows":{"clientCredentials":{"tokenUrl":"https://tenant.api.identitynow.com/oauth/token","scopes":{"sp:scopes:default":"default scope","sp:scopes:all":"access to all scopes"}},"authorizationCode":{"authorizationUrl":"https://tenant.identitynow.com/oauth/authorize","tokenUrl":"https://tenant.api.identitynow.com/oauth/token","scopes":{"sp:scopes:default":"default scope","sp:scopes:all":"access to all scopes"}}}}},"jsonRequestBodyExample":{"id":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde","name":"policy-xyz","created":"2020-01-01T00:00:00.000000Z","modified":"2020-01-01T00:00:00.000000Z","description":"This policy ensures compliance of xyz","ownerRef":{"type":"IDENTITY","id":"2c91808568c529c60168cca6f90c1313","name":"William Wilson"},"externalPolicyReference":"XYZ policy","policyQuery":"@access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdg) AND @access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdf)","compensatingControls":"Have a manager review the transaction decisions for their \"out of compliance\" employee","correctionAdvice":"Based on the role of the employee, managers should remove access that is not required for their job function.","state":"ENFORCED","tags":["TAG1","TAG2"],"creatorId":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde","modifierId":"0f11f2a4-7c94-4bf3-a2bd-742580fe3bde","violationOwnerAssignmentConfig":{"assignmentRule":"MANAGER","ownerRef":{"type":"IDENTITY","id":"2c91808568c529c60168cca6f90c1313","name":"William 
Wilson"}},"scheduled":true,"type":"GENERAL","conflictingAccessCriteria":{"leftCriteria":{"name":"money-in","criteriaList":[{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a66","name":"Administrator"},{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a67","name":"Administrator"}]},"rightCriteria":{"name":"money-in","criteriaList":[{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a66","name":"Administrator"},{"type":"ENTITLEMENT","id":"2c9180866166b5b0016167c32ef31a67","name":"Administrator"}]}}},"info":{"contact":{"email":"developers@sailpoint.com","name":"Developer Relations","url":"https://developer.sailpoint.com/discuss"},"description":"These are the public, beta APIs for SailPoint's SaaS services and are subject to change.","title":"SailPoint - Beta SaaS API","version":"3.1.0-beta"},"postman":{"name":"Create SOD Policy","description":{"content":"This creates both General and Conflicting Access Based policy, with a limit of 50 entitlements for each (left & right) criteria for Conflicting Access Based SOD policy\nRequires role of ORG_ADMIN","type":"text/plain"},"url":{"path":["sod-policies"],"host":["{{baseUrl}}"],"query":[],"variable":[]},"header":[{"key":"Content-Type","value":"application/json"},{"key":"Accept","value":"application/json"}],"method":"POST","body":{"mode":"raw","raw":"\"\"","options":{"raw":{"language":"json"}}}}}
sidebar_class_name: "post api-method"
info_path: docs/sailpoint-api-beta/sail-point-beta-saa-s-api
---
import ApiTabs from "@theme/ApiTabs";
import MimeTabs from "@theme/MimeTabs";
import ParamsItem from "@theme/ParamsItem";
import ResponseSamples from "@theme/ResponseSamples";
import SchemaItem from "@theme/SchemaItem"
import SchemaTabs from "@theme/SchemaTabs";
import DiscriminatorTabs from "@theme/DiscriminatorTabs";
import TabItem from "@theme/TabItem";
## Create SOD Policy
Creates an SOD policy of either type: General or Conflicting Access Based. For a Conflicting Access Based SOD policy, each criteria list (left and right) is limited to 50 entitlements.
Requires the ORG_ADMIN role.
Request Body required
ownerRef object
violationOwnerAssignmentConfig object
ownerRef object
conflictingAccessCriteria object
leftCriteria object
criteriaList object[]
rightCriteria object
criteriaList object[]