You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. If, on verification, the definition of a security role or the role assignments of a user violate the rules, the conflict is logged. The security administrator must resolve all conflicts.

For each logged conflict, you can:

  • Deny the role assignment – Deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user is not granted the access that is associated with the role, and the user cannot be assigned to the role until the security administrator removes the exclusion.
  • Allow the role assignment – Override the conflict and allow the user to be assigned to both security roles. If you override a conflict, you must enter a reason in the Reason for override field.

Complete the following procedure to view and resolve conflicts.


Standard procedure

1. Click Integrated risk management.
2. Click the Enhanced SoD conflicts tab.
3. Sub-task: Deny assignment.
  3.1 In the list, find, select, and review a conflict.
  3.2 Click Edit.
  3.3 Click Deny assignment.
  3.4 In the Select the role to exclude the user from field, select an option.
  3.5 Click OK.
  3.6 Close the page.
4. Sub-task: Allow assignment.
  4.1 In the list, find, select, and review a conflict.
  4.2 Click Edit.
  4.3 Click Allow assignment.
  4.4 In the Override reason field, type a value.
  4.5 Click OK.
  4.6 Close the page.
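
The following is an added illustration, not the product's own code: a small Python model of the conflict lifecycle described above (a conflict is logged on verification, then resolved by denying with an exclusion or allowing with a mandatory reason). The class, its methods, and the role and user names are all constructed for this sketch, and it simplifies by granting the role first and withdrawing it when the assignment is denied.

```python
from dataclasses import dataclass, field

@dataclass
class SodModel:
    """Constructed model of the behaviour described on this page."""
    rules: set = field(default_factory=set)        # each rule: frozenset of 2 roles
    assigned: dict = field(default_factory=dict)   # user -> set of roles
    excluded: set = field(default_factory=set)     # (user, role) exclusions
    overrides: dict = field(default_factory=dict)  # (user, rule) -> override reason
    conflicts: list = field(default_factory=list)  # logged, unresolved (user, rule)

    def assign(self, user, role):
        if (user, role) in self.excluded:
            return False  # stays blocked until the administrator removes the exclusion
        self.assigned.setdefault(user, set()).add(role)
        self.verify(user)
        return True

    def verify(self, user):
        """Log each rule the user's roles violate, unless it was overridden."""
        roles = self.assigned.get(user, set())
        for rule in self.rules:
            key = (user, rule)
            if rule <= roles and key not in self.overrides and key not in self.conflicts:
                self.conflicts.append(key)

    def deny(self, user, rule, role_to_exclude):
        if role_to_exclude not in rule:
            raise ValueError("the excluded role must be one of the conflicting roles")
        self.assigned[user].discard(role_to_exclude)
        self.excluded.add((user, role_to_exclude))
        self.conflicts.remove((user, rule))

    def allow(self, user, rule, reason):
        if not (reason or "").strip():
            raise ValueError("an override reason is required")
        self.overrides[(user, rule)] = reason      # kept as the audit record
        self.conflicts.remove((user, rule))

    def remove_exclusion(self, user, role):
        self.excluded.discard((user, role))

if __name__ == "__main__":
    rule = frozenset({"VendorMaintenance", "PaymentApproval"})  # constructed names
    m = SodModel(rules={rule})
    m.assign("alice", "VendorMaintenance")
    m.assign("alice", "PaymentApproval")
    print("logged conflicts:", m.conflicts)
    m.deny("alice", rule, "PaymentApproval")
    print("re-assign while excluded:", m.assign("alice", "PaymentApproval"))
```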
