Two fundamental elements of internal control are restricted access and segregation of certain key duties. Segregation of duties (SOD) and system access controls are used to prevent fraud and safeguard information assets, intellectual property, personally identifiable information (PII) and protected health information (PHI).

The underlying idea behind SOD is that no employee or group of employees should be in a position to both perpetrate and conceal errors or fraud in the normal course of their duties. The principal duties typically outlined as incompatible and which should be segregated are:

  • Custody of assets
  • Authorization or approval of related transactions affecting those assets
  • Recording or reporting of related transactions

In Information Technology (IT), privilege controls are usually restricted according to user role. With today’s evolving technologies, SOD for information technology processes are critical to maintain safe and reliable data and protect against fraud.  A consistent framework should also encompass management duties (e.g., granting or revoking the proper rights to the appointed people, reporting and managing any exception to the procedures) and governance duties (evaluating, directing and monitoring SOD rules and practices in accordance with corporate governance).

This alternate model encompasses some management duties within the authorization of access granted and segregates them from the other duties. 

Learning Objectives
  • Explore the basic tenets of segregation of duties (SOD) as it relates to information technology (IT) processes.
  • Identify user categories for segregation of duties (SOD) related to information technology (IT).
  • Explore role based access controls (RBAC).
  • Discover methods to “scope” IT SOD through scoping of:
    • Assets as boundaries
    • Processes as boundaries
    • Identify the criticality of mapping activities with duties
    • Evaluation of systems and applications
    • Detecting conflicts that may arise
  • Discover the National Institute of Standards and Technology (NIST) categories of RBAC.
Last updated/reviewed: May 12, 2022
12 Reviews (55 ratings)


Member's Profile
Very comprehensive and imfo content The instructor explained all topics in the course in easy and friendly manner I highly recommend this course to everyone who seeks cybersecurity course or to fulfill isaca cpe for isca certifications. Many thanks to illumeo All your courses are excellent and comprehensive in all fields.

Anonymous Author
Good explanation of RBAC & SOD relating to information technology (IT) processes. Good definitions og user categories for segregation of duties (SOD) and methods to “scope” IT SOD, Identify the criticality of mapping activities with duties and introduction to NIST.

Anonymous Author
There is a great deal of information presented in this course, relevant to business as well as IT roles. Very thought-provoking and more complex than my initial assumptions on this topic.

Anonymous Author
Great concise course over SoD and role based access provisioning methods and the mitigating controls structures. I would recommend this course for any entry level IT associate.

Anonymous Author
Test is poorly written based on materials for this course. I would suggest a re-write as this was not representative of the materials and the concepts.

Member's Profile
Difficult training - more examples within the slides could be added as examples provided orally in the recording are very generic.

Anonymous Author
This is a refreshing RBAC training. Nothing surprised me. It will be most beneficial to performance auditors.

Anonymous Author
This course provides an understanding of segregation of duties from an information technology aspect.

Anonymous Author
This was an excellent course and the slides provided great explanations.

Anonymous Author
Good course review for IT personnel and intro for new IT personnel.

Anonymous Author
A good course that covered the importance of segregation of dutes.

Anonymous Author
Final exam didn't seem to fully correspond with covered material.

Course Complexity:

No advanced preparation or prerequisites are required for this course.

Education Provider Information
Company: Illumeo, Inc., 75 East Santa Clara St., Suite 1215, San Jose, CA 95113
Contact: For more information regarding this course, including complaint and cancellation policies, please contact our offices at (408) 400- 3993 or send an e-mail to .
Instructor for this course
Course Syllabus
  Introduction to Role Based Access Information Technology Controls and Segregation of Duties5:19
  SOD Basic Tenants & Role Based Access Control17:52
  Designations of RBAC3:33
  Implementing RBAC6:25
  RBAC VS. ACLS & User Categories9:32
  Benefits of RBAC8:29
  Specific SOD7:05
  Introduction to Role Based Access Information Technology Controls and Segregation of Duties 1:00:21
  Slides: Introduction to Role Based Access Information Technology Controls and Segregation of DutiesPDF
  Introduction to Role Based Access Information Technology Controls and Segregation of Duties Glossary/IndexPDF