runbookify
Compliance, Quality & Risk / Internal Controls & SOX Testing

Segregation of Duties (SoD) Conflict Checker

Check user role and access assignments against your segregation-of-duties ruleset, flag every conflict, and route each one through a human disposition gate - remove access or accept with a documented mitigating control - then track it to resolution and export a clean violation log.

  • Level: Intermediate
  • Time: A weekend
  • Builds on: Next.js (App Router) on Vercel; Supabase (Postgres, Storage, Auth + RLS); Resend (email reports and alerts)
What you'll build

An internal web tool where you import an access list and an editable SoD ruleset, the AI detects every conflicting duty combination, the controls owner reviews and dispositions each one (remove access or accept with a mitigating control), conflicts are tracked to resolution, a report is emailed via Resend, and the full violation log exports as CSV in the columns your GRC system expects.

Gated download

Enter your email — the plan downloads instantly and a copy lands in your inbox.

By submitting your email you'll also receive the weekly runbookify newsletter. You can unsubscribe at any time.

Before you start

  • A user-to-roles/permissions export from your ERP or IT system (CSV or Google Sheet) - no live integration required
  • Your segregation-of-duties ruleset: which duty pairs conflict (e.g., create vendor + approve payment)
  • Free accounts on Vercel, Supabase, and Resend
  • No coding experience needed - you'll paste a runbook into Claude Code

The problem this kills

Segregation of duties sounds simple - one person shouldn't be able to both create a vendor and approve the payment to it - but enforcing it across hundreds of users and dozens of roles is brutal. The access data lives in an ERP export, the conflict rules live in someone's head or a stale spreadsheet, and the "review" is a heroic quarterly afternoon of eyeballing pivot tables. Conflicts get missed. Worse, the ones that get spotted get quietly cleared with no record of who decided it was fine or why.

That last part is what gets organizations in trouble at audit time. A flagged conflict that was "accepted" needs a documented mitigating control and a named owner - not a deleted row. You need a system where nothing can be silently cleared, every disposition is recorded, and you can re-run the whole check the moment access changes.

What you'll build

A small, private web tool for your internal-controls, IT-security, and audit team:

  • Import access - drop in your user-to-roles/permissions export (CSV or Google Sheet).
  • Editable ruleset - maintain your SoD conflict rules (duty pairs that shouldn't be combined) right in the app, no code changes needed.
  • Automatic detection - the tool matches every user's combined access against the ruleset and flags each conflict, deduped by user + conflict-rule so the same violation never shows up twice.
  • Human disposition gate - the controls owner opens each flagged conflict and chooses: remove access, or accept with a documented mitigating control. Nothing is recorded until a person approves it.
  • Track to resolution - open vs. dispositioned, unmitigated vs. mitigated, all visible at a glance.
  • Report + export - email a conflict report via Resend and export the violation log as a CSV in the exact columns your GRC or audit system expects.

What's inside the Implementation Plan

  • A copy-paste runbook you hand to Claude Code, step by step - you don't write the code, the AI does.
  • It opens by interviewing you about your business. Before building anything, the plan has the AI ask you about your current process, your ERP and IT systems, the real field names and role/permission naming in your export, your typical and peak user counts, your exact conflict rules, and your messy edge cases (shared service accounts, temporary access, emergency "firefighter" roles). It reflects a short tailored spec back to you for a thumbs-up - so you get a tool shaped to your data, not a generic template.
  • The full build: login, database with row-level security, the importer, the rule engine, the disposition workflow, the audit trail, the Resend report, and the CSV export.
  • A "No API yet?" fallback so the whole thing is buildable today from a spreadsheet export, with a clean CSV out.
  • A verification checklist so you can prove it works before you trust it.

The governance it includes (this is the point)

  • Login so only your team can open the tool.
  • Row-level security so each organization only ever sees its own access data and conflicts.
  • A complete audit trail - who flagged what, who dispositioned it, what they decided, and when.
  • A hard human-in-the-loop approval gate - the AI drafts the conflict list, the controls owner reviews and approves each disposition, and only then is it recorded. Conflicts can never be silently cleared.
  • Duplicate guards - a dedupe key of user + conflict-rule means the same violation can't be processed twice, even across re-runs.
  • Unmitigated vs. mitigated tracking, with the mitigating control text stored on every accepted conflict, ready for your auditor.
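To make the rule engine, the user + conflict-rule dedupe key, and the disposition gate concrete, here is a small added example in Python. It is not code from the plan or from runbookify; the access export columns (user, role), the role-to-duty mapping, the rule ids, and the CSV export columns are all assumptions and the sample rows are constructed. It covers both the "Automatic detection" step above and the duplicate-guard and human-in-the-loop items in this list: a re-run never creates a second entry for the same user and rule, and an "accept" without a written mitigating control is rejected.

```python
"""Minimal SoD conflict checker (added example, not the plan's own code):
detect duty-pair conflicts from an access export, dedupe by (user, rule),
and force every conflict through a disposition gate."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample access export (user,role) - not a real ERP export.
ACCESS_CSV = """user,role
alice,AP_VENDOR_MAINT
alice,AP_PAYMENT_APPROVER
alice,AP_VENDOR_MAINT_LEGACY
bob,AP_VENDOR_MAINT
carol,AP_PAYMENT_APPROVER
carol,GL_JOURNAL_POST
carol,GL_JOURNAL_APPROVE
"""

# Assumed role -> duties mapping; in practice this comes from the ERP role catalog.
ROLE_DUTIES = {
    "AP_VENDOR_MAINT": {"create_vendor"},
    "AP_VENDOR_MAINT_LEGACY": {"create_vendor"},
    "AP_PAYMENT_APPROVER": {"approve_payment"},
    "GL_JOURNAL_POST": {"post_journal"},
    "GL_JOURNAL_APPROVE": {"approve_journal"},
}

# Ruleset: rule id -> pair of duties that must not be held by one person (ids are made up).
RULES = {
    "SOD-001": ("create_vendor", "approve_payment"),
    "SOD-002": ("post_journal", "approve_journal"),
}


@dataclass
class Conflict:
    user: str
    rule_id: str
    evidence_roles: tuple                 # roles that grant the conflicting duties
    status: str = "open"                  # open | removed | accepted
    reviewer: str = ""
    mitigating_control: str = ""
    audit: list = field(default_factory=list)   # (action, actor) trail

    @property
    def key(self):
        return (self.user, self.rule_id)  # the dedupe key


def detect_conflicts(access_csv, role_duties, rules):
    """Return {(user, rule_id): Conflict}: one entry per user+rule, however many roles grant it."""
    user_roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(access_csv)):
        user_roles[row["user"].strip()].add(row["role"].strip())
    found = {}
    for user, roles in sorted(user_roles.items()):
        duty_sources = defaultdict(set)   # duty -> roles granting it
        for role in roles:
            for duty in role_duties.get(role, ()):
                duty_sources[duty].add(role)
        for rule_id, (a, b) in rules.items():
            if a in duty_sources and b in duty_sources:
                roles_involved = tuple(sorted(duty_sources[a] | duty_sources[b]))
                found[(user, rule_id)] = Conflict(user, rule_id, roles_involved,
                                                  audit=[("flagged", "system")])
    return found


def merge_rerun(log, fresh):
    """Apply a re-run to the existing log: new keys are added, existing entries keep their disposition."""
    for key, conflict in fresh.items():
        if key not in log:
            log[key] = conflict
    return log


def disposition(conflict, decision, reviewer, mitigating_control=""):
    """Human gate: only 'remove' or 'accept' are valid, and 'accept' needs a documented control."""
    if conflict.status != "open":
        raise ValueError(f"{conflict.key} already dispositioned as {conflict.status}")
    if decision == "accept":
        if not mitigating_control.strip():
            raise ValueError("accepting a conflict requires a mitigating control")
        conflict.status, conflict.mitigating_control = "accepted", mitigating_control
    elif decision == "remove":
        conflict.status = "removed"
    else:
        raise ValueError(f"unknown decision {decision!r}")
    conflict.reviewer = reviewer
    conflict.audit.append((decision, reviewer))
    return conflict


def summary(log):
    """Counts for the tracking view: open vs. removed vs. accepted-with-control."""
    statuses = [c.status for c in log.values()]
    return {s: statuses.count(s) for s in ("open", "removed", "accepted")}


def export_csv(log):
    """Violation log as CSV in fixed (assumed) columns, sorted by dedupe key."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["user", "rule_id", "roles", "status", "reviewer", "mitigating_control"])
    for c in sorted(log.values(), key=lambda c: c.key):
        writer.writerow([c.user, c.rule_id, ";".join(c.evidence_roles),
                         c.status, c.reviewer, c.mitigating_control])
    return out.getvalue()


if __name__ == "__main__":
    log = merge_rerun({}, detect_conflicts(ACCESS_CSV, ROLE_DUTIES, RULES))
    disposition(log[("carol", "SOD-002")], "accept", "controls_owner",
                "Monthly journal review by CFO; posted/approved pairs sampled")
    log = merge_rerun(log, detect_conflicts(ACCESS_CSV, ROLE_DUTIES, RULES))  # re-run adds nothing
    print(summary(log))
    print(export_csv(log))
```

Note that alice holds create_vendor through two roles and approve_payment through a third, yet she appears once under SOD-001 with all three roles listed as evidence; that is the dedupe key doing its job. The same key is what lets a re-run after an access change add only genuinely new conflicts while leaving earlier dispositions and their audit entries untouched.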

Who it's for

Internal-controls, IT-security, SOX, and audit teams who have to enforce segregation of duties - and prove they did. If you currently run this check in a spreadsheet once a quarter and dread the audit questions about how conflicts were cleared, this turns it into a repeatable, evidenced, re-runnable process.

You've got this - paste the first prompt and let the interview tailor the rest.