Separation of Duties

RPCs

Base URL: https://<Domain id="api"/>

Authentication: Bearer token with governance.sod:write (create/delete) or :read (list/check).

Rule shape

An SoD rule defines two sets of permissions that cannot both be held by the same identity:

{
  "id": "sod_01H7X3K9Q1",
  "name"

enforcement options:

• WARN -- violation recorded, Keto write proceeds.
• BLOCK -- violation recorded, Keto write rejected with AVNOLOGY_AUTH_102.
• REQUIRE_APPROVAL -- write converted into an access request.

Create a rule

curl -X POST "https://api-id.avnology.net/v1/governance/sodRules" \
  -H "Authorization: Bearer $AVNOLOGY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "PO creator vs approver",
    "conflicting_sets": [
      { "namespace": "purchase_orders", "relation": "creator" },
      { "namespace": "purchase_orders", "relation": "approver" }
    ],
    "severity": "HIGH",
    "enforcement": "BLOCK"
  }'