# 11. Separation of Duties Matrix

<img class="page-image-landscape" src="/uploads/images/gallery/2026-02/ssp-11-sod.png" alt="system security plan separation of duties page image" />

The `metadata` / `roles` array must have one entry for each column:
- an `id` with a token (use pre-defined ID values whenever possible)
- a `title` with a human-readable role name

The `system-implementation` / `users` array must have one entry for each row:
- a `uuid` (required)
- a `props` array with the following entry:
  - a `name` with `separation-of-duties-matrix`
  - a `ns` with `http://fedramp.gov/ns/oscal`
  - a `value` with `yes`
- a `role-ids` array with one entry per role, where each entry is:
  - the role ID token defined in `metadata` / `roles`
  - only for roles where an "X" would appear in that row of the table
- an `authorized-privileges` array with one or more entries:
  - a `title` with the text from the "Duty Description" column
  - a `functions-performed` array with at least one string entry describing the function. (This is an OSCAL required field that is not required by FedRAMP.)

```yaml
system-security-plan:
  metadata:
    roles:
    - id: asset-administrator
      title: Asset Administrator
    - id: admin-client
      title: Customer-Designated Administrator
    - id: admin-unix
      title: Unix Administrator

  system-implementation:
    users:
    - uuid: 11111111-2222-4000-8000-008000000002
      props:
      - name: separation-of-duties-matrix
        ns: http://fedramp.gov/ns/oscal
        value: 'yes'
      role-ids:
      - asset-administrator
      authorized-privileges:
      - title: Add/Remove Admins
        functions-performed:
        - This can add and remove admins.
    - uuid: 11111111-2222-4000-8000-008000000003
      props:
      - name: separation-of-duties-matrix
        ns: http://fedramp.gov/ns/oscal
        value: 'yes'
      role-ids:
      - asset-administrator
      - admin-client
      authorized-privileges:
      - title: Add/Remove Users
        functions-performed:
        - add/remove non-privileged users
    - uuid: 11111111-2222-4000-8000-008000000004
      props:
      - name: separation-of-duties-matrix
        ns: http://fedramp.gov/ns/oscal
        value: 'yes'
      role-ids:
      - asset-administrator
      authorized-privileges:
      - title: Cloud-Native Service Deployment
        functions-performed:
        - Manage services and components within the virtual cloud environment.
    - uuid: 11111111-2222-4000-8000-008000000005
      props:
      - name: separation-of-duties-matrix
        ns: http://fedramp.gov/ns/oscal
        value: 'yes'
      role-ids:
      - admin-client
      authorized-privileges:
      - title: Application User Admin
        functions-performed:
        - Add and remove users from the virtual cloud environment.
```
<div class="callout">
  
**The `props` entry is required in each `users` entry.** It identifies which `users` array entries are intended to represent the Separation of Duties Matrix. Tools processing OSCAL SSPs only for FedRAMP should ignore any `users` entry that does not include this `props` entry.

</div>
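As an added illustration (not code from the FedRAMP OSCAL materials), the following Python checks each matrix row against the rules listed above and rebuilds the "X" table from the OSCAL structure. The `SSP` dict is a constructed equivalent of the YAML example, with one extra `users` entry that lacks the marker `props` entry and must therefore be skipped.

```python
SOD_NS = "http://fedramp.gov/ns/oscal"
SOD_PROP = {"name": "separation-of-duties-matrix", "ns": SOD_NS, "value": "yes"}
# Constructed dict equivalent of the YAML above, plus one entry with no marker prop.
SSP = {
    "metadata": {"roles": [
        {"id": "asset-administrator", "title": "Asset Administrator"},
        {"id": "admin-client", "title": "Customer-Designated Administrator"},
        {"id": "admin-unix", "title": "Unix Administrator"}]},
    "system-implementation": {"users": [
        {"uuid": "11111111-2222-4000-8000-008000000002", "props": [dict(SOD_PROP)],
         "role-ids": ["asset-administrator"],
         "authorized-privileges": [{"title": "Add/Remove Admins",
                                    "functions-performed": ["This can add and remove admins."]}]},
        {"uuid": "11111111-2222-4000-8000-008000000003", "props": [dict(SOD_PROP)],
         "role-ids": ["asset-administrator", "admin-client"],
         "authorized-privileges": [{"title": "Add/Remove Users",
                                    "functions-performed": ["add/remove non-privileged users"]}]},
        {"uuid": "11111111-2222-4000-8000-008000000099", "role-ids": ["admin-unix"]}]}}

def is_sod_row(user):
    """True only when the FedRAMP marker prop (name, ns and the string value 'yes') is present."""
    return any(p.get("name") == SOD_PROP["name"] and p.get("ns") == SOD_NS
               and str(p.get("value")).lower() == "yes" for p in user.get("props", []))

def validate_sod(ssp):
    """Check each matrix row against the rules listed above; return the findings."""
    role_ids = {r["id"] for r in ssp["metadata"]["roles"]}
    findings = []
    for u in filter(is_sod_row, ssp["system-implementation"]["users"]):
        uid = u.get("uuid", "<missing uuid>")
        for rid in u.get("role-ids", []):
            if rid not in role_ids:
                findings.append(f"{uid}: role-id '{rid}' not defined in metadata/roles")
        privs = u.get("authorized-privileges") or []
        if not privs:
            findings.append(f"{uid}: at least one authorized-privileges entry is required")
        for p in privs:
            if not p.get("title") or not p.get("functions-performed"):
                findings.append(f"{uid}: each privilege needs a title and functions-performed")
    return findings

def sod_matrix(ssp):
    """Rebuild the matrix: one row per Duty Description, 'X' under each assigned role."""
    role_ids = [r["id"] for r in ssp["metadata"]["roles"]]
    rows = {}
    for u in filter(is_sod_row, ssp["system-implementation"]["users"]):
        for p in u.get("authorized-privileges", []):
            rows[p["title"]] = {r: "X" if r in u.get("role-ids", []) else "" for r in role_ids}
    return rows
```

The `value` is quoted in the YAML so that it stays the string `yes` rather than being read as a YAML boolean; `is_sod_row` would reject a bare boolean.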