Which policy type is appropriate when a user should not submit and approve salary changes?

The appropriate policy type for a scenario where a user should not submit and approve salary changes is Segregation of Duties (SoD). This policy type is crucial in risk management and compliance, as it ensures that no single individual has control over all aspects of a transaction or process, thereby reducing the risk of fraud or error.

In this case, implementing a Segregation of Duties policy means separating the roles and responsibilities associated with salary changes. The user who can submit salary changes should not be the same person who approves those changes. This division of roles helps ensure accountability and oversight, as it requires multiple individuals to be involved in the process, creating a system of checks and balances.

General Policy typically covers a broader range of topics and behaviors within the organization, without specific regard to transaction controls like salary changes. Access Policy deals with the permissions and rights associated with accessing resources and information, rather than the specific operational controls involved in processing changes to sensitive information like salary. Therefore, while those types of policies serve important functions, they do not adequately address the need to separate duties related to salary change requests, which is the essence of the SoD approach.