I appreciate your passion for this subject. I didn't lay out the whole proposed approach nor describe the environment. The roles don't change very often, the client staff is spread thin and have very little knowledge of the function or relationships between any two objects or transactions etc. The roles are very tight for SODs within a role and we certainly have assessment proposals using typical GRC methods to assess changes to roles.

So my question is still open. Is it technically possible to specify explicit forbidden role to role combinations?

I suppose I could do it by creating a unique dummy transaction for each role and then specifying prohibited combinations of dummy transactions but I would prefer not using a workaround.

Thanks

Hi,

This is not at all possible in RAR tool. You won't be able to configure role to role violations in RAR. You may just use excel spreadsheet and SUIM to check for this kind of SoD. Anyhow, if you think some of the roles by themselves are sensitive then you can mark them as critical roles in RAR.

Alpesh

Hi Corwin,

To my knowledge, it is not technically possible to combine role combinations in SOD business functions or risks.

Another approach might be to include one or more unique transactions, or each of the role transactions in new, different business functions. Then, combine the business functions together in individual risks. A problem might arise if there are same transactions shared across different roles unless those transactions can be separated by other objects (e.g. FB02, separated be Account Type, K, S, D, M...).

Have you tried running the standard delivered SOD rules against the existing users and role assignments? Was it big?

The problem I foresee with your proposal is that the customer may never get educated on the real way of analyzing SOD risks and may as a result make some wrong assumptions in the future about SOD analysis. By comparing high level role names, a transaction will eventually sneak in and could show up on an audit finding that they didn't expect. Just my two cents.

Hope you find a good solution.

Thanks for your reply. I think that my dummy tcode approach that has a unique transaction for every master role would accomplish that.

The problem with a much more granular approach is the effort to address the impact of combinations and write mitigations. For every list of actions there are n*(n-1)/2 combinations of any two actions. I need to minimize this list for day to day assessment purposes. Its easier to tell a dispenser that you can't give someone two drugs in combination than it is to say there are 10 possible side effects that should be evaluated and mitigated. Besides I cannot readily reformulate my medicine so that the conflict will be voided.

I wouldn't be so simplistic but the client's roles are quite well designed and we will evaluate adding new transactions to roles using classical action and object rules but that evaluation will be a different set of users with more experience in transaction codes, authorization objects etc.

Well it would be pitiful if business processes changed and roles changed and there were no reevaluation of the SOD combinations. It strikes me from your description that process management was the problem and SOD identification was just a downstream casualty.

No one should lead with their SOD tool no matter how granular it is.

Drastically changing business processes and constantly changing roles are certainly a risk factor that would call into question a role to role evaluation methodology.