on 10-15-2015 3:05 PM
Hi Guys,
We have been asked to check whether a certain set of roles, when assigned to a user, causes an SoD or not. We have 10 sets like that, and each set is causing at least 15 SoDs.
And we are expected to provide role removal options for each SoD, i.e., the removal of which role can avoid an SoD in that set of roles.
We usually do this in User Level: Simulation, where we manually enter a role under Exclude values and check if it avoids the SoD, but this is very time-consuming.
Please let me know if there is a simpler way to check this in GRC or anywhere else
Thanks in Advance
Raghav
Hi Raghavendar,
In situations like this, I prefer to setup all role combinations as test accounts in the QA environment (assuming the rulesets are consistent between QA and Production). Then, run risk analysis for the test accounts.
When trying to determine which roles to remove, it can get quite complicated. However, I like to do this:
Now, there can be underlying issues with the Role design itself. I prefer to configure task-based roles, which are small roles with task-specific transactions. This allows the most flexibility for adding/removing combinations of roles to produce the most compliant user accounts possible. If Role-redesign seems like the best option, good luck because this is an entire project in itself.
Having said that, it is unrealistic to promise SOD-free accounts. The reason is that Authorization Objects are typically common amongst many tcodes, and this "sharing" of auth objects and values creates an incredibly complex technical landscape. You can work really hard to get very close to SOD-free, but typically you will need to design and implement Mitigating Controls. MCs will allow you to provision user accounts that have SODs, but the issues are "mitigated" by the different types of controls you have assigned to the SOD issues. I like providing mitigation at the Risk level, not the permission/rule level, because there are just too many rules contributing to each risk.
Hope this helps!
-Ken
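The approach Ken describes (build the role combinations, run risk analysis, then work out which removals clear each SoD) can be modelled offline to pre-compute the "Exclude" simulations the original question is doing by hand. The following is an added example, not code from the thread or from SAP GRC; the role catalogue (`ROLES`), the ruleset (`RULESET`), the transaction codes and the risk IDs are constructed for illustration. A risk is modelled as a list of functions, each a set of transactions, and fires when the role set reaches at least one transaction in every function; a removal option is the set of roles contributing to any one function, which is exactly what has to go for that function to become unreachable. The example also covers the case Ken warns about, a single role (`Z_AP_ALL`) that holds both sides of a risk, where no single-role removal is enough.

```python
"""Offline SoD model: which risks a role set fires, and which role removals
clear each risk. Constructed example; not SAP GRC and not the thread's code."""
from typing import Dict, FrozenSet, Iterable, List, Set

# Constructed role catalogue (assumption): role name -> transactions granted.
ROLES: Dict[str, Set[str]] = {
    "Z_AP_INVOICE":   {"FB60", "MIRO"},
    "Z_AP_PAY":       {"F110"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_PO_CREATE":    {"ME21N"},
    "Z_GL_DISPLAY":   {"FB03"},
    "Z_AP_ALL":       {"FB60", "F110"},   # one role holding both sides of P002
}

# Constructed ruleset (assumption): risk id -> functions (sets of transactions).
# The risk fires when every function of the risk is reachable.
RULESET: Dict[str, List[Set[str]]] = {
    "P001": [{"XK01", "XK02"}, {"F110"}],   # maintain vendor + pay vendor
    "P002": [{"FB60", "MIRO"}, {"F110"}],   # enter invoice + pay vendor
    "P003": [{"ME21N"}, {"FB60", "MIRO"}],  # create PO + enter invoice
}

# One of the requested role sets from the question, constructed here.
REQUESTED_SET = ["Z_AP_INVOICE", "Z_AP_PAY", "Z_VENDOR_MAINT",
                 "Z_PO_CREATE", "Z_GL_DISPLAY"]


def contributors(role_set: Iterable[str], function: Set[str]) -> FrozenSet[str]:
    """Roles in role_set that grant at least one transaction of the function."""
    return frozenset(r for r in role_set if ROLES[r] & function)


def risk_analysis(role_set: Iterable[str]) -> Dict[str, List[FrozenSet[str]]]:
    """Risk analysis for one account: {risk_id: contributing roles per function}
    for every risk that fires on this role set."""
    role_set = list(role_set)
    hits = {}
    for risk_id, functions in RULESET.items():
        per_function = [contributors(role_set, f) for f in functions]
        if all(per_function):        # every function reachable -> SoD conflict
            hits[risk_id] = per_function
    return hits


def removal_options(role_set: Iterable[str], risk_id: str) -> List[FrozenSet[str]]:
    """Minimal sets of roles whose removal clears the given risk.

    The risk stops firing once one of its functions has no contributing role
    left, so removing all contributors of any single function is an option.
    Duplicate options collapse (a role on both sides) and options that are a
    superset of another option are dropped. Returns [] if the risk does not fire.
    """
    per_function = risk_analysis(role_set).get(risk_id)
    if per_function is None:
        return []
    candidates = set(per_function)
    minimal = [c for c in candidates if not any(o < c for o in candidates)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def simulate(role_set: Iterable[str], exclude: Set[str]) -> Set[str]:
    """User-level simulation with roles under 'Exclude': risks that remain."""
    remaining = [r for r in role_set if r not in exclude]
    return set(risk_analysis(remaining))


def removal_impact(role_set: Iterable[str]) -> Dict[str, Set[str]]:
    """For each role, the risks that disappear if only that role is removed.
    Useful for ranking removals when one set causes many SoDs at once."""
    role_set = list(role_set)
    baseline = set(risk_analysis(role_set))
    return {r: baseline - simulate(role_set, {r}) for r in role_set}


if __name__ == "__main__":
    for name, role_set in (("requested", REQUESTED_SET),
                           ("requested + Z_AP_ALL", REQUESTED_SET + ["Z_AP_ALL"])):
        print(f"== {name} ==")
        for risk_id in sorted(risk_analysis(role_set)):
            opts = " or ".join("+".join(sorted(o)) for o in removal_options(role_set, risk_id))
            print(f"{risk_id}: remove {opts}")
        for role, cleared in removal_impact(role_set).items():
            print(f"  removing {role} clears {sorted(cleared) or 'nothing'}")
```

Running the script lists, per risk, every minimal removal option, and, per role, how many risks a single removal clears; `Z_AP_PAY` clears two risks in the constructed set, while `Z_GL_DISPLAY` clears none. Once `Z_AP_ALL` is in the set, P002 can only be cleared by removing two roles, which is the intra-role situation Ken refers to when he says the design itself may need attention. The real check still has to be rerun in GRC against the production ruleset, since this model knows nothing about authorization objects shared between transactions.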
Hello Raghav,
You can use the SOD review process; it will help with your requirement.
Check the link below.
Regards
Baithi