Virsa Config Logic?: Include Role/Prof mitigating contls in User Analysis
After changing configuration option "26 Include Role/Prof mitigating contls in User analysis(YES/NO)" to YES from NO, I noticed that the mitigation seems to be overextending itself into other roles. Example:
User with RoleA, RoleB and RoleC has potential conflicts. It turns out that RoleC is not a real problem but RoleA and RoleB are. So, I mitigate one rule against RoleC.
With configuration option 26 set to YES, I would expect that the mitigation control would apply only against RoleC, and SoD issues against RoleA and RoleB should still be a problem; however, RoleA and RoleB are now also mitigated. Therefore, this means that roles which I had not intended to be mitigated are mitigated.
How should the logic within Virsa be understood?