10/08/2024 07:07 AM
We are currently addressing a specific requirement for our Oracle EBS SoD scans within Saviynt. Unlike the standard exclusions for inquiry roles or view-only roles, we are focusing on the exclusion of known false positives based on specific paths within parent roles. Our objective is to ensure that when an SoD scan identifies a specific combination of a parent role and function, it should not be flagged as a true conflict.
Could you provide guidance on how this configuration can be achieved in Saviynt? We are contemplating whether this would necessitate an additional query at the function level within the exclusion settings, or if there might be an alternative approach to effectively address this requirement.
Any suggestions or insights on the best way to implement this exclusion would be greatly appreciated. We aim to refine our SoD scan process to accurately reflect true conflicts while eliminating known false positives from the results.
10/08/2024 10:53 AM
10/08/2024 11:25 AM
Hi, Thank you for your response.
For example, we are seeing this SoD violation below where the entitlement AP_APXSUMPS is triggering the AP_Maintain Setups side of the SoD rule because the role AP_WORLDWIDE_SETUP contains it.
| Risk Name | Role | Parent Role | Entitlement | Function |
|---|---|---|---|---|
| AP_Maintain Setups and AP_Maintain Suppliers | AP_WORLDWIDE_SETUP | AP_WORLDWIDE_SETUP > AP_NAVIGATE_GUI12 > AP_ACCOUNTING_GUI12 | AP_APXSUMPS | AP_Maintain Setups |
Upon review, we've determined that the path AP_NAVIGATE_GUI12 > AP_ACCOUNTING_GUI12 > AP_APXSUMPS is a false positive, as it does not grant the ability to maintain AP setups. We still want to evaluate for the function, but only when it is being accessed through the path defined in the parent role would we want it to be excluded.
Given that this path appears in other SoD violations, we are looking to implement an exclusion query. The goal is to ensure that when SoD analysis is conducted—whether preventatively or detectively—this path is not flagged in the results.
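
The path-scoped exclusion described in this post, as an added example that is not part of the original thread and is not Saviynt configuration: it post-processes exported SoD findings, suppressing a function only when it is reached through the known false-positive path. Field names follow the table above; the `user` field, the `EXAMPLE_*` names and all rows are constructed assumptions.

```python
from collections import defaultdict

RISK = "AP_Maintain Setups and AP_Maintain Suppliers"
RISK_FUNCTIONS = {RISK: {"AP_Maintain Setups", "AP_Maintain Suppliers"}}

# Known false-positive path from the post, held as whole segments so that a
# lookalike such as AP_ACCOUNTING_GUI12_OLD can never match by substring.
EXCLUDED_PATHS = [("AP_NAVIGATE_GUI12", "AP_ACCOUNTING_GUI12", "AP_APXSUMPS")]

def row(user, parent_role, entitlement, function):
    return {"user": user, "risk": RISK, "parent_role": parent_role,
            "entitlement": entitlement, "function": function}

def full_path(r):
    """Parent-role chain plus the entitlement, as a tuple of segments."""
    segments = [s.strip() for s in r["parent_role"].split(">")]
    return tuple(segments + [r["entitlement"]])

def is_excluded(r, excluded=EXCLUDED_PATHS):
    """True when the finding's path ends with an excluded segment sequence."""
    path = full_path(r)
    return any(path[-len(ex):] == ex for ex in excluded if len(path) >= len(ex))

def true_conflicts(rows, risk_functions):
    """(user, risk) pairs where every side of the risk survives exclusion."""
    remaining = defaultdict(set)
    for r in rows:
        if not is_excluded(r):
            remaining[(r["user"], r["risk"])].add(r["function"])
    return sorted(k for k, funcs in remaining.items()
                  if risk_functions[k[1]] <= funcs)

# Constructed sample findings. user_a reaches AP_APXSUMPS only through the
# excluded path; user_b also reaches it through a second, non-excluded path.
FP_PARENT = "AP_WORLDWIDE_SETUP > AP_NAVIGATE_GUI12 > AP_ACCOUNTING_GUI12"
ROWS = [
    row("user_a", FP_PARENT, "AP_APXSUMPS", "AP_Maintain Setups"),
    row("user_a", "EXAMPLE_SUPPLIER_ROLE", "EXAMPLE_SUPPLIER_FN", "AP_Maintain Suppliers"),
    row("user_b", FP_PARENT, "AP_APXSUMPS", "AP_Maintain Setups"),
    row("user_b", "EXAMPLE_SETUP_ROLE > EXAMPLE_SETUP_MENU", "AP_APXSUMPS", "AP_Maintain Setups"),
    row("user_b", "EXAMPLE_SUPPLIER_ROLE", "EXAMPLE_SUPPLIER_FN", "AP_Maintain Suppliers"),
]

if __name__ == "__main__":
    for user, risk in true_conflicts(ROWS, RISK_FUNCTIONS):
        print(f"{user}: {risk}")
```

The exclusion is applied per finding row rather than per entitlement, so a user who holds the same function through any other path is still reported.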