Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SOD violation appears at the second approver after removed violating role.

ssingh16
New Contributor III
New Contributor III

‎08/04/2023 01:27 PM

Hello Team,

We disabled "Enable Recalculate SOD (Beta)" under global configuration to raise a new user account request with a violation, and it went for two levels of risk owner approval.

After disabling the option, the recalculate SOD button is not available on the request approval page and hence can't be utilized to refresh SOD violations on the request approval page if the violating role is removed prior to Risk Owner 2 approval. SOD violations appeared as expected on the request approval page for Risk Owner 2.

Once we removed the SOD violating role and the request was approved by Risk Owner 2 (without SOD recalculation), we observed that the request went to Risk Owner 1 for approval. On the request approval page for Risk Owner 1, SOD violations were appearing (though the SOD violating role was removed prior to approval by Risk Owner 2).

After Risk Owner 1 approved the request, access was provisioned as expected, and no violation appeared in the SOD workbench.

Our concern is that when Risk Owner 2 approves the request and the violating role is removed before the approval, then on the Risk Owner 1 approval page, the violation should be removed, but here it remains the same as on the Risk Owner 2 approval page. For Risk Owner 1, it creates confusion about whether a violation is there or not.

As of now, we are using a serial-type workflow.

Do you have any resolutions to avoid this confusion?

Regards,

Satyam

Labels:
0 Kudos
6 REPLIES 6

sai_sp
Saviynt Employee
Saviynt Employee

‎08/08/2023 02:19 PM

@ssingh16 how is the violating role removed when the request is still pending for the user?Is violating role part of the request or you are saying it is already assigned to the user and you are removing it by creating another request before this risk owner approval is done?

0 Kudos

ssingh16
New Contributor III
New Contributor III

‎08/09/2023 07:41 AM

yes, the below step process is followed to remove a violating role:

1. First, Assigned a role "A" assigned separately to the user
2. Raise a request for another role "B",
3. Remove the first assigned role "A", before approval from Risk Owner 2.

0 Kudos

sai_sp
Saviynt Employee
Saviynt Employee
In response to ssingh16

‎08/17/2023 09:34 AM

@ssingh16 in this scenario the only way to recalculate SOD is to use the 'Recalculate SOD' feature. Otherwise Saviynt does not do an auto calculation of SOD at every step.

0 Kudos

ssingh16
New Contributor III
New Contributor III
In response to sai_sp

‎08/18/2023 08:38 AM

 

Thanks, @Sai, for the update!

If it is possible to make some modifications or changes at the workflow level, then it might be working. I mean to say that at workflow, can we add this recalculate SOD feature? Could you please share your insights on this?

0 Kudos

sai_sp
Saviynt Employee
Saviynt Employee
In response to ssingh16

‎08/21/2023 04:51 PM

@ssingh16 No, recalculate is not supported at workflow level.

0 Kudos

ssingh16
New Contributor III
New Contributor III
In response to sai_sp

‎08/22/2023 01:08 PM

Thanks for the information!

0 Kudos
Copyright © 2024 Khoros, LLC