10/05/2023 11:38 AM - edited 10/05/2023 11:41 AM
Exclusions for SOD can be handled in two ways:
Exclusion at Oracle:
Each Oracle E-Business Suite product is delivered with one or more predefined menu hierarchies. System Administrators can assign a predefined menu hierarchy to a responsibility. To tailor a responsibility, System Administrators exclude functions or menus of functions from that responsibility using exclusion rules.
Saviynt's out-of-the-box OEBS connector imports these exclusions by creating the new entitlement types Excluded-OEBS-Functions and Excluded-OEBS-Menus.
All the entitlements down the hierarchy assigned due to the excluded menus and functions are also excluded while evaluating that function.
Each exclusion is defined for a specific responsibility.
For example, an OEBS-function INF1 is excluded for a responsibility Res1, but the same function INF1 can still be included for other responsibilities. These exclusions are defined in the Oracle system.
Exclusion in SOD Ruleset at a SOD Function level:
Saviynt's ruleset is built on a correlation of risks, SOD functions and function entitlements.
Each risk can have one or more SOD functions, and these functions need to be violated for the risk to flag as an SOD.
Each SOD function is predefined with rules that map entitlements using AND and OR conditions.
Saviynt has a feature to exclude any included entitlements at the SOD function level by writing SQL queries for each of the functions in the ruleset. This feature is used when you want to exclude any OEBS-Responsibility, OEBS-Menu or OEBS-Function from a SOD function.
For example, an OEBS-function INF2 is included and is imported into Saviynt.
It is flagged for a SOD Risk R001, which has SOD Function F001.
If you do not want INF2 to be evaluated for the SOD risk R001, you can write a SOD function exclusion query to exclude this function from SOD evaluation for that risk. You can also write the query at the menu or responsibility level. If INF2 is a function associated with a view-only responsibility Res2, you can exclude Res2 for the function F001.
A sample SOD Function Exclusion Query can look like this:
Select ENTITLEMENT_VALUEKEY from ENTITLEMENT_VALUES where ENTITLEMENT_VALUE in ('Res1','Menu1') and status <>2;
In non-EIC, Function Exclusion Queries need to be set up manually from the UI for each function.
In EIC, Function Exclusion Queries can be added in the ruleset and uploaded.
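The two exclusion kinds described above, as an added Python example that is not Saviynt's code: it runs the sample exclusion query against a constructed in-memory ENTITLEMENT_VALUES table (only the three columns the query names) and applies the result in a simplified evaluation model. The model itself, the second SOD function F002, the responsibility Res3 and all row values are assumptions, and SOD functions are treated as OR-only.

```python
import sqlite3

# Constructed sample rows: (ENTITLEMENT_VALUEKEY, ENTITLEMENT_VALUE, status).
ROWS = [(101, "Res1", 1), (102, "Res2", 1), (103, "Menu1", 1),
        (104, "Menu1", 2), (105, "INF1", 1), (106, "INF2", 1)]
SAMPLE_QUERY = ("Select ENTITLEMENT_VALUEKEY from ENTITLEMENT_VALUES "
                "where ENTITLEMENT_VALUE in ('Res1','Menu1') and status <>2;")
EXCLUDE_RES2 = ("Select ENTITLEMENT_VALUEKEY from ENTITLEMENT_VALUES "
                "where ENTITLEMENT_VALUE in ('Res2') and status <>2;")

def run_exclusion_query(query):
    """Run a function exclusion query; return {valuekey: entitlement_value}."""
    db = sqlite3.connect(":memory:")
    db.execute("create table ENTITLEMENT_VALUES (ENTITLEMENT_VALUEKEY integer, "
               "ENTITLEMENT_VALUE text, status integer)")
    db.executemany("insert into ENTITLEMENT_VALUES values (?, ?, ?)", ROWS)
    names = {key: value for key, value, _ in ROWS}
    return {row[0]: names[row[0]] for row in db.execute(query)}

def counted_functions(paths, oracle_excluded, sod_excluded):
    """Functions still counted for one SOD function (assumed, simplified model).

    paths: (responsibility, function) pairs held by the user.
    oracle_excluded: (responsibility, function) pairs excluded in Oracle.
    sod_excluded: entitlement values returned by the function's exclusion query.
    """
    return {fn for resp, fn in paths
            if (resp, fn) not in oracle_excluded  # scoped to one responsibility
            and resp not in sod_excluded          # responsibility-level exclusion
            and fn not in sod_excluded}           # function-level exclusion

def risk_flagged(sod_functions, paths, oracle_excluded, exclusion_queries):
    """A risk flags only when every one of its SOD functions is violated."""
    for name, members in sod_functions.items():
        query = exclusion_queries.get(name)
        excluded = set(run_exclusion_query(query).values()) if query else set()
        if not members & counted_functions(paths, oracle_excluded, excluded):
            return False
    return True

# Risk R001 from the text; F002 and its member INF1 are constructed.
R001 = {"F001": {"INF2"}, "F002": {"INF1"}}
USER_PATHS = [("Res2", "INF2"), ("Res3", "INF1"), ("Res1", "INF1")]
ORACLE_EXCLUDED = {("Res1", "INF1")}  # INF1 excluded for Res1 only

if __name__ == "__main__":
    print(run_exclusion_query(SAMPLE_QUERY))
    print(risk_flagged(R001, USER_PATHS, ORACLE_EXCLUDED, {}))
    print(risk_flagged(R001, USER_PATHS, ORACLE_EXCLUDED, {"F001": EXCLUDE_RES2}))
```

Each exclusion query removes access paths from the evaluation, so the set of keys it returns is worth reviewing before it is attached to a function: the second call above shows one query on F001 clearing R001 for a user who still holds INF2.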
Scenario: