04/12/2022 01:11 PM
Hello Team,
We have SSM version 5.5 SP3.2 and we have created an Endpoint for SAP S4. We have created an SOD RuleSet, Risks and Functions as shown in the attached document. We then assigned the cross-function entitlements to users in SAP and imported them into SSM.
When we ran the SOD Evaluation schedule job, the expected result should have shown the SOD violations, but it didn't. However, when we tried the same thing for the Active Directory application, it worked and showed the violations.
Can you please check the attached logs for the SAP SOD evaluation and let us know why it is not showing the SOD violations for the SAP application/functions?
Regards,
Santosh
04/12/2022 02:32 PM
Hi Santosh,
Can you please check a few items:
a) Is the endpoint for which SoD needs to be evaluated added in externalConfig.properties? Is the Entitlement Type marked as table?
b) Once done, restart the server. Re-run the SoD Evaluation job. Make sure to select the right security system and ruleset added. Further, verify if any User Account Evaluation Criteria, Entitlement Evaluation Criteria or Inherent Role Query is added.
c) You can also test the same using Simulation. Please check whether adding a toxic combination results in violations or not.
Thanks
04/12/2022 02:32 PM
Hi Manish,
Thanks for your response. Please find below answers:
a) Is the endpoint for which SoD needs to be evaluated added in externalConfig.properties? Is the Entitlement Type marked as table?
externalConfig.properties::
# SOD Performance Configurations
sod.entitlement.depth=2
sod.endpoints=SAP_S4_DEV
Is the Entitlement Type marked as table? Yes, all are marked as Table - tcode, SAP Roles, PROFILES, groups
b) Once done, restart the server. Re-run the SoD Evaluation job. Make sure to select the right security system and ruleset added. Further, verify if any User Account Evaluation Criteria, Entitlement Evaluation Criteria or Inherent Role Query is added.
- Didn't get this, what do you mean by this (Inherent Role Query is added)?
c) You can also test the same using Simulation. Please check whether adding a toxic combination results in violations or not.
- Added the toxic combination for user as shown in the document earlier, still it's not capturing the violations.
Regards,
Santosh
04/12/2022 02:32 PM
Hi Santosh,
Can you please check the following also:
1. Ruleset marked as default ruleset --> True.
2. Risks and Functions are in Active state under this ruleset.
3. Function object mapping has valid mappings and are in active state?
4. While running SoD, are you passing any User Account Evaluation Criteria, Entitlement Evaluation Criteria or Inherent Role Query?
5. Any exclusion query is not tagged to Functions?
6. Further, can you also verify the parent-child relationship of the entitlement?
Ex: SAP Roles > Child Entitlements mapping
Thanks
Manish
04/12/2022 02:32 PM
Hi Manish,
PFA the document for your questions with some additional information. Please let me know if you need any more information.
Regards,
Santosh
04/12/2022 02:32 PM
Hi Santosh,
1. Please make only SAP Role as table and the rest as None.
Generally, SAP Role is request-able.
2. Can you please take 1 tcode from the function-object mapping and check the entitlement? Does this entitlement have a parent entitlement mapped?
3. Please create a simulation and add conflicting SAP Roles to verify.
04/12/2022 02:32 PM
Having the exact same issue as Santosh. This used to work and now has not for over 8 months. We are using position-based security. I suspect it is due to not reading the child entitlement from the position, as we too see blank against the entitlement > child entitlement. Strangely, though, it works fine for one of our SAP systems. Was there a resolution to this?