
SAP SOD Evaluation not working

Community_User
Saviynt Employee
Originally posted on January 4 2021 at 15:07 UTC

Hello Team,


We have SSM version 5.5 SP3.2 and we have created an Endpoint for SAP S4. We have created the SOD RuleSet, Risks and Functions as shown in the attached document. We then assigned the cross-function entitlements to users in SAP and imported them into SSM.

When we run the SOD Evaluation schedule job, the expected result should have been to show the SOD violations, but it didn't show them. However, when we tried the same thing for the Active Directory application, it worked and showed the violations.

Can you please check the attached logs for the SAP SOD evaluation and let us know why it is not showing the SOD violations for the SAP application/functions?


Regards,

Santosh

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on January 8 2021 at 12:04 UTC

Hi Santosh,


Can you please check a few items:

a) Is the endpoint for which SoD needs to be evaluated added in externalConfig.properties? Is the Entitlement Type marked as table?

b) Once done, restart the server. Re-run the SoD Evaluation job. Make sure to select the right security system and ruleset added. Further, verify whether any User Account Evaluation Criteria, Entitlement Evaluation Criteria or Inherent Role Query is added.

c) You can also test the same using Simulation. Please check whether adding a toxic combination results in violations or not.


Thanks

Community_User
Saviynt Employee
Originally posted on January 8 2021 at 14:36 UTC

Hi Manish,

Thanks for your response. Please find below answers:

a) Is the endpoint for which SoD needs to be evaluated added in externalConfig.properties? Is the Entitlement Type marked as table?

externalConfig.properties:

# SOD Performance Configurations
sod.entitlement.depth=2
sod.endpoints=SAP_S4_DEV

Is the Entitlement Type marked as table? Yes, all are marked as Table - tcode, SAP Roles, PROFILES, groups

b) Once done, restart the server. Re-run the SoD Evaluation job. Make sure to select the right security system and ruleset added. Further, verify whether any User Account Evaluation Criteria, Entitlement Evaluation Criteria or Inherent Role Query is added.

- Didn't get this. What do you mean by this (Inherent Role Query is added)?

c) You can also test the same using Simulation. Please check whether adding a toxic combination results in violations or not.

- Added the toxic combination for the user as shown in the document earlier; still it's not capturing the violations.


Regards,

Santosh

Community_User
Saviynt Employee
Originally posted on January 11 2021 at 04:44 UTC

Hi Santosh,


Can you please check the following as well:


1. Ruleset marked as default ruleset --> True.

2. Risks and Functions are in Active state under this ruleset.

3. Function object mapping has valid mappings and they are in active state?

4. While running SoD, are you passing any User Account Evaluation Criteria, Entitlement Evaluation Criteria or Inherent Role Query?

5. No exclusion query is tagged to Functions?

6. Further, can you also verify the parent-child relationship of the entitlements?

Ex: SAP Roles > Child Entitlements mapping


Thanks

Manish

Community_User
Saviynt Employee
Originally posted on January 23 2021 at 01:51 UTC

Hi Manish,

PFA document for your questions with some additional information. Please let me know if you need any more information.

Regards,

Santosh

Community_User
Saviynt Employee
Originally posted on January 27 2021 at 17:26 UTC

Hi Santosh,


1. Please make only SAP Role as table and the rest as None.

Generally SAP Role is request-able.


2. Can you please take 1 tcode from the function-object mapping and check the entitlement? Does this entitlement have a parent entitlement mapped?


3. Please create a simulation and add conflicting SAP Roles to verify.


Community_User
Saviynt Employee
Originally posted on May 24 2021 at 02:28 UTC

Having the exact same issue as Santosh. This used to work and now has not for over 8 months. We are using position-based security. I suspect it is due to not reading the child entitlement from the position, as we too see blank against the entitlement > child entitlement. Strangely, though, it works fine for one of our SAP systems. Was there a resolution to this?

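Added example (not part of the thread and not Saviynt's code): a simplified Python model of why an SoD evaluation can return no violations when the role-to-tcode child entitlement mappings are blank or the hierarchy is not traversed deeply enough, which is what the parent/child checks in the replies above are probing. The function, risk, role and position names are constructed, and reading the depth setting as "hierarchy levels traversed" is an assumption made for illustration.

```python
# Simplified model of SoD evaluation over an entitlement hierarchy.
# All names and data are constructed; this is not Saviynt's implementation.

FUNCTIONS = {                      # function -> tcodes (function-object mapping)
    "Maintain Vendor": {"XK01", "XK02"},
    "Process Payment": {"F110"},
}
RISKS = {"P001": ("Maintain Vendor", "Process Payment")}  # conflicting pair


def expand(assigned, children, depth):
    """Return assigned entitlements plus descendants down to `depth` levels."""
    seen, frontier = set(assigned), set(assigned)
    for _ in range(depth):
        frontier = {c for p in frontier for c in children.get(p, ())} - seen
        if not frontier:
            break
        seen |= frontier
    return seen


def evaluate(assigned, children, depth):
    """Return sorted risk ids whose two functions are both held by the user."""
    effective = expand(assigned, children, depth)
    held = {f for f, tcodes in FUNCTIONS.items() if tcodes & effective}
    return sorted(r for r, (a, b) in RISKS.items() if a in held and b in held)


# Position -> roles -> tcodes, as in position-based security (constructed).
FULL = {
    "POS_AP_CLERK": ["Z_VENDOR_MAINT", "Z_PAYMENT_RUN"],
    "Z_VENDOR_MAINT": ["XK01"],
    "Z_PAYMENT_RUN": ["F110"],
}
# Same assignment, but the role -> tcode child mappings were imported blank.
BLANK_CHILDREN = {"POS_AP_CLERK": ["Z_VENDOR_MAINT", "Z_PAYMENT_RUN"]}

if __name__ == "__main__":
    user = ["POS_AP_CLERK"]
    print("full hierarchy, depth 2:", evaluate(user, FULL, 2))
    print("full hierarchy, depth 1:", evaluate(user, FULL, 1))
    print("blank child mapping   :", evaluate(user, BLANK_CHILDREN, 2))
    print("tcodes assigned direct:", evaluate(["XK01", "F110"], {}, 0))
```

In this model the flat case (entitlements assigned directly, as with a directory group) flags the risk without any hierarchy, while the SAP case depends entirely on the child mappings being populated and reachable within the configured depth.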