Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

SOD SAP evaluation not working with auth object, mina and max values.

RSA
New Contributor
New Contributor

Hello,

We had already configured SoD with tcode ruleset and found this to be working. But when we try to add auth object with min and max value the SoD detection is not as expected.

Eg: The different combinations for same tcodes needs to be checked.

RSA_0-1726993003306.png

If the user have V_VBRK_FKA auth with min value 3 and V_VBRK_VKO as 2 the SoD should be detected for the V_VBRK_VKO but this is not being detected.

When the violating roles are assigned there is no violations for this risk if one of the tcode-auth-min value is not matching. If there is only one row for the tcode with the auth object then the violation is getting detcted. Issue is only when there are multiple auth-min vlaue rows for the same tcode. 

Please can you help me how to get this combination to work? 

Thank You in advance for your reply,

Thanks,
Rasmy 

 

4 REPLIES 4

NM
Honored Contributor II
Honored Contributor II

If auth min value for 2 different tcode are same then it detects the violation?

@RSA can you share the SS with the violation.

prtkrh007
Saviynt Employee
Saviynt Employee

under 1 tcode, all the objects needs to be violated.To violate 1 object, under the object, if the relation are OR, then to violate an object, violation should be on any 1 entry. But if it's AND, then to violate an object, violation should be on all the entries under that object.

RSA
New Contributor
New Contributor

Hi @prtkrh007 ,

ThankU for your reply. This is a OR condition and the issue is of the bunch of saproles, if  3of the  saproles have the permissions but not matching the value (instead of 2 the value is 3) and 1 saprole have the permission with the value then, the SoD violation should be detected for the 1 sap role. This is not happening. As per our discussion in the Saviynt connect, will send out email with all the details.