Short description
This article explains some of the best practices for SOD
Applicable version
All Saviynt Versions
SOD Best Practices (Detective)
1. It is highly recommended to use the SOD Simulation feature to test any SOD calculation and evaluation at account or entitlement or user level.
2. Detective SOD Risk Evaluation job is a sequential job. Two SOD jobs should not be scheduled at the same time or should not overlap as it can cause performance issues.
3. Detective SOD Risk Evaluation job has filters and it is recommended that they are used for improved performance and efficient evaluation.
4. The filters provided are
. Security System
. Ruleset
. User Account Evaluation
. Entitlement Evaluation
. Inherent Query Evaluation
Security System:
It is recommended to use this filter if SOD ruleset is a single system ruleset. Do not mention the system if it is a cross application ruleset or Logical/Organizational ruleset
Ruleset:
Ruleset needs to be mandatory and this will help evaluate the SODs based on the rules defined.
User Account Evaluation:
It is highly recommended to filter the data by endpoints and account type (if applicable) or any other attributes which can help in filtering the data set
Example:
Let's assume there is a ruleset for SAP1, SAP2 and SAP3 endpoints. SAP has multiple account types A,S,FFID etc
The use case is to evaluate SOD for only specific account types and the 3 endpoints mentioned above.
Sample query would look like AND ACCOUNTS.ACCOUNTYPE='A' AND ACCOUNTS.ENDPOINTKEY in (1,2,3) AND
Note: Run the following query in data analyzer to get the endpointkeys of the endpoints.
select endpointkey, endpointname from endpoints where endpointname in ('SAP1','SAP2','SAP3'); - Replace endpoint names
Entitlement Evaluation:
It is highly recommended to use this filter if SOD needs to run on a specific entitlement type or set of entitlements.
Example:
Let's assume SOD needs to be evaluated for saproles for the endpoint SAP1.
Sample query would look like AND ENTITLEMENT_VALUES.ENTITLEMENTTYPEKEY = 1
Note: Run the following query in data analyzer to get the entitlementtypekey
select * from entitlement_types et, endpoints e where et.endpointkey = e.endpointkey and e.endpointname = 'SAP1' ; - Replace endpoint name
5. Inherent SOD Evaluation
Inherent SOD evaluation is used to evaluate the violations within the entitlement itself. Since its a data heavy operations, its recommended to turn OFF this config. If at all this is needed, then appropriate Inherent SOD filter query should added so as to not include all the entitlements.
6. It is not recommended to run the SOD jobs in a trigger chain
7. SOD jobs are high performance jobs. Triggers for Large systems with millions of data points are recommended to run during off-hours
8. To evaluate Actual Vs Potential violations, it is mandatory to import the usage data. For SAP applications, SWNCMONIINDEX table has to be imported which brings in the usage data
9. Make sure the entitlement depth value is configured accurately in the externalconfig.properties files
For SAP the default is 4 - evaluation happens at the auth object - field level
Key Benefit
Performance Improvement
