We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.
No ratings
sai_sp
Saviynt Employee
Saviynt Employee

Short description
This article explains some of the best practices for SOD


Applicable version
All Saviynt Versions

 

SOD Best Practices (Detective)
 
1. It is highly recommended to use the SOD Simulation feature to test any SOD calculation and evaluation at account or entitlement or user level.
 
2. Detective SOD Risk Evaluation job is a sequential job. Two SOD jobs should not be scheduled at the same time or should not overlap as it can cause performance issues.
 
3. Detective SOD Risk Evaluation job has filters and it is recommended that they are used for improved performance and efficient evaluation.
 
4. The filters provided are
. Security System
. Ruleset
. User Account Evaluation
. Entitlement Evaluation 
. Inherent Query Evaluation
 
Security System:
It is recommended to use this filter if SOD ruleset is a single system ruleset. Do not mention the system if it is a cross application ruleset or Logical/Organizational ruleset
 
Ruleset:
Ruleset needs to be mandatory and this will help evaluate the SODs based on the rules defined.
 
User Account Evaluation:
It is highly recommended to filter the data by endpoints and account type (if applicable) or any other attributes which can help in filtering the data set 
 
Example:
 
Let's assume there is a ruleset for SAP1, SAP2 and SAP3 endpoints. SAP has multiple account types A,S,FFID etc
The use case is to evaluate SOD for only specific account types and the 3 endpoints mentioned above.
Sample query would look like AND ACCOUNTS.ACCOUNTYPE='A' AND ACCOUNTS.ENDPOINTKEY in (1,2,3) AND
 
Note: Run the following query in data analyzer to get the  endpointkeys of the endpoints. 
select endpointkey, endpointname from endpoints where endpointname in ('SAP1','SAP2','SAP3'); - Replace endpoint names
 
Entitlement Evaluation:
It is highly recommended to use this filter if SOD needs to run on a specific entitlement type or set of entitlements.
 
Example:
 
Let's assume SOD needs to be evaluated for saproles for the endpoint SAP1.
Sample query would look like AND ENTITLEMENT_VALUES.ENTITLEMENTTYPEKEY = 1
 
Note: Run the following query in data analyzer to get the entitlementtypekey 
select * from entitlement_types et, endpoints e where et.endpointkey = e.endpointkey and e.endpointname = 'SAP1' ; - Replace endpoint name
 
5. Inherent SOD Evaluation
Inherent SOD evaluation is used to evaluate the violations within the entitlement itself. Since its a data heavy operations, its recommended to turn OFF this config. If at all this is needed, then appropriate Inherent SOD filter query should added so as to not include all the entitlements.
 
 
6. It is not recommended to run the SOD jobs in a trigger chain
 
7. SOD jobs are high performance jobs. Triggers for Large systems with millions of data points are recommended to run during off-hours
 
8. To evaluate Actual Vs Potential violations, it is mandatory to import the usage data. For SAP applications, SWNCMONIINDEX table has to be imported which brings in the usage data
 
9. Make sure the entitlement depth value is configured accurately in the externalconfig.properties files
For SAP the default is 4 - evaluation happens at the auth object - field level
 
Key Benefit
Performance Improvement



Comments
Manu269
All-Star
All-Star

Is there a way to get the OOTB Ruleset for all the apps supported by Saviynt?

sai_sp
Saviynt Employee
Saviynt Employee

@Manu269 OOTB rulesets are provided based on the licenses procured for each customer. Please check with the CSM or the partner contact from Saviynt. They can help you with the rulesets.

anandshahgrange
New Contributor III
New Contributor III

Is there a way to email the list of Violations detected after an SODEvaluation job gets completed?

Instead of having to go to Saviynt, can I get the report directly by email?

or can I get an alert for every SOD violation detected when the SODEvaluation job runs?

Anand

Version history
Last update:
‎06/22/2023 07:36 AM
Updated by:
Contributors