Short description: This article explains some of the best practices for SOD (Segregation of Duties).
Applicable version: All Saviynt versions
SOD Best Practices (Detective)
1. It is highly recommended to use the SOD Simulation feature to test any SOD calculation and evaluation at the account, entitlement, or user level before running it as a job.
2. The Detective SOD Risk Evaluation job runs sequentially. Do not schedule two SOD jobs at the same time or with overlapping run windows, as this can cause performance issues.
3. The Detective SOD Risk Evaluation job provides filters; using them is recommended for better performance and efficient evaluation.
4. The filters provided are:
- Security System
- User Account Evaluation
- Entitlement Evaluation
- Inherent Query Evaluation
Security System:
Use this filter if the SOD ruleset is a single-system ruleset. Do not specify the system if it is a cross-application ruleset or a Logical/Organizational ruleset.
Ruleset:
The ruleset is mandatory; the SODs are evaluated based on the rules defined in it.
User Account Evaluation:
It is highly recommended to filter the data by endpoint and account type (if applicable), or by any other attribute that narrows the data set.
Let's assume there is a ruleset for the SAP1, SAP2 and SAP3 endpoints, and SAP has multiple account types (A, S, FFID, etc.).
The use case is to evaluate SOD only for specific account types on the three endpoints mentioned above.
A sample filter would look like: AND ACCOUNTS.ACCOUNTYPE='A' AND ACCOUNTS.ENDPOINTKEY in (1,2,3) AND
Note: Run the following query in the data analyzer to get the endpoint keys of the endpoints (replace the endpoint names with your own):
select endpointkey, endpointname from endpoints where endpointname in ('SAP1','SAP2','SAP3');
Entitlement Evaluation:
It is highly recommended to use this filter if SOD needs to run on a specific entitlement type or a set of entitlements.
Let's assume SOD needs to be evaluated only for saproles on the endpoint SAP1.
A sample filter would look like: AND ENTITLEMENT_VALUES.ENTITLEMENTTYPEKEY = 1
Note: Run the following query in the data analyzer to get the entitlementtypekey (replace the endpoint name with your own):
select * from entitlement_types et, endpoints e where et.endpointkey = e.endpointkey and e.endpointname = 'SAP1';
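The following data-analyzer queries are an added example (not part of the original article or Saviynt's documentation) covering both the User Account Evaluation and the Entitlement Evaluation filters above. Beyond resolving the keys, they count how many accounts and entitlement values a candidate filter would hand to the job, so the data set size can be checked before the job is scheduled. The table and column names endpoints(endpointkey, endpointname), accounts(accounttype, endpointkey), entitlement_types(entitlementtypekey, endpointkey) and entitlement_values(entitlementtypekey) are taken from the queries on this page; the column entitlement_types.entitlementname and the type name 'saproles' are assumptions, and the endpoint names are placeholders to replace.

```sql
-- Step 1: resolve the endpoint keys for the in-scope endpoints.
-- (Replace the endpoint names; the keys returned go into the ENDPOINTKEY in (...) filter.)
SELECT endpointkey, endpointname
FROM endpoints
WHERE endpointname IN ('SAP1', 'SAP2', 'SAP3');

-- Step 2: size the account set the User Account Evaluation filter would select,
-- broken down per endpoint and account type, so a surprisingly large
-- (or empty) result is caught before the job runs.
SELECT e.endpointname, a.accounttype, COUNT(*) AS account_count
FROM accounts a
JOIN endpoints e ON e.endpointkey = a.endpointkey
WHERE e.endpointname IN ('SAP1', 'SAP2', 'SAP3')
  AND a.accounttype = 'A'
GROUP BY e.endpointname, a.accounttype;

-- Step 3: resolve the entitlement type key for a named entitlement type on one endpoint.
-- entitlement_types.entitlementname is an assumed column holding the type's name;
-- the key returned goes into the ENTITLEMENT_VALUES.ENTITLEMENTTYPEKEY = ... filter.
SELECT et.entitlementtypekey, et.entitlementname, e.endpointname
FROM entitlement_types et
JOIN endpoints e ON e.endpointkey = et.endpointkey
WHERE e.endpointname = 'SAP1'
  AND et.entitlementname = 'saproles';

-- Step 4: count the entitlement values the Entitlement Evaluation filter would include
-- for that type, again to confirm the scope is what was intended.
SELECT COUNT(*) AS entitlement_count
FROM entitlement_values ev
JOIN entitlement_types et ON et.entitlementtypekey = ev.entitlementtypekey
JOIN endpoints e ON e.endpointkey = et.endpointkey
WHERE e.endpointname = 'SAP1'
  AND et.entitlementname = 'saproles';
```

Run steps 1 and 3 first and paste the returned keys into the job's filter fields; steps 2 and 4 are the sanity checks that the filter matches the intended accounts and entitlements rather than, for example, all account types on an endpoint.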
5. Inherent SOD Evaluation
Inherent SOD evaluation checks for violations within a single entitlement itself. Since it is a data-heavy operation, it is recommended to turn this configuration OFF. If it is needed, an appropriate Inherent SOD filter query should be added so that not all entitlements are included.