Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
No ratings
Saviynt Employee
Saviynt Employee

Short description
This article explains some of the best practices for SOD

Applicable version
All Saviynt Versions


SOD Best Practices (Detective)
1. It is highly recommended to use the SOD Simulation feature to test any SOD calculation and evaluation at account or entitlement or user level.
2. Detective SOD Risk Evaluation job is a sequential job. Two SOD jobs should not be scheduled at the same time or should not overlap as it can cause performance issues.
3. Detective SOD Risk Evaluation job has filters and it is recommended that they are used for improved performance and efficient evaluation.
4. The filters provided are
. Security System
. Ruleset
. User Account Evaluation
. Entitlement Evaluation 
. Inherent Query Evaluation
Security System:
It is recommended to use this filter if SOD ruleset is a single system ruleset. Do not mention the system if it is a cross application ruleset or Logical/Organizational ruleset
Ruleset needs to be mandatory and this will help evaluate the SODs based on the rules defined.
User Account Evaluation:
It is highly recommended to filter the data by endpoints and account type (if applicable) or any other attributes which can help in filtering the data set 
Let's assume there is a ruleset for SAP1, SAP2 and SAP3 endpoints. SAP has multiple account types A,S,FFID etc
The use case is to evaluate SOD for only specific account types and the 3 endpoints mentioned above.
Sample query would look like AND ACCOUNTS.ACCOUNTYPE='A' AND ACCOUNTS.ENDPOINTKEY in (1,2,3) AND
Note: Run the following query in data analyzer to get the  endpointkeys of the endpoints. 
select endpointkey, endpointname from endpoints where endpointname in ('SAP1','SAP2','SAP3'); - Replace endpoint names
Entitlement Evaluation:
It is highly recommended to use this filter if SOD needs to run on a specific entitlement type or set of entitlements.
Let's assume SOD needs to be evaluated for saproles for the endpoint SAP1.
Note: Run the following query in data analyzer to get the entitlementtypekey 
select * from entitlement_types et, endpoints e where et.endpointkey = e.endpointkey and e.endpointname = 'SAP1' ; - Replace endpoint name
5. Inherent SOD Evaluation
Inherent SOD evaluation is used to evaluate the violations within the entitlement itself. Since its a data heavy operations, its recommended to turn OFF this config. If at all this is needed, then appropriate Inherent SOD filter query should added so as to not include all the entitlements.
6. It is not recommended to run the SOD jobs in a trigger chain
7. SOD jobs are high performance jobs. Triggers for Large systems with millions of data points are recommended to run during off-hours
8. To evaluate Actual Vs Potential violations, it is mandatory to import the usage data. For SAP applications, SWNCMONIINDEX table has to be imported which brings in the usage data
9. Make sure the entitlement depth value is configured accurately in the files
For SAP the default is 4 - evaluation happens at the auth object - field level
Key Benefit
Performance Improvement


Is there a way to get the OOTB Ruleset for all the apps supported by Saviynt?

Saviynt Employee
Saviynt Employee

@Manu269 OOTB rulesets are provided based on the licenses procured for each customer. Please check with the CSM or the partner contact from Saviynt. They can help you with the rulesets.

New Contributor III
New Contributor III

Is there a way to email the list of Violations detected after an SODEvaluation job gets completed?

Instead of having to go to Saviynt, can I get the report directly by email?

or can I get an alert for every SOD violation detected when the SODEvaluation job runs?


Saviynt Employee
Saviynt Employee

You should be able to use an Analytics report to email any SOD violations. 

Just tune the report to the exact data you want to share etc.



Version history
Last update:
‎06/22/2023 07:36 AM
Updated by: