sai_sp
Saviynt Employee

Exclusions for SOD can be handled in two ways:

  1. At the target
  2. In the SOD ruleset at a SOD function level

Exclusion at Oracle:

Each Oracle E-Business Suite product is delivered with one or more predefined menu hierarchies. System Administrators can assign a predefined menu hierarchy to a responsibility. To tailor a responsibility, System Administrators exclude functions or menus of functions from that responsibility using exclusion rules.

Saviynt's out-of-the-box OEBS connector imports these exclusions by creating two new entitlement types, Excluded-OEBS-Functions and Excluded-OEBS-Menus.


All the entitlements down the hierarchy assigned due to the excluded menus and functions are also excluded while evaluating that function.

Each exclusion is defined for a specific responsibility.

For example, an OEBS-Function INF1 can be excluded for a responsibility Res1 while the same function INF1 is still included for other responsibilities. These exclusions are defined in the Oracle system.

Exclusion in SOD Ruleset at a SOD Function level:

Saviynt's ruleset is built on a correlation of risks, SOD functions and function entitlements.

Each risk can have one or more SOD functions, and these functions need to be violated for the risk to be flagged as an SOD violation.

Each SOD function is predefined with rules that map entitlements using AND and OR conditions.

Saviynt has a feature to exclude any included entitlements at a SOD function level by writing SQL queries for each of the functions in the ruleset. This feature is used when you want to exclude any OEBS-Responsibility, OEBS-Menu or OEBS-Function from a SOD function.

For example, an OEBS-Function INF2 is included and is imported into Saviynt.

This is flagged for a SOD risk R001, which has SOD function F001.

If you do not want INF2 to be evaluated for the SOD risk R001, you can write a SOD function exclusion query to exclude this function from SOD evaluation for that risk. You can also write the query at menu or responsibility level. If INF2 is a function associated with a view-only responsibility Res2, you can exclude Res2 for the function F001.

A sample SOD Function Exclusion Query can look like this:

Select ENTITLEMENT_VALUEKEY from ENTITLEMENT_VALUES where ENTITLEMENT_VALUE in ('Res1','Menu1') and status <>2;


In non-EIC, Function Exclusion Queries need to be set up for each function manually from the UI.

In EIC, Function Exclusion Queries can be added in the ruleset and uploaded.

Scenario:

  1. If the 'prompt' attribute is blank in an OEBS-Menu and any hierarchy corresponding to that menu needs to be excluded from SOD evaluation, it is recommended to exclude those menus or functions in Oracle for the required responsibilities. As mentioned above, exclusion of functions and menus in Oracle is specific to each responsibility and is not a global setting. Saviynt does not import data based on the 'prompt' attribute, so the SOD function exclusion query cannot be used in such scenarios.
  2. If you have any read-only roles you would like to exclude from SOD evaluation, you can use the entitlement upload feature to mark a customproperty of the entitlement with some value, e.g. 'ReadOnly'. This value can then be used in the function exclusion query to exclude those entitlements from being evaluated for SOD.
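
One way to preview what a function exclusion query would drop from a SOD function before it goes into the ruleset, as an added example (not Saviynt's code): it runs the sample query above and a 'ReadOnly' marker variant against an in-memory SQLite stand-in for ENTITLEMENT_VALUES. The CUSTOMPROPERTY1 column name, the key values, the rows and the F001 mapping are assumptions constructed for illustration.

```python
import sqlite3

# Constructed rows for a reduced stand-in of ENTITLEMENT_VALUES.
# CUSTOMPROPERTY1 as the marker column is an assumption; the page only says "a customproperty".
ROWS = [  # (ENTITLEMENT_VALUEKEY, ENTITLEMENT_VALUE, STATUS, CUSTOMPROPERTY1)
    (101, "Res1", 1, None),
    (102, "Res2", 1, "ReadOnly"),
    (103, "Menu1", 1, None),
    (104, "INF2", 1, None),
    (105, "Res3", 2, "ReadOnly"),  # status 2: never returned because of "status <> 2"
]

# The page's sample query, and a variant keyed on the uploaded 'ReadOnly' marker.
BY_NAME = ("SELECT ENTITLEMENT_VALUEKEY FROM ENTITLEMENT_VALUES "
           "WHERE ENTITLEMENT_VALUE IN ('Res1','Menu1') AND STATUS <> 2")
BY_MARKER = ("SELECT ENTITLEMENT_VALUEKEY FROM ENTITLEMENT_VALUES "
             "WHERE CUSTOMPROPERTY1 = 'ReadOnly' AND STATUS <> 2")


def load_sample():
    """Build the in-memory stand-in table from the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ENTITLEMENT_VALUES (ENTITLEMENT_VALUEKEY INTEGER PRIMARY KEY, "
               "ENTITLEMENT_VALUE TEXT, STATUS INTEGER, CUSTOMPROPERTY1 TEXT)")
    db.executemany("INSERT INTO ENTITLEMENT_VALUES VALUES (?, ?, ?, ?)", ROWS)
    return db


def preview_exclusion(db, query, function_keys):
    """Split one SOD function's entitlement keys into (excluded, still evaluated)."""
    hits = {row[0] for row in db.execute(query)}
    mapped = set(function_keys)
    return sorted(mapped & hits), sorted(mapped - hits)


def unmatched_keys(db, query, function_keys):
    """Keys the query returns that the function never maps; review these for scope."""
    hits = {row[0] for row in db.execute(query)}
    return sorted(hits - set(function_keys))


if __name__ == "__main__":
    db = load_sample()
    f001 = [101, 102, 104]  # hypothetical entitlement mapping for SOD function F001
    for label, query in (("by name", BY_NAME), ("by marker", BY_MARKER)):
        excluded, evaluated = preview_exclusion(db, query, f001)
        print(label, "excluded:", excluded, "evaluated:", evaluated,
              "returned but not mapped:", unmatched_keys(db, query, f001))
```

Reviewing the excluded and still-evaluated sets per function keeps an exclusion from hiding more of the SOD evaluation than intended.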
Last update: 10/05/2023 11:41 AM