SoD Cockpit
SoD conflicts
Introduction
- The SOD engine of CSI Accelerator uses queries to define SOD rules. A query contains the transaction codes and authorization values that are checked during an audit. The CSI applications use a two-step approach: first the relation (user – query) or (role – query) is set up, and in a second phase the SOD analysis is performed.
- CSI Accelerator uses two different relations: Query Concept and Query Norm
- This unique approach allows CSI Accelerator to cover SOD issues such as:
  - Highlighting differences between the conceptual design and the live concept.
  - Highlighting the accumulation of access rights problem.
  - Allowing non-technical people to perform simulations without changing the roles and without changing the assignments (user – role).
Single Roles – Query Concept
- This information is shown in the Query tab.
- It represents the conceptual set-up of the roles, in other words which content a single role should contain. In a two-layer concept (RBAC) the single role represents the task layer, so Role – Query is usually a 1:1 relation. For instance, the role “vendor master data maintenance” is linked during the conceptual phase with the query “vendor master data maintenance”.
Single Roles – Query Norm
- It represents the actual set-up of the single role (based on the saved audit results). In other words it reflects what the single role actually gives access to.
Compare “Single Role – Query Concept” versus “Single Role – Query Norm”
- The comparison of both results gives the end user the differences between the conceptual design and the live concept.
Composite Roles – Query Concept
- This relation cannot be maintained in CSI Accelerator: by definition a composite role contains single roles, and the query concept is defined on single role level only. A composite role therefore conceptually inherits all queries assigned to its single roles.
- The inherited set of queries is shown in the Σ Queries tab.
Composite Roles – Query Norm
- This information is shown in the Norm tab.
- It represents the actual set-up of the composite role (based on the saved audit results). In other words it reflects what the composite roles give access to.
Composite Roles – Σ Query Norm
- This information is shown in the Query View tab.
- It represents the sum of the Query Norms (the actual set-up) of all single roles assigned to this composite role.
Compare “Composite Role – Query Norm” vs “Composite Role – Σ Query Norm”
- The comparison of both results gives the end user an overview of the accumulation of access rights problem: queries that appear in the composite role's Query Norm but not in its Σ Query Norm are only satisfied by the combination of single roles, not by any single role on its own.
Summary: there are 4 item – query relations possible:
- Single Role – Query Concept
- Single Role – Query Norm
- Composite Role – Query Norm
- User – Query Norm
Query Concept is thus only possible on single role level.
The entries can be created manually or automatically, using the audit engine of CSI Accelerator® (AGR audit) or the audit engine of CSI Authorization Auditor® (UST audit).
Overview
- Since Query Norm can be defined on every level, you need to set in the application configuration how the SOD analysis is performed on Query Norm level: for a user SOD analysis, should the application check the User – Query Norm relation or the User – Single roles – Query Norm relation? The difference between the two is the accumulation of access rights: only the User – Query Norm relation reflects queries that are satisfied by the user's combined roles but by none of the single roles on its own.
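The item – query relations described above (Query Concept versus Query Norm on single roles, Query Norm versus Σ Query Norm on composite roles) and the two user SOD analysis modes from the Overview setting, as a small runnable model. This is an added example, not CSI Accelerator code: the role names, query names, transaction codes, authorization values and SOD rules are constructed for illustration, and the audit() function is a stand-in for the saved AGR/UST audit results that the product reads.

```python
"""Toy model of the item - query relations used by the SoD Cockpit.
Added illustration, not CSI Accelerator code: all role names, query names,
transaction codes and authorization values below are constructed.
A query is matched against a flat set of authorization "atoms"
(a transaction code or an object/field=value string) standing in for
the saved AGR/UST audit results the product reads."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Query:
    name: str
    atoms: frozenset   # transaction codes and authorization values the query checks

QUERIES = [
    Query("vendor master data maintenance", frozenset({"TCODE:XK02", "F_LFA1_APP/ACTVT=02"})),
    Query("vendor invoice entry", frozenset({"TCODE:FB60", "F_BKPF_BUK/ACTVT=01"})),
    Query("payment run", frozenset({"TCODE:F110", "F_REGU_BUK/FBTCH=21"})),
]

# SoD rules: pairs of queries that must not be granted together (constructed).
SOD_RULES = [
    frozenset({"vendor master data maintenance", "vendor invoice entry"}),
    frozenset({"vendor invoice entry", "payment run"}),
]

def audit(atoms: set) -> set:
    """Stand-in audit engine: names of all queries fully satisfied by `atoms`."""
    return {q.name for q in QUERIES if q.atoms <= atoms}

@dataclass
class SingleRole:
    name: str
    atoms: set                                   # live content of the role
    concept: set = field(default_factory=set)    # Query Concept: design intent

    def norm(self) -> set:
        """Query Norm: what the audit finds the role actually gives access to."""
        return audit(self.atoms)

@dataclass
class CompositeRole:
    name: str
    singles: list

    def norm(self) -> set:
        """Query Norm of the composite: audit of all its content at once."""
        return audit(set().union(*(s.atoms for s in self.singles)))

    def sigma_norm(self) -> set:
        """Σ Query Norm: the sum of the single roles' own norms."""
        return set().union(*(s.norm() for s in self.singles))

def concept_vs_norm(role: SingleRole) -> dict:
    """Single role: differences between conceptual design and live concept."""
    live = role.norm()
    return {"designed_but_missing": role.concept - live,
            "live_but_not_designed": live - role.concept}

def accumulation(comp: CompositeRole) -> set:
    """Queries the composite grants that none of its single roles grants alone."""
    return comp.norm() - comp.sigma_norm()

def conflicts(granted: set) -> set:
    return {rule for rule in SOD_RULES if rule <= granted}

def user_sod(roles: list, via_single_roles: bool) -> set:
    """User SoD analysis in the two configurable modes:
    via_single_roles=True  -> User - Single roles - Query Norm (sum of role norms)
    via_single_roles=False -> User - Query Norm (audit of the user's total content)"""
    singles = [s for r in roles
               for s in (r.singles if isinstance(r, CompositeRole) else [r])]
    if via_single_roles:
        granted = set().union(*(s.norm() for s in singles))
    else:
        granted = audit(set().union(*(s.atoms for s in singles)))
    return conflicts(granted)

# Constructed roles. Z_AP_INVOICE drifted from its concept: it also got vendor
# master access. Z_PAY_TCODE and Z_PAY_OBJ each hold only half of "payment run".
VENDOR_MD = SingleRole("Z_VENDOR_MD", {"TCODE:XK02", "F_LFA1_APP/ACTVT=02"},
                       concept={"vendor master data maintenance"})
INVOICE = SingleRole("Z_AP_INVOICE",
                     {"TCODE:FB60", "F_BKPF_BUK/ACTVT=01", "TCODE:XK02", "F_LFA1_APP/ACTVT=02"},
                     concept={"vendor invoice entry"})
PAY_TCODE = SingleRole("Z_PAY_TCODE", {"TCODE:F110"})
PAY_OBJ = SingleRole("Z_PAY_OBJ", {"F_REGU_BUK/FBTCH=21"})
AP_CLERK = CompositeRole("ZC_AP_CLERK", [INVOICE, PAY_TCODE, PAY_OBJ])

if __name__ == "__main__":
    print("concept vs norm :", concept_vs_norm(INVOICE))
    print("accumulation    :", accumulation(AP_CLERK))
    print("via single roles:", user_sod([AP_CLERK], via_single_roles=True))
    print("via user norm   :", user_sod([AP_CLERK], via_single_roles=False))
```

Running it shows the three effects the cockpit is built to surface: concept_vs_norm(INVOICE) reports vendor master data maintenance as live but not designed; accumulation(AP_CLERK) reports payment run, which neither Z_PAY_TCODE nor Z_PAY_OBJ satisfies alone; and the user analysis finds only the vendor master/invoice conflict when it sums the single roles' norms, but both rules when it audits the user's total content, which is exactly the accumulation difference between the two configuration options.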
Data source
- Queries (concept): run the SoD analysis using the Query Concept relations on roles or users.
- Queries (norm): include the Query Norm relations in the analysis.
- Cross logical system: perform the SOD check across logical systems.
- Report all logical system conflicts: report the conflicts found for all logical systems.
- Exclude norm (not allowed): take into account the norms that are flagged as excluded (not allowed) in the query norms master data.
- Result container data: read queries from the result container instead of the concept database.
- Filter variants: make a selection of variants.
- Filter logical systems: make a selection of logical systems.
Select SoD conflicts in the grid.
This document is up to date with version 10.0.4.90 of CSI Accelerator