Question:
We have a filterset with multiple tasks and combinations with SoD conflicts.
The following audits have already performed:
- User Analysis: users with listed conflicts
- Role Analysis (expert mode: users deselected, roles selected): role with conflicts in it
We also would like to examine what combination of roles cause conflicts.
How do we do that?
Answer:
To do an SoD analysis at the level of profiles it is sufficient to do a role analysis in expert mode in "Prepare" and with all needed single and composite roles selected, while deselecting all users.
Then you do a 2nd level multiple run of minimal all queries needed for the conflicts that you want to check. The results will automatically be saved in the Resulting Container. Make sure to start with an empty Result Container before the analysis.
Once the analysis is complete, you can use the Segregation of Duties functionality to see which conflicts are in one single role (thus not in a combination of role A and role B).
If however you want to check whether new conflicts arise by merging roles, there is an alternative procedure:
Create a composite role with the two single roles, for which you want to check the cumulation. Do a multiple run 2nd level for queries you need, where you select only the 2 single roles in the "Prepare" AND the new composite role.
If this results in additional SoD conflicts that did not show in either single role, you know that this conflict results from the combination of two single roles.