We are wanting to create and Segregation of Duties Rule to create an violation if the user has more than one role in an roleset. In our scenario, a user can only have one role in an roleset.
The roleset has 14 roles.
Thanks,
We are wanting to create and Segregation of Duties Rule to create an violation if the user has more than one role in an roleset. In our scenario, a user can only have one role in an roleset.
The roleset has 14 roles.
Thanks,
Only way I can see this work is if you create all the different combination but that doesn't scale or easy to maintain
Edwin
I have implemented a bit more simple solution. For role A create a rule. Entitlement set1 is role A. For Entitlement set2 also set role A, press advanced button and change 'in' operator to 'not in'. This way you should have something like this:
This way you will have the rule for one role. Export it and change in some editor the role name for each role. When importing the rules you should have a SoD rule for each role.
Thanks for the response.
I could not think of a better solution. We proceeded with this approach.
The only negative is that we have to remember to create another rule when we add new roles to the roleset.
Thanks,
Hi,
I think I remember solving this before.
I used a User Access rule.
the user scope is a advanced filter. it must return the id/user_ids (depends on how you build that advanced filter) for users that have more than 3 memberships in that particular role set.
pseudo SQL (from the top of my head)
User."Id" in (select rm.member_id from avuser.t_applications rs, avuser.t_av_roles rl, avuser.t_av_rolememberships rm where rl.roleset_id=rs.id and rl.id=rm.role_id and rs.name='yourroleset' and rs.resource_type='R' and rm.member_type='user' group by rl.id having count(1) > 3)
basically the rule would disallow any user having memberships / access to the roles in your roleset. but as we scope the users to only include the user IDs that have more than 3 memberships, all the ones in the safe zone drop out and don't get a violation associated with them.
query may need tweaking. that part of the product is a bit picky when it comes to joins and groupings.
Frank
Hello,
Interesting approach.
I will play with that. I may be able to use that approach for other uses.
Thank your for your response.
I have implemented a bit more simple solution. For role A create a rule. Entitlement set1 is role A. For Entitlement set2 also set role A, press advanced button and change 'in' operator to 'not in'. This way you should have something like this:
This way you will have the rule for one role. Export it and change in some editor the role name for each role. When importing the rules you should have a SoD rule for each role.