We want to create a Segregation of Duties rule that creates a violation if a user has more than one role in a roleset. In our scenario, a user can only have one role in a roleset.
The roleset has 14 roles.
I have implemented a somewhat simpler solution. For role A, create a rule. Entitlement set 1 is role A. For Entitlement set 2, also set role A, press the Advanced button and change the 'in' operator to 'not in'. This way you should have something like this:
This way you will have the rule for one role. Export it and change the role name in an editor for each role. When you import the rules, you should have an SoD rule for each role.
The only way I can see this working is if you create all the different combinations, but that doesn't scale and isn't easy to maintain.
Thanks for the response.
I could not think of a better solution. We proceeded with this approach.
The only negative is that we have to remember to create another rule when we add new roles to the roleset.
I think I remember solving this before.
I used a User Access rule.
The user scope is an advanced filter. It must return the id/user_ids (depending on how you build that advanced filter) for users that have more than 3 memberships in that particular roleset.
Pseudo SQL (off the top of my head):
User."Id" in (
  select rm.member_id
  from avuser.t_applications rs, avuser.t_av_roles rl, avuser.t_av_rolememberships rm
  where rl.roleset_id = rs.id
    and rl.id = rm.role_id
    and rs.name = 'yourroleset'
    and rs.resource_type = 'R'
    and rm.member_type = 'user'
  group by rm.member_id   -- group per user, not per role, so the count is memberships per user
  having count(1) > 3
)
Basically, the rule would disallow any user from having memberships / access to the roles in your roleset. But as we scope the users to only include the user IDs that have more than 3 memberships, all the ones in the safe zone drop out and don't get a violation associated with them.
The query may need tweaking. That part of the product is a bit picky when it comes to joins and groupings.
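The user-scope query above, as an added, runnable example that is not part of the original post or of the product: it rebuilds the three tables named in the query in an in-memory SQLite database (the column set, the sample rolesets, roles and memberships are all constructed for this example, and the `avuser` schema prefix is dropped because SQLite has no schemas), then runs the scope query with the threshold as a parameter. It groups by `rm.member_id` so the count is memberships per user, counts distinct roles so a duplicated membership row cannot create a false violation, and also shows what grouping by `rl.id` computes instead (members per role), which is why that grouping cannot answer the question.

```python
import sqlite3

# Schema constructed for this example, modelled on the table names in the
# posted query; the column set is an assumption, not the product's definition.
SCHEMA = """
CREATE TABLE t_applications (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, resource_type TEXT NOT NULL);
CREATE TABLE t_av_roles (
    id INTEGER PRIMARY KEY, roleset_id INTEGER NOT NULL, name TEXT NOT NULL);
CREATE TABLE t_av_rolememberships (
    role_id INTEGER NOT NULL, member_id INTEGER NOT NULL, member_type TEXT NOT NULL);
"""

# Constructed sample data. Roleset 'Finance' (resource_type 'R') has 14 roles.
# A second roleset 'HR' and a non-roleset application also named 'Finance'
# (resource_type 'A') exist to show that the name and type filters matter.
APPLICATIONS = [(1, "Finance", "R"), (2, "HR", "R"), (3, "Finance", "A")]
ROLES = [(100 + i, 1, f"FIN_{i:02d}") for i in range(1, 15)] + [
    (201, 2, "HR_01"), (202, 2, "HR_02"), (203, 2, "HR_03"), (301, 3, "APP_01")]
MEMBERSHIPS = [
    (101, 1, "user"),                                   # user 1: one Finance role
    (101, 2, "user"), (102, 2, "user"), (101, 2, "user"),  # user 2: two roles, one duplicated row
    (101, 3, "user"), (102, 3, "user"), (103, 3, "user"), (104, 3, "user"),  # user 3: four
    (201, 5, "user"), (202, 5, "user"), (203, 5, "user"), (301, 5, "user"),  # user 5: HR + app
    (101, 9, "group"), (102, 9, "group"), (103, 9, "group"),  # a group, not a user
]

# Correct scope query: one row per user holding more than ? roles in roleset ?
VIOLATORS_SQL = """
SELECT rm.member_id, COUNT(DISTINCT rl.id) AS role_count
FROM t_applications rs
JOIN t_av_roles rl ON rl.roleset_id = rs.id
JOIN t_av_rolememberships rm ON rm.role_id = rl.id
WHERE rs.name = ? AND rs.resource_type = 'R' AND rm.member_type = 'user'
GROUP BY rm.member_id            -- per user, not per role
HAVING COUNT(DISTINCT rl.id) > ?
"""

# What grouping by the role id computes instead: users per role.
MEMBERS_PER_ROLE_SQL = """
SELECT rl.id, COUNT(DISTINCT rm.member_id)
FROM t_applications rs
JOIN t_av_roles rl ON rl.roleset_id = rs.id
JOIN t_av_rolememberships rm ON rm.role_id = rl.id
WHERE rs.name = ? AND rs.resource_type = 'R' AND rm.member_type = 'user'
GROUP BY rl.id
"""


def build_db():
    """Create the in-memory database and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO t_applications VALUES (?, ?, ?)", APPLICATIONS)
    conn.executemany("INSERT INTO t_av_roles VALUES (?, ?, ?)", ROLES)
    conn.executemany("INSERT INTO t_av_rolememberships VALUES (?, ?, ?)", MEMBERSHIPS)
    conn.commit()
    return conn


def violators(conn, roleset, max_roles):
    """{user_id: distinct role count} for users holding more than max_roles
    roles in the named roleset; this is the set the rule's user scope should
    resolve to (max_roles=1 for the 'only one role per roleset' requirement)."""
    return {uid: n for uid, n in conn.execute(VIOLATORS_SQL, (roleset, max_roles))}


def members_per_role(conn, roleset):
    """{role_id: user count}: the number a GROUP BY rl.id actually yields."""
    return {rid: n for rid, n in conn.execute(MEMBERS_PER_ROLE_SQL, (roleset,))}


if __name__ == "__main__":
    db = build_db()
    print("more than one Finance role:", violators(db, "Finance", 1))
    print("more than three Finance roles:", violators(db, "Finance", 3))
    print("users per Finance role:", members_per_role(db, "Finance"))
```

With the threshold set to 1, users 2 and 3 are returned and user 1, the group and the user whose four roles sit in other rolesets are not; with the poster's threshold of 3, only user 3 remains. When porting this to the product's own database, keep the `GROUP BY` on the member id and expect to adjust the join syntax, as the poster warns.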
I will play with that. I may be able to use that approach for other uses.
Thank you for your response.