You can search for a role that matches the security scenario. If no perfect match is found, you can create a role for the security scenario in several ways.
The match roles function gets the security configuration data from the latest snapshot.
Name | Responsible | Description |
---|---|---|
Create snapshot |
Security administrator |
You create snapshots to be able to use Security and compliance studio functions, for example:
SnapshotA snapshot is an image of the security configuration at a specific date and time. A snapshot consists of:
Snapshot creationYou create a snapshot in these cases:
You are advised to create snapshots:
Dynamic snapshotIn the Security and compliance studio parameters, you can use the 'Enable dynamic snapshots' field to enable automatic updates of security configuration changes to the latest snapshot. So, no new snapshot is required each time you change the security configuration. Automatic updates of security configuration changes to the latest snapshot are done when you, for example:
Note: If yo use dynamic snapshots, you are advised to create a snapshot regularly. You do so to ensure that no security inconsistencies occur and to create a safety net, |
Match security roles to security scenario |
Security administrator |
Use match roles to match all securable objects, as defined in a security scenario, to security roles. In general, a match means that the securable object exists on the role with a given access level.
Which roles are a match, is defined by:
You can match roles in these ways:
Each security role, with a match for at least one of the securable objects from the security scenario, is shown as a matched role. The matching degree of each matched security role indicates to what extent the role has matching entry points.
If you find a matched security role, you can assign users to it.
|
Create segregation of duty |
Security administrator |
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. Complete the following procedure to create a rule from the Match roles page. |
Duplicate role |
Security administrator |
It is advisable to create a subset of security roles that are actually used in your company. This way, the security administrator has a better overview of the security roles that are used in your company. So, if a standard security role matches a scenario, you can create an exact copy of this standard security role and assign this copy to the applicable users. |
Create role from scenario based on selected role and selected duties and/or privileges |
Security administrator |
If a partially matched security role is found, you can create a new security role based on the selected role and selected duties and/or privileges. |
Create role from scenario with selected duties |
Security administrator |
If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched duties. So, you can create a specific security role, which is still based on the security scenario. The matched duties have at least one of the securable objects from the scenario. In determining the match, the access level for the securable objects, as defined on the security scenario, are not considered.
Note that:
This information offers the opportunity to reduce license costs. You can search for and select the duties with the lowest license type.
|
Create role from scenario with selected privileges |
Security administrator |
If you match roles to the securable objects from a security scenario, you can choose to create a new role from a selection of matched privileges. So, you can create a specific security role, which is still based on the security scenario.
This information offers the opportunity to reduce license costs. You can search for and select the privileges with the lowest license type. |