Flows
| Flow | Description |
|---|---|
|
Audit security history |
In the Security and compliance studio, you can audit the security configuration in several ways. You can also generate a security history log report for audit or other compliance requirements. |
|
Compose security scenarios |
You can use a security scenario to indicate all securable objects and related access levels that are required for a user to perform one or more tasks. |
|
Explore security configuration |
You can explore the security configuration for:
The security explorer gets the security configuration data from the latest snapshot. |
|
Manage security scenarios and match roles |
You can use security scenarios to record and define all securable objects and related access levels that are required for a user to perform one or more tasks. You can create a security role in several ways. In the Security and compliance studio, you can record the working tasks for a target user. The recording results are stored in a security scenario. You can use this security scenario to fine-tune all securable objects and related access levels that are required for the target user to perform the working tasks. If the security scenario is complete, you can search for a role that matches the security scenario. If no perfect match is found, you can create a security role for the security scenario in several ways. You can link the matched or new security role to the applicable users. |
|
Manage segregation of duties |
You can set up rules to separate tasks that must be performed by different users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. |
|
Manage segregation of duties (enhanced) |
You can set up rules to separate tasks that must be performed by different roles or users. This concept is named segregation of duties. For example, you might not want the same person both to acknowledge the receipt of goods and to process payment to the vendor. Segregation of duties helps you reduce the risk of fraud, and it also helps you detect errors or irregularities. You can also use segregation of duties to enforce internal control policies. Why consider using the enhanced segregation rules? With the enhanced segregation rules, you can not only define segregation rules on duty level, but also on privilege level, on entry point level, and with segregation security sets.
With a segregation rule on duty level only, the related privileges or entry points can also be linked to another duty to which the segregation rule does not apply. By defining the segregation on a lower level (privilege or entry point), you can enforce segregation more precisely.
If you use enhanced segregation rules, the related validation and verification of user-role compliance is done on the defined level.
Example:
SoD-rule1 segregates Duty1 and Duty2. So, these duties cannot be linked to the same role/users. For example, Role1.
Using the entry points of Duty1, a new duty is created: Duty3.
Using the entry points of Duty2, a new duty is created: Duty4.
As SoD-rule1 does not segregate Duty3 and Duty4, both can be linked to Role1. This gives Role1 all rights as defined by Duty1 and Duty2, which is not allowed by SoD-rule1.
SoD-rule2 segregates EntryPoint1 and EntryPoint5. By defining the segregation on entry point level, Duty3 and Duty4 are not allowed together for Role1.
Segregation on duty level only:
Segregation on entry point level:
|
|
Manage stand-ins |
You can appoint a user as a stand-in for another user for a specified period. For example, if a user has a vacation, you can appoint a stand-in during this vacation. For auditing purposes, you cannot delete stand-in records with periods in the past. |
|
Match roles |
You can search for a role that matches the security scenario. If no perfect match is found, you can create a role for the security scenario in several ways. The match roles function gets the security configuration data from the latest snapshot. |
|
Merge security roles |
You can merge existing security roles into another existing security role or a new security role. |