If an initial analysis run returned a high volume of incidents, you should not only
decide on a focus area, but also create filtered views that include only those
controls that you want to focus on. For example, if you choose to focus on a
priority area, the Procure-to-Pay business area, filter on that priority and business area,
and then create a view. This makes it easy to quickly select the records you are
analyzing and working to remediate.
Reviewing intra-role incidents
Intra-role incidents occur when access points within the same role conflict.
Clean these up first. A role that contains access points that conflict with each
other has been set up incorrectly. When you start by eliminating intra-role incidents, you
may also clean up several inter-role incidents.
View the Intra-Role Violations by Control report, found in the Report Management
task. This gives a high-level view of roles that have conflicting access points within
themselves. You may want to focus on controls that you have rated as the
highest priority.
View the Access Violations Within a Single Role (Intra-Role) report. For a given role that
has conflicting access points within itself, it shows the controls that are violated and
their details, including the users and access points with incidents.
First, use the Intra-Role Violations by Control report to determine your highest
priority controls with intra-role conflicts. Then run this report and focus on cleaning
up the roles related to those high-risk controls first.
A role may be expected to incorporate conflicts. For example, a Purchasing Super
User role may incorporate all purchasing functions, including some that conflict,
such as the ability to create a purchase order and approve it. Such a role would be
assigned sparingly, but might nevertheless be necessary for high-level managers
to do their jobs. As a result, AACG permits the creation of a sensitive access
control: one that sets a responsibility or role in conflict with itself because it
provides so much authority that any user should require approval before being
granted access to it.
In most cases, however, a role should not contain access points that conflict with one
another. The Access Violations Within a Single Role (Intra-Role) report identifies such
roles so that conflicts may be removed from them.
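The triage described above, as an added example that is not from the original text and is not AACG's own logic: a simplified Python model in which a control is a pair of conflicting access points. It lists self-conflicting roles by control priority, classifies each incident as intra-role or inter-role, and shows that correcting one incorrectly built role also clears an inter-role incident. All control, role, and user names are constructed, except Purchasing Super User, which is the example role named in the text.

```python
# Constructed sample data; a simplified model, not AACG's data model.
# Each control names two access points one user should not hold together.
CONTROLS = {
    "C1": {"priority": 1, "pair": ("Create PO", "Approve PO")},
    "C2": {"priority": 2, "pair": ("Create Supplier", "Pay Invoice")},
}
ROLES = {
    "Buyer": {"Create PO"},
    "PO Approver": {"Approve PO"},
    "Purchasing Super User": {"Create PO", "Approve PO"},  # expected conflict
    "Payables Clerk": {"Pay Invoice", "Create Supplier"},  # set up incorrectly
    "Payment Manager": {"Pay Invoice"},
}
USER_ROLES = {
    "alice": ["Payables Clerk"],
    "bob": ["Buyer", "PO Approver"],
    "carol": ["Payables Clerk", "Payment Manager"],
    "dave": ["Purchasing Super User"],
}

def intra_role_by_control(controls, roles):
    """Roles that contain both sides of a control, highest priority first."""
    rows = [(c["priority"], cid, name)
            for cid, c in controls.items()
            for name, points in roles.items()
            if set(c["pair"]) <= points]
    return [(cid, name) for _, cid, name in sorted(rows)]

def incidents(controls, roles, user_roles):
    """One incident per (user, control, role path) yielding both access points."""
    found = {"intra": [], "inter": []}
    for user, assigned in sorted(user_roles.items()):
        for cid, c in sorted(controls.items()):
            a, b = c["pair"]
            for ra in assigned:
                for rb in assigned:
                    if a in roles[ra] and b in roles[rb]:
                        kind = "intra" if ra == rb else "inter"
                        found[kind].append((user, cid, ra, rb))
    return found

def without_access_point(roles, role, point):
    """Return a copy of roles with one access point removed from one role."""
    fixed = {name: set(points) for name, points in roles.items()}
    fixed[role].discard(point)
    return fixed

if __name__ == "__main__":
    fixed = without_access_point(ROLES, "Payables Clerk", "Create Supplier")
    print(incidents(CONTROLS, ROLES, USER_ROLES), incidents(CONTROLS, fixed, USER_ROLES))
```

In this sample, the remaining intra-role incident belongs to the Purchasing Super User role, the kind of expected conflict that a sensitive access control is meant to cover rather than remove.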
 