Idea Details

SoD rule enhancement

Last activity 06-03-2019 08:22 PM
10-23-2015 03:59 AM

I would like to create an enhancement request for the Risk module in Identity Portal.

A SoD rule is created that prevents the user from having two permissions at the same time.

Suppose that the user first requests one permission and this goes into an approval Workflow. Before this request is approved, the user then requests the other permission. He can do that even though the permissions are not allowed to be combined! It should be possible to prevent this.


Comments

12-21-2017 11:45 PM

You can do what is suggested by Per Borg above (escalation).

At one of our other clients, we also implemented logic where the request can be raised only once and, until that is fulfilled, subsequent requests cannot be raised. Workflow is very flexible as far as the logic you want to implement, but it would require customization.

12-21-2017 02:53 AM

Regarding users going on long vacations, you can solve that issue in the following ways:

  • Implement escalation at the WF approval level. E.g. if a request is not handled within a week's time, it gets escalated to the next level.
  • You can enable the feature to let the requesters cancel their requests.

12-21-2017 02:13 AM

We are talking security here with SoD. In this case, I would prefer to have to deal with the rare case of a user on a long vacation requesting a wrong right, handled as an exception, than to allow bad-intent users to request several rights in SoD.

For sure, we can implement it at the IM level, but there are 2 issues:

- it is non-standard and needs to be maintained

- the error message displayed to the Customer when the request is intercepted at the IM level cannot look the same as the one from IP on a "normal" SoD violation.

11-20-2017 12:05 PM

Let's say, just for the sake of the argument, there is a work item submitted by mistake and assigned to someone on a long vacation who forgot to set the out-of-office. The user won't be able to request the right access and will have to wait for someone to reject the request first.

So, yes, there is an SoD bypass, but on the other hand you can also take care of it on the permission-fulfilling side in IDM:

you can have a set of PXs or an Identity policy that will trigger if someone tries to bypass the SoD and stop processing.

07-20-2017 09:41 AM

Hello Per,


I was going to create a similar idea and found yours. The principle is to include the current requests in the SOD rule validation process (on top of current user permissions and the cart contents).


Since I ended up taking screenshots (in the newest version, IP 14 CR2) of the whole process to bypass the SOD, rather than having it on another thread I'm going to add it here, if you don't mind:

1. SOD Rule:

2. If a new request contains both permissions, the SOD is correctly enforced:

3. But, if you feel like bypassing this security measure, you can always request them separately:

4. The subsequent approvals don't contain any alert either:

5. In the end, the user can effectively and simply bypass the SOD enforcement:

6. The only evidence of this is the "Current Risk" information:

As a side note, we presented the SOD to one of our customers and they decided they cannot include the SOD feature in their internal IAM offer because of this.


Regards,

Pedro
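The gap the thread describes, and the two fixes proposed in it (counting in-flight requests during SoD validation, and re-checking SoD on the fulfilment side in IDM), as an added worked example. This is illustrative code written for this page, not Identity Portal's or Identity Manager's own implementation; the permission names, the `SOD_RULES` table and the `AccessState`/`validate_cart`/`fulfil` functions are all constructed for the example. `include_pending=False` reproduces the behaviour shown in the screenshots (only granted permissions plus the current cart are checked, so two conflicting permissions requested in separate carts are never seen together); `include_pending=True` is the enhancement Pedro and Per ask for.

```python
"""SoD validation that also counts pending requests (constructed example)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple

# Constructed SoD rules: each frozenset is a pair of permissions that the
# same user must never hold together. Permission names are made up here.
SOD_RULES: Set[FrozenSet[str]] = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"HR_CREATE_EMPLOYEE", "PAYROLL_RUN"}),
}


@dataclass
class AccessState:
    """What the SoD engine knows about one user (hypothetical model)."""
    granted: Set[str] = field(default_factory=set)  # already provisioned
    pending: Set[str] = field(default_factory=set)  # requested, awaiting approval


def sod_violations(permissions: Set[str]) -> List[Tuple[str, str]]:
    """Return every SoD rule whose two halves are both present in `permissions`."""
    hits = [rule for rule in SOD_RULES if rule <= permissions]
    return sorted(tuple(sorted(rule)) for rule in hits)


def validate_cart(state: AccessState, cart: Set[str],
                  include_pending: bool) -> List[Tuple[str, str]]:
    """Evaluate a new request (the cart) against the user's effective access.

    include_pending=False: only granted permissions and the cart are checked,
    which is the behaviour the thread describes; a conflicting permission that
    is still in an open request is invisible to the rule.
    include_pending=True: in-flight requests count too, closing that gap.
    """
    effective = set(state.granted) | set(cart)
    if include_pending:
        effective |= state.pending
    return sod_violations(effective)


def submit_request(state: AccessState, cart: Set[str],
                   include_pending: bool = True) -> bool:
    """Accept the cart into the approval workflow only if it is SoD-clean."""
    if validate_cart(state, cart, include_pending):
        return False
    state.pending |= set(cart)
    return True


def fulfil(state: AccessState, permission: str) -> bool:
    """Fulfilment-side guard, the IDM-policy idea from the thread: re-check
    SoD at provisioning time, after approval, so a request that slipped past
    the request-time check (or a user whose access changed while the request
    was pending) is stopped before anything is provisioned."""
    state.pending.discard(permission)
    if sod_violations(state.granted | {permission}):
        return False  # stop processing; do not provision
    state.granted.add(permission)
    return True


if __name__ == "__main__":
    user = AccessState(pending={"AP_CREATE_VENDOR"})  # first request in flight
    cart = {"AP_APPROVE_PAYMENT"}                      # second, conflicting request
    print("current behaviour :", validate_cart(user, cart, include_pending=False))
    print("with pending      :", validate_cart(user, cart, include_pending=True))
    approved = AccessState(granted={"AP_CREATE_VENDOR"})
    print("fulfilment guard  :", fulfil(approved, "AP_APPROVE_PAYMENT"))
```

Both checks are needed in practice: the request-time check gives the requester the normal SoD error in the portal (the point raised about error messages differing between IP and IM), while the fulfilment-time check is the backstop that stops provisioning if anything reaches IDM regardless.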