Change a Separation Rule
-
From the Separation Rules list, select the rule you want to change.
-
Modify the privileges for each application if needed:
-
Select the application in the list. The Details pane is displayed on the right side of the window.
-
For each privilege, select one of the following options:
Option
Description
Allow
Select this option if the rule you’re creating includes access to this privilege. For example, if you want to find any users that have access to a permission called “sensitive accounts”, select the Allow button next to the “sensitive accounts” privilege.
Each privilege you allow or deny adds another criterion that must be met for a user to be identified. For example, if you select the Allow button next to both “sensitive accounts” and “G/L accounts”, a user would have to have both of those privileges to show up in the Separation Rules review.
Deny
Select this option if the rule you want to create includes not having access to this privilege. For example, if you want to find any users that do not have access to a permission called “Limit G/L Maintenance”, select the Deny button next to the “Limit G/L Maintenance” privilege.
Each privilege you allow or deny adds another criterion that must be met for a user to be identified. For example, if you select the Allow button next to “sensitive accounts” and the Deny button next to “Limit G/L Maintenance”, a user would have to meet both of those criteria to show up in the Separation Rules review.
Reset
To reset the privilege to neither allowed nor denied, select the dot between the Allow and Deny options.
Reminder:
It's the combination of privilege settings within each application of the rule that will cause the rule to be matched against your identities. If all privileges are exactly matched to the rule pattern, a separation violation is created and the user will show up in your review.
For instance, if you set up a rule to allow privilege "55" from the CARM application, and set the "Access Batch Interfaces" permission from CRIF to deny, then any user that has access to permission 55 in CARM and does not have access to "Access Batch Interfaces" in CRIF will show up in the review (assuming Separation Rules are included within the review).
-
Select the Settings tab. This tab allows you to change the name, description, and enabled/disabled status.
Rules can also be archived by selecting the Archive Rule link in the lower-right corner of the window.
If a rule is archived, it can be restored by selecting the Restore Rule link.
-
If all changes have been made to the rule and it is ready to be used, make sure the Enabled field is turned on (showing green) and then select Save.
If you have additional changes to make, you can leave the rule disabled and still save changes by selecting the Save button.
-
To return to the Separation Rules list, select the Separation Rules link shown at the top left of the page, just below the title of the rule.
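
The matching logic described in the Reminder above, written out as an added Python example (not the product's own code) so a rule can be checked against sample users before it is enabled. The class and function names, the sample users, and the handling of disabled or empty rules are assumptions made for illustration.

```python
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"

@dataclass(frozen=True)
class SeparationRule:
    name: str
    enabled: bool
    # {application: {privilege: ALLOW or DENY}}; a Reset privilege is simply absent.
    criteria: dict

def unmet_criteria(rule, entitlements):
    """Return the (application, privilege, setting) criteria this user fails."""
    unmet = []
    for app, privileges in rule.criteria.items():
        held = entitlements.get(app, set())
        for privilege, setting in privileges.items():
            if setting not in (ALLOW, DENY):
                raise ValueError(f"bad setting {setting!r} for {app}/{privilege}")
            # Allow requires the privilege to be held; Deny requires it to be absent.
            if (setting == ALLOW) != (privilege in held):
                unmet.append((app, privilege, setting))
    return unmet

def find_violations(rule, identities):
    """Users for whom every criterion in every application is met."""
    # Assumptions: disabled rules are skipped, and a rule with no criteria
    # matches nobody rather than everybody.
    if not rule.enabled or not any(rule.criteria.values()):
        return []
    return sorted(u for u, ent in identities.items() if not unmet_criteria(rule, ent))

# The rule from the Reminder above; the rule name and users are constructed sample data.
RULE = SeparationRule("CARM 55 without batch access", True, {
    "CARM": {"55": ALLOW},
    "CRIF": {"Access Batch Interfaces": DENY},
})
IDENTITIES = {
    "alice": {"CARM": {"55"}},
    "bob": {"CARM": {"55"}, "CRIF": {"Access Batch Interfaces"}},
    "carol": {"CRIF": {"Access Batch Interfaces"}},
    "dave": {"CARM": {"55", "12"}, "CRIF": {"View Reports"}},
}

if __name__ == "__main__":
    print("violations:", find_violations(RULE, IDENTITIES))
    for user, ent in IDENTITIES.items():
        print(user, "unmet:", unmet_criteria(RULE, ent))
```

Listing the unmet criteria per user shows why someone expected in the review is missing: one unmatched privilege in any application is enough to keep them out.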