Create a New Separation Rule
Before creating a separation rule, identify the scenario you want to avoid. The scenario could be one that involves multiple applications or it could involve a single application.
It's the combination of privilege settings within each application of the rule that will cause the rule to be matched against your identities. If all privileges are exactly matched to the rule pattern, a separation violation is created and the user will show up in your review.
For instance, if you set up a Rule to allow "privilege "55" from the CARM application, and set the "Access Batch Interfaces" permission from CRIF to deny, then any user that has access to permission 55 in CARM and does not have access to "Access Batch Interfaces" in CRIF will show up in the review (assuming Separation Rules are included within the review).
To create a new separation rule, complete the following steps:
-
From the Separation Rules list, select the Create Rule button in the upper, right corner of the page. (If a Congratulations page appears, select the Get Started button to continue). A new rule is created and the Applications tab is displayed by default.
-
Add an application to the list by selecting the Select an Application field and then selecting the first application you want to add. Then, select the Add Application button. The application is added to the list.
-
Modify the privileges for the application as follows:
-
Select the application in the list. The Details pane is displayed on the right side of the window.
-
For each privilege, select one of the following options:
Option:
Description:
Allow
Select this option if the rule you’re creating includes access to this privilege. For example, if you want to find any users that have access to a permission called “sensitive accounts” then select the allow button next to the “sensitive accounts” privilege.
Each privilege you allow or deny will add another criteria that must be met in order for a user to be identified. For example, if you select the allow button next to both “sensitive accounts” and “G/L accounts”, a user would have to have both of those privileges to show up in the Separation Rules review.
Deny
Select this option if the rule you want to create includes not having access to this privilege. For example, if you want to find any users that have do not access to a permission called “Limit G/L Maintenance” then select the deny button next to the “Limit G/L Maintenance” privilege.
Each privilege you allow or deny will add another criteria that must be met in order for a user to be identified. For example, if you select the allow button next to “sensitive accounts” and the deny button next to “Limit G/L Maintenance”, a user would have to meet both of those criteria to show up in the Separation Rules review.
Reset
To reset the privilege to neither allowed nor denied, select the dot between the Allow and Deny options.
-
-
Repeat steps 2 and 3 as needed to create the rule as you want it.
-
Select the Settings tab.
-
Select the Rule Name field and replace "New Rule (empty)" with the name of the rule.
-
In the Description field, type a short description of the rule to explain what the rule does.
-
If all changes have been made to the rule and it is ready to be used, select the Enabled button to activate the rule. Then, select Save.
If you have additional changes to make, you can leave the rule disabled and still save changes by selecting the Save button.
-
To return to the Separation Rules list, select the Separation Rules link shown at the top, left of the page - just below the title of the rule.