Change a separation rule
To change a separation rule, complete the following steps:
- From the Separation Rules list, select the rule you want to change.
- Modify the privileges for each application if needed:
  a. Select the application in the list. The Details pane is displayed on the right side of the window.
  b. For each privilege, select one of the following options:

  | Option | Description |
  | --- | --- |
  | Allow | Select this option if the rule you're creating includes access to this privilege. For example, if you want to find any users that have access to a permission called "sensitive accounts", select the Allow button next to the "sensitive accounts" privilege. Each privilege you allow or deny adds another criterion that must be met for a user to be identified. |
  | Deny | Select this option if the rule you want to create includes not having access to this privilege. For example, if you want to find any users that do not have access to a permission called "Limit G/L Maintenance", select the Deny button next to the "Limit G/L Maintenance" privilege. Each privilege you allow or deny adds another criterion that must be met for a user to be identified. |
  | Reset | To reset the privilege to neither allowed nor denied, select the dot between the Allow and Deny options. |

  Reminder

  It's the combination of privilege settings within each application of the rule that causes the rule to be matched against your identities. If all privileges exactly match the rule pattern, a separation violation is created and the user shows up in your review. For instance, if you set up a rule to allow "privilege 55" from the CARM application and set the "Access Batch Interfaces" permission from CRIF to deny, then any user who has access to permission 55 in CARM and does not have access to "Access Batch Interfaces" in CRIF will show up in the review (assuming separation rules are included within the review).
- Select the Settings tab. This tab allows you to change the name, description, and enabled/disabled status.
  Rules can also be archived by selecting the Archive Rule link in the lower-right corner of the window. If a rule is archived, it can be restored by selecting the Restore Rule link.
- If all changes have been made to the rule and it is ready to be used, make sure the Enabled field is turned on (showing green) and then select Save.
  If you have additional changes to make, you can leave the rule disabled and still save changes by selecting the Save button.
- To return to the Separation Rules list, select the Separation Rules link shown at the top-left of the page, just below the title of the rule.
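The matching behaviour described in the Reminder can be modelled in a few lines. This is an added illustration, not the product's own code: the `SeparationRule` class, the function names and the sample identities are hypothetical, and it assumes that a disabled rule or a rule with no criteria flags nobody and that a user with no record in an application counts as not holding its privileges.

```python
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"  # a privilege left on the Reset dot is simply absent


@dataclass
class SeparationRule:
    name: str
    criteria: dict  # {application: {privilege: ALLOW | DENY}}
    enabled: bool = True


def matches(rule, entitlements):
    """True when every Allow/Deny criterion of the rule is met.

    entitlements: {application: set of privileges the user holds}.
    """
    # Assumption: disabled rules and rules with no criteria never match.
    if not rule.enabled or not any(rule.criteria.values()):
        return False
    for app, privileges in rule.criteria.items():
        held = entitlements.get(app, set())  # no record in the app = no privileges
        for privilege, setting in privileges.items():
            has_it = privilege in held
            if setting == ALLOW and not has_it:
                return False
            if setting == DENY and has_it:
                return False
    return True


def violations(rule, identities):
    """Users who would show up in a review for this rule."""
    return sorted(user for user, ent in identities.items() if matches(rule, ent))


# The rule from the Reminder: allow "privilege 55" in CARM,
# deny "Access Batch Interfaces" in CRIF.
RULE = SeparationRule(
    name="CARM 55 without CRIF batch access",
    criteria={"CARM": {"privilege 55": ALLOW},
              "CRIF": {"Access Batch Interfaces": DENY}},
)

# Constructed sample identities.
IDENTITIES = {
    "alice": {"CARM": {"privilege 55"}, "CRIF": set()},
    "bob": {"CARM": {"privilege 55"}, "CRIF": {"Access Batch Interfaces"}},
    "carol": {"CARM": {"privilege 12"}},
    "dave": {"CARM": {"privilege 55", "privilege 12"}},  # no CRIF record at all
}

if __name__ == "__main__":
    print(violations(RULE, IDENTITIES))
```

Each additional Allow or Deny narrows the set of matching users, so a rule that returns no one in a review may simply carry a criterion that no identity satisfies.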