SOD Conflict Analysis

This template was designed to report on users whose authorizations either completely or partially meet the selection criteria for one or more Segregation of Duty conflicts. The template uses an External Data Source named SOD Conflicts that provides transaction/authorization combinations, or Conflict Sets. Each set exclusively represents a separate Segregation of Duty conflict. The workflow also contains a parameter named Sample SOD Conflict Sets which is not used, but provides an example of how to specify SOD conflicts that use transaction codes and authorizations.

The workflow indicates whether each object in a Conflict Set has been used according to the available performance history data. Used objects are obtained from the AppStats External Data Source, which must be populated beforehand by running either the ‘Native - Get Perf Data’ or ‘XDS - Get Perf Data’ workflow in the Upgrade package.

The workflow generates an Excel report which contains the following worksheets:

Conflict Set Selections

This worksheet contains the Conflict Sets stored in the SOD Conflicts External Data Source.

Column Description
CONFLICT The name of a Segregation of Duty Conflict Set.
OBJECT Authorization object name.
FIELD Authorization field name.
VALUE Authorization value.

Summary Totals

This worksheet provides a summary for roles and users, listing the total number of roles and users, the number of roles and users with potential Segregation of Duty conflicts, and the number of roles and users with actual Segregation of Duty conflicts. Actual Segregation of Duty conflicts occur when a user or role meets all the selection criteria for a Segregation of Duty Conflict Set.

Column Description
SUMMARY The name of the summary.
TOTAL The total for the summary.

Potential Conflicts

This worksheet provides details of any potential Segregation of Duty conflicts.

Column Description
CONFLICT The name of a Segregation of Duty Conflict Set.
USER SAP user name.
ROLE SAP role name.
PROFILE SAP profile name.
OBJECT Authorization object name.
FIELD Authorization field name.
VON Authorization value.
USTYP User type.
POTENTIAL This column is set to ‘Y’ if the user’s role meets PARTIAL selection criteria for the Segregation of Duty Conflict Set.
COMPLETE This column is set to ‘Y’ if the user’s role meets ALL the selection criteria for the Segregation of Duty Conflict Set.
USED This column is set to ‘Y’ if the object in the VON (authorization value) column was used according to the available performance history data.

Creating RFC Destinations

Before you begin, you will need to create an RFC Destination for the SAP system you wish to analyze.

Select the RFC Destination in the LiveCompare hierarchy, and click the PHD tab. Enter a value (n) in the ‘Keep this many months of data:’ field, and click ‘Update Data’ to download the most recent <n> months of performance history data. You may also specify a schedule so that the available performance history data is downloaded at regular intervals. See the Retrieving Performance History Data help topic for details.

Preparing the Workflow

To prepare the SOD Conflict Analysis workflow, drag its workflow template from the Templates folder into your own workspace, and modify the workflow as follows:

To specify the system to analyze:

  1. Select the System 1 parameter and choose ‘Edit RFC Destination’ from its context menu to display the RFC Destination dialog.

  2. Select the RFC Destination for the system to analyze, then click ‘Save’.

Save the workflow using the ‘Save’ toolbar button.

Running the Workflow

To run the SOD Conflict Analysis workflow, click the ‘Run’ toolbar button, choose ‘Run Now’ from the diagram’s context menu, or press F5. The currently running workflow action is marked with an animated display. When the workflow execution has completed, select the Report URL dataset and choose ‘View Details’ from the context menu to access the generated report. The results are obtained by matching the lists of Users, Roles and Authorizations collected by the called workflows Users for Selected Authorizations and Users for Selected Transactions with the Conflict Sets obtained from the External Data Source.

Additional Information

You can define your own Segregation of Duty conflicts by either replacing the ‘SOD Conflicts’ External Data Source, or by specifying the Segregation of Duty conflicts in a Table parameter, and using that in place of the External Data Source. The following is an example conflict table containing two exclusive Segregation of Duty conflicts.

CONFLICT OBJECT FIELD VALUE
CF000001 S_TCODE TCD SE38
CF000001 S_DEVELOP ACTVT 01
CF000001 S_DEVELOP OBJTYPE *
CF000001 S_PROGRAM P_ACTION SUBMIT
CF000001 S_PROGRAM P_ACTION VARIANT
CF000002 S_TCODE TCD SM30
CF000002 S_DEVELOP ACTVT *
CF000002 S_DEVELOP OBJTYPE PROG

Note: These do not represent actual conflicts. They are for demonstration purposes only.

  • To completely satisfy the selection criteria for Conflict Set CF000001, a user must have a role with the authorization for transaction SE38 and the exact values (or ‘*’) listed for OBJECTs S_DEVELOP and S_PROGRAM.

  • To completely satisfy the selection criteria for Conflict Set CF000002, a user must have a role with the authorization for transaction SM30 and the exact values (or ‘*’) listed for the OBJECT S_DEVELOP.

  • The same user may meet the selection criteria for one or more Segregation of Duty Conflict Sets.
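
The following Python sketch is an added example, not LiveCompare's own code; it applies the complete/partial matching described above to the example conflict table. The user and role names are constructed sample data, and two points are assumptions: a criterion counts as met when the role holds the exact value or ‘*’, and POTENTIAL is set only for partial matches.

```python
from collections import defaultdict

# Conflict table from the example above: (CONFLICT, OBJECT, FIELD, VALUE).
CONFLICTS = [
    ("CF000001", "S_TCODE", "TCD", "SE38"),
    ("CF000001", "S_DEVELOP", "ACTVT", "01"),
    ("CF000001", "S_DEVELOP", "OBJTYPE", "*"),
    ("CF000001", "S_PROGRAM", "P_ACTION", "SUBMIT"),
    ("CF000001", "S_PROGRAM", "P_ACTION", "VARIANT"),
    ("CF000002", "S_TCODE", "TCD", "SM30"),
    ("CF000002", "S_DEVELOP", "ACTVT", "*"),
    ("CF000002", "S_DEVELOP", "OBJTYPE", "PROG"),
]
# Constructed sample authorizations: (USER, ROLE, OBJECT, FIELD, VON).
AUTHS = [
    ("ALICE", "Z_DEV", "S_TCODE", "TCD", "SE38"),
    ("ALICE", "Z_DEV", "S_DEVELOP", "ACTVT", "*"),
    ("ALICE", "Z_DEV", "S_DEVELOP", "OBJTYPE", "*"),
    ("ALICE", "Z_DEV", "S_PROGRAM", "P_ACTION", "*"),
    ("BOB", "Z_TABLE", "S_TCODE", "TCD", "SM30"),
    ("BOB", "Z_TABLE", "S_DEVELOP", "OBJTYPE", "PROG"),
    ("CAROL", "Z_DISPLAY", "S_TCODE", "TCD", "SM04"),
]

def analyze(conflicts, auths):
    """Return one row per (user, role, conflict set) with at least one criterion met."""
    sets = defaultdict(list)
    for conflict, obj, field, value in conflicts:
        sets[conflict].append((obj, field, value))
    held = defaultdict(lambda: defaultdict(set))  # (user, role) -> (obj, field) -> values
    for user, role, obj, field, von in auths:
        held[(user, role)][(obj, field)].add(von)
    rows = []
    for (user, role), grants in sorted(held.items()):
        for conflict, criteria in sorted(sets.items()):
            # Assumption: a criterion is met by the exact value or by a held '*'.
            met = sum(
                bool(grants.get((obj, field), set()) & {value, "*"})
                for obj, field, value in criteria
            )
            if met:
                complete = met == len(criteria)
                rows.append({"CONFLICT": conflict, "USER": user, "ROLE": role,
                             "POTENTIAL": "" if complete else "Y",
                             "COMPLETE": "Y" if complete else ""})
    return rows

if __name__ == "__main__":
    for row in analyze(CONFLICTS, AUTHS):
        print(row)
```

With this sample data, ALICE's role fully satisfies CF000001 and partially satisfies CF000002, BOB's role partially satisfies CF000002 (no S_DEVELOP ACTVT authorization), and CAROL's role matches nothing.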