Take Advantage of the Support for Multiple Rulesets in SAP Access Control 10

  • by Kehinde Eseyin, Security Architect
  • May 30, 2013
Learn how to use a business rule to influence the ruleset that is automatically applied to an access request based on defined attributes.
Key Concept
Request multiple ruleset is a function of SAP Access Control 10.0 that selects the appropriate ruleset for risk analysis based on conditions defined in a business rule. An example is an environment in which different rulesets are used for access risk analysis depending on request attributes such as location or business process. The capability enforces the use of the correct ruleset for risk analysis and removes the likelihood of human error in ruleset assignment.

SAP Access Control 10.0 gives users the flexibility to create and maintain multiple rulesets. A typical organization needs to manage multiple rulesets for reasons ranging from its business process control structure to the make-up of its organizational structure. SAP Access Control lets you choose from more than one ruleset when performing risk analysis automatically, and this capability is also supported in the access request management functionality.

More importantly, you can build Business Rule Framework plus (BRFplus) logic that defaults a specific ruleset into an access request once defined criteria are satisfied. This is the business case on which I focus. It eliminates the need for a manual update of the ruleset field and enforces that risk analysis is executed with the correct and appropriate ruleset, making the entire risk analysis process less error prone.

Figure 1 shows a representation of the business logic on which Request multiple ruleset is based. If an access request is created for a user against the business process BS_EAST and parameter 1071 (Enable risk analysis on form submission) is set to NO, then on form submission to the approver the ruleset field is autopopulated with RS_EAST and risk analysis is not performed automatically. Conversely, if another access request is created for a user against the business process BS_WEST and parameter 1071 is set to YES, then on form submission to the approver the ruleset field is autopopulated with RS_WEST and risk analysis is performed automatically. This is the simple use case of the business logic that I replicate in this article.
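To make the Figure 1 logic concrete, here is an added Python model of that decision table; it is illustration only, not BRFplus or SAP code, and the request dictionary shape, the table contents and the `needs_manual_ruleset` flag are assumptions of this example.

```python
# Added illustration (not SAP or BRFplus code): a minimal model of the business
# rule described above. Rule rows map a request attribute (business process) to
# the ruleset that is defaulted into the request; parameter 1071 decides whether
# risk analysis runs on form submission.

# Constructed decision table modelled on Figure 1: business process -> ruleset.
RULESET_BY_BUSINESS_PROCESS = {
    "BS_EAST": "RS_EAST",
    "BS_WEST": "RS_WEST",
}


def default_ruleset(request, decision_table=RULESET_BY_BUSINESS_PROCESS):
    """Return the ruleset the business rule defaults for this request, or None
    when no row of the decision table matches the request's business process."""
    return decision_table.get(request.get("business_process"))


def on_form_submission(request, param_1071, decision_table=RULESET_BY_BUSINESS_PROCESS):
    """Model what happens when the request is submitted to the approver.

    Returns the autopopulated ruleset (None if no rule matched), whether risk
    analysis was triggered by parameter 1071, and a flag (an assumption of this
    model) marking requests that still need a manual ruleset assignment.
    """
    ruleset = default_ruleset(request, decision_table)
    return {
        "ruleset": ruleset,
        "risk_analysis_performed": str(param_1071).upper() == "YES",
        "needs_manual_ruleset": ruleset is None,
    }


if __name__ == "__main__":
    # The two scenarios from Figure 1, plus a request no rule covers.
    for bp, p1071 in (("BS_EAST", "NO"), ("BS_WEST", "YES"), ("BS_NORTH", "YES")):
        print(bp, p1071, on_form_submission({"business_process": bp}, p1071))
```

A request whose business process matches no row is the case the manual field update used to cover; the flag makes it visible instead of silently leaving the ruleset empty.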


Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.