Access Risk Analysis

An access risk is one or more actions or permissions that, when available to a single user (or single role, profile, or HR object), create the potential for fraud or unintentional errors.

As part of business operations, you can define access risks that require additional control to ensure that your organization is operating appropriately. You can then monitor and control these risks to proactively prevent users from exploiting vulnerabilities to commit fraud or post unintentional errors.

Access Control enables you to specify the following types of access risks:

  • Segregation of Duties—This is defined as one individual having the ability to perform two or more conflicting functions to control a process from beginning to end without the involvement of others. For example, one person might be able to set up a vendor and process payments, or manipulate sales and customer invoices, to conceal kickbacks.

  • Critical Action—Certain functions are so critical in nature that anyone who has access needs to be identified and assessed to ensure the access is appropriate. This is different from segregation of duties risks in that the person only needs to have access to a single function. For example, the ability to configure a production system is considered a critical action regardless of any other access the person might have.

  • Critical Permission—Similar to a critical action, there are certain permissions (authorization objects) that are considered critical on their own. For example, having background job administration permissions might be considered critical by certain organizations.

After you have defined the risks, you can use the Access Risk Analysis section to generate reports that present different types of information, including access risks, conflicts, or the use of critical actions by user, role, profile, or HR object.

When you identify an access risk in a report, you can resolve or remediate the risk by either removing it or by applying a mitigating control. You can also use reports in the Access Risk Analysis section to view mitigated risks and risks that have not yet been remediated.
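The three risk types and the mitigated/open distinction can be illustrated with a small rule evaluation. This is an added example, not SAP Access Control code: the risk IDs, action and permission names, subjects, and the modeling of a segregation of duties risk as a list of functions (each a set of actions) are all constructed assumptions.

```python
# Added example: constructed rule set and assignments, not the product's data model.
SOD_RISKS = {  # risk id -> conflicting functions, each a set of actions
    "SOD-VENDOR-PAY": [{"create_vendor", "change_vendor"}, {"process_payment"}],
    "SOD-SALES-INV": [{"change_sales_order"}, {"change_customer_invoice"}],
}
CRITICAL_ACTIONS = {"CA-PROD-CONFIG": "configure_production_system"}
CRITICAL_PERMISSIONS = {"CP-JOB-ADMIN": "background_job_admin"}
# (subject, risk id) pairs that already have a mitigating control applied
MITIGATIONS = {("bob", "CA-PROD-CONFIG")}

ASSIGNMENTS = {  # subject (user, role, profile or HR object) -> access held
    "alice": {"actions": {"create_vendor", "process_payment"}, "permissions": set()},
    "bob": {"actions": {"configure_production_system"}, "permissions": set()},
    "carol": {"actions": {"process_payment"}, "permissions": {"background_job_admin"}},
    "dave": {"actions": {"change_vendor"}, "permissions": set()},
}

def analyze(subject, access):
    """Return sorted (risk_id, risk_type, status) findings for one subject."""
    actions, perms = access["actions"], access["permissions"]
    findings = []
    for risk_id, functions in SOD_RISKS.items():
        # A conflict needs at least one action from every function in the risk.
        if all(actions & function for function in functions):
            findings.append((risk_id, "Segregation of Duties"))
    for risk_id, action in CRITICAL_ACTIONS.items():
        # A single function is enough, regardless of other access.
        if action in actions:
            findings.append((risk_id, "Critical Action"))
    for risk_id, perm in CRITICAL_PERMISSIONS.items():
        if perm in perms:
            findings.append((risk_id, "Critical Permission"))
    return sorted(
        (rid, rtype, "mitigated" if (subject, rid) in MITIGATIONS else "open")
        for rid, rtype in findings
    )

def report(assignments):
    """Run the analysis for every subject and return findings keyed by subject."""
    return {subject: analyze(subject, access) for subject, access in assignments.items()}

if __name__ == "__main__":
    for subject, findings in report(ASSIGNMENTS).items():
        for rid, rtype, status in findings:
            print(f"{subject:6} {rid:16} {rtype:22} {status}")
```

Subjects holding only one side of a conflict, such as dave and carol here, produce no segregation of duties finding on their own, but a role that combines their actions does.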