Show TOC

Function documentationOrganization Rules Locate this document in the navigation structure


The organization rules functionality provides an additional filter for your segregation of duties (SoD) reports. Organization rules are used to eliminate false positive risks in your access risk analysis reports. Use this functionality for exception-based reporting only.

Prior to implementation, companies should do analysis to ensure that their situation warrants the use of organization rules. You should not institute organization rules until the remediation phase of your project. It is only after identifying a possible organizational rule scenario that you should create organization rules.

Caution Caution

If you create organizational rules incorrectly, you could potentially filter out too much. By filtering out too much, you cannot identify possible control concerns with your access. From a control perspective, it is much better to over-report (causing false positives) rather than under-report (causing false negatives).

End of the caution.

Recommendation Recommendation

Use organization rules exclusively for exception-based reporting to remove false positive conflicts that result from organization-level segregation.

Do not use organization rules for grouping users into reports by organizational level for the purpose of distributing SoD reports to various management levels.

Due to the sizable performance impact that organization rules can have, use them only those in situations where the company has made a conscious decision to segregate via organization levels.

End of the recommendation.

Example Example

A customer has a shared service center that allows a team member to process vendor invoices and create accounts payable (AP) payments. In many cases, this action might be a high-risk conflict. However, the shared services center also segregated its team members so that the same individual cannot process the invoice and make the payments within the same organizational level.

End of the example.