
Using Organizational Rules

 

The Organization Rule functionality eliminates false positives based on organizational level restrictions. Use this functionality for exception-based reporting only.

Before implementation, companies should analyze whether their situation warrants the use of organizational rules, and should not institute organizational rules until the remediation phase of their project.

It is only after identifying a possible organizational rule scenario that you should create the organization rules.

Recommendation

Use the organization level rules exclusively for exception-based reporting to remove false positive conflicts that result from organization level segregation.

Using organizational rules to group users into reports by organizational level, in order to distribute SoD reports to various management levels, is not recommended.


Due to the sizable performance impact that organization level rules can have, use them for only those situations in which the company has made a conscious decision to segregate via organization levels.

Example

A customer has a shared service center that allows a team member to process vendor invoices and create Accounts Payable (AP) payments. In many cases, this action might be a high-risk conflict. However, the shared services center also segregated its team members so that the same individual cannot process the invoice and make the payments within the same organizational level.


Procedure

How to use organization rules:

  1. Have the Risk Analysis and Remediation administrator schedule the Org User Mapping Background Job to run periodically.

    Consider running this job once a week to ensure that any changes to user organizational levels, for roles assigned in the back end, are accurately reflected in the front end.

  2. To identify which risk is mitigated, segregate the organizational levels.

  3. Navigate to Rule Architect > Functions > Search.

    1. Enter the first function that needs an organizational rule and choose Search.

    2. Highlight the function and select Change History.

    3. Select the Permissions tab. Enable the Organization Level field and the Activity field.

  4. Return to the Rule Architect tab, expand the Organization Rules menu, and choose Create.

    You can use a naming convention to identify which organization rule ID to enter in the risk analysis selection.

    Enter the Risk ID that is relevant to this organizational rule and the corresponding organizational levels from the preceding step.

  5. Navigate to Informer > Risk Analysis > Organizational Level.

    1. In the Analysis Type dropdown list, choose Organizational Rule.

    2. Enter the organization rules and user IDs that you want to analyze.

    3. Execute the report.

    Note

    If you define a field with a $ value, the system replaces the value with the one in the corresponding Organizational Rule.

    If the system cannot find the value in the Organizational Rule, it uses the original value.

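The shared service center scenario and the $ value substitution from the note, as an added illustration that is not SAP code or part of the original documentation. It is a simplified Python model: the risk ID, function names, organization rule IDs, users and company codes are constructed, BUKRS and ACTVT stand in for the Organization Level and Activity fields, and an unresolved $ value is compared as a literal (an assumption of this model).

```python
# Constructed data, simplified model; BUKRS = company code, ACTVT = activity.
FUNCTIONS = {
    "PROCESS_INVOICE": {"BUKRS": "$BUKRS", "ACTVT": "01"},
    "AP_PAYMENT": {"BUKRS": "$BUKRS", "ACTVT": "01"},
}
RISK = {"id": "RISK_AP01", "functions": ["PROCESS_INVOICE", "AP_PAYMENT"]}
ORG_RULES = {
    "ORG_CC1000": {"risk": "RISK_AP01", "levels": {"BUKRS": "1000"}},
    "ORG_CC2000": {"risk": "RISK_AP01", "levels": {"BUKRS": "2000"}},
}
# user -> list of (function, field values granted through assigned roles)
USERS = {
    "ALICE": [("PROCESS_INVOICE", {"BUKRS": "1000", "ACTVT": "01"}),
              ("AP_PAYMENT", {"BUKRS": "2000", "ACTVT": "01"})],
    "BOB": [("PROCESS_INVOICE", {"BUKRS": "1000", "ACTVT": "01"}),
            ("AP_PAYMENT", {"BUKRS": "1000", "ACTVT": "01"})],
}

def resolve(value, levels):
    """Replace a $ value with the org rule's value; else keep the original."""
    if value.startswith("$") and value[1:] in levels:
        return levels[value[1:]]
    return value

def plain_conflict(user):
    """Risk analysis without org rules: holding both functions is a conflict."""
    held = {fn for fn, _ in USERS[user]}
    return all(fn in held for fn in RISK["functions"])

def org_conflict(user, rule_id):
    """Conflict only if every function is held at the rule's org level."""
    rule = ORG_RULES[rule_id]
    if rule["risk"] != RISK["id"]:
        return False
    for fn in RISK["functions"]:
        needed = {f: resolve(v, rule["levels"]) for f, v in FUNCTIONS[fn].items()}
        if not any(g_fn == fn and all(g.get(f) == v for f, v in needed.items())
                   for g_fn, g in USERS[user]):
            return False
    return True

def report():
    """Users flagged by the plain analysis and by each organization rule."""
    return {
        "plain": sorted(u for u in USERS if plain_conflict(u)),
        **{r: sorted(u for u in USERS if org_conflict(u, r)) for r in ORG_RULES},
    }

if __name__ == "__main__": print(report())
```

ALICE is flagged by the plain analysis but by neither organization rule, which is the false positive the organization rules are meant to remove; BOB holds both functions in the same company code and stays flagged.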

More Information

Function Mass Maintenance