Hi All,
I have a risk analysis scenario as described below.
User has selected 3 composite roles in the request.
Role owner performed risk analysis.
Risk analysis report has High level risks and Medium level risks.
When I drill down into the report, the risks are between
First Composite Role - Child Role 1 with
Second Composite Role - Child Role 2
Apart from that everything is fine.
Now if the role owner wants to reject the role causing risks, he has to reject the entire composite role rather than the single roles within it.
As per role design this is fine. But from a risk analysis point of view, rejecting a composite role with 20 other roles just for this one role which has risks is not justifiable.
Has anyone come across this kind of scenario?
Any good practices while creating SOD rules with Composite role design?
Please share your views.
Regards,
Sai.