Good day,
I would like to know the best way of going about a SOD review/SOD matrix. By default there's about 3555 permissions I need to review, and that's just for one group. I want to know what other people have been doing for this or the best way to get around this, as having 22 groups already would leave me with doing just around 78k worth of reviews.
I did this many years ago in a (very) large multinational company, in particular with SAP.
- I had a very well-defined matrix (employee org roles against application/roles/permissions), this is the base of all, for this you need app experts, department managers and HR. GRC had nothing to do there as these apps in my case at least operated in the accounting domain (for which I'm not an expert)
- no one could touch roles at apps unless we all agreed and that matrix was updated
- provisioning and deprovisioning of accounts followed that matrix (in our case it was initially done manually, then we automated it)
- we built a script that pulled the system accounts→roles assignments for every app and compared those against the matrix on the first step.
We later just purchased SAP GRC which did all this quicker and safer for SOX purposes.
eramba is now bringing automation so you will be able to run any script as many times as you want, that only works if you have the previous items well defined though.
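As an added illustration of the matrix-comparison script the reply describes (this is example code written for this thread, not the poster's script and not eramba's own tooling), the block below runs two checks over pulled account→role assignments: every assignment must be permitted by the employee's org role in the matrix, and no single account may hold a pair of application roles that the SOD rules forbid together. All role names, accounts and the HR feed are constructed sample data. Reviewing only the exceptions this produces is what shrinks a permission-by-permission review down to a manageable list.

```python
"""SOD review helper (added example): compare account->role pulls against a matrix."""
from collections import defaultdict
from itertools import combinations

# --- Constructed sample data; none of it comes from a real system ----------
# Org-role matrix: which application roles each employee org role may hold.
ORG_ROLE_MATRIX = {
    "ap_clerk": {"AP_INVOICE_ENTRY", "VENDOR_VIEW"},
    "ap_manager": {"AP_PAYMENT_RELEASE", "AP_INVOICE_VIEW", "VENDOR_VIEW"},
    "vendor_admin": {"VENDOR_MAINTAIN", "VENDOR_VIEW"},
}
# SOD rules: unordered pairs of application roles one person may not combine.
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
    frozenset({"VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"}),
    frozenset({"VENDOR_MAINTAIN", "AP_INVOICE_ENTRY"}),
}
# HR feed: account -> org role.
EMPLOYEES = {"alice": "ap_clerk", "bob": "ap_manager",
             "carol": "vendor_admin", "dave": "ap_clerk"}
# Assignments pulled from the applications: (app, account, application role).
ASSIGNMENTS = [
    ("erp", "alice", "AP_INVOICE_ENTRY"),
    ("erp", "alice", "VENDOR_VIEW"),
    ("erp", "bob", "AP_PAYMENT_RELEASE"),
    ("erp", "bob", "AP_INVOICE_ENTRY"),        # can both enter and release payments
    ("erp", "carol", "VENDOR_MAINTAIN"),
    ("erp", "dave", "VENDOR_MAINTAIN"),        # outside ap_clerk's allowed set
    ("vendor_portal", "erin", "VENDOR_VIEW"),  # no HR record: orphan account
]


def roles_by_account(assignments):
    """Group the pulled assignments into account -> {role: {apps}}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for app, account, role in assignments:
        grouped[account][role].add(app)
    return grouped


def find_matrix_deviations(assignments, employees, matrix):
    """Roles an account holds that its org role does not permit, plus orphans."""
    findings = []
    for app, account, role in assignments:
        org_role = employees.get(account)
        if org_role is None:
            findings.append((app, account, role, "no employee record"))
        elif role not in matrix.get(org_role, set()):
            findings.append((app, account, role, f"not permitted for {org_role}"))
    return sorted(findings)


def find_sod_conflicts(assignments, conflicts):
    """Accounts holding a pair of roles the SOD rules forbid together (across apps)."""
    findings = []
    for account, roles in roles_by_account(assignments).items():
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset({role_a, role_b}) in conflicts:
                apps = sorted(roles[role_a] | roles[role_b])
                findings.append((account, role_a, role_b, tuple(apps)))
    return sorted(findings)


def review(assignments=ASSIGNMENTS, employees=EMPLOYEES,
           matrix=ORG_ROLE_MATRIX, conflicts=SOD_CONFLICTS):
    """Run both checks; only the exceptions need a human reviewer's attention."""
    return {
        "deviations": find_matrix_deviations(assignments, employees, matrix),
        "conflicts": find_sod_conflicts(assignments, conflicts),
    }


if __name__ == "__main__":
    for kind, rows in review().items():
        print(f"{kind}: {len(rows)}")
        for row in rows:
            print("  ", row)
```

On the constructed data this reports three matrix deviations (bob's extra entry role, dave's vendor-maintenance role, and erin's orphan account) and one SOD conflict (bob combining invoice entry with payment release). Re-running it after every pull is what the reply's "compare against the matrix on the first step" amounts to; the matrix and the conflict pairs are the part that has to be agreed with the app experts and managers first.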