Using variables in SoD checking

Imagine a scenario where you have AD controlling access to hundreds (this is the key word here) of applications, meaning that a single AD group actually represents an entitlement in a specific application.

Let's say that my current rules are doing checks between two AD groups based on their extended properties, which describe the "type" or "purpose" of the group, like this:

Sub rule 1:

An AD Group that meets the following conditions:

  • Has Extended property that equals "Development"

Sub rule 2:

An AD group that meets the following conditions:

  • Has Extended property that equals "Change Management"

Now these extended properties are not system specific, which causes false SoD violations, as having a group for "Development" in application X and a group for "Change Management" in application Y is not really an SoD. To reduce these false SoDs I would like to make the rule system specific.

I would have the option to automate a deployment that would make a variant of each rule for every system. But if I have 100 SoD rules and 500 applications that I want to check SoD against, this would generate 50,000 SoD rules. Not a nice option.

Is there a way of making SoD rules check that a certain value is the same between sub rule 1 and sub rule 2, so that I could use a single rule to achieve this? As an example, let's say that these applications are also modeled as extended properties and linked to the groups. Something like:

Sub rule 1:

An AD Group that meets the following conditions:

  • Has Extended property "Development"

AND

  • Has Extended property @application

Sub rule 2:

An AD group that meets the following conditions:

  • Has Extended property "Change Management"

AND

  • Has Extended property @application

So this would only cause a violation if both groups have the same value for the extended property @application (not caring what the actual value is, as long as it is the same in both groups) and one group also has "Development" and the other "Change Management".
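To make the requested semantics concrete, here is an added example (not code from the original post, and not a feature of any IAM product) that evaluates the rule from the question outside the product: two sub-rules with literal property constraints, plus a "bind" list of properties whose values must be equal across the two matched groups, which is what the @application placeholder stands for. The group names, the "Purpose"/"Application" property names, the memberships and the rule set are all constructed for the example. It also shows the edge cases a practitioner would want handled: a group with no application tag never binds (so it cannot produce a spurious match), and running the same rule with an empty bind list reproduces the cross-application false positives the question complains about.

```python
"""Application-scoped SoD evaluation with a value bound across sub-rules.

Added example, not from the original post or any IAM product. All names
and data below are constructed for illustration.
"""
from itertools import product

# Constructed sample data: AD group -> extended properties.
# "Purpose" is the non-system-specific property the original rules key on;
# "Application" is the hypothetical per-group tag that scopes the check.
GROUPS = {
    "APPX-DEV":  {"Purpose": "Development",       "Application": "X"},
    "APPX-CM":   {"Purpose": "Change Management", "Application": "X"},
    "APPY-DEV":  {"Purpose": "Development",       "Application": "Y"},
    "APPY-CM":   {"Purpose": "Change Management", "Application": "Y"},
    "LEGACY-CM": {"Purpose": "Change Management"},   # no Application tag
}

# Constructed memberships: identity -> AD groups held.
MEMBERSHIPS = {
    "alice": {"APPX-DEV", "APPY-CM"},                         # different apps
    "bob":   {"APPX-DEV", "APPX-CM"},                         # same app
    "carol": {"APPY-DEV", "LEGACY-CM"},                       # untagged group
    "dave":  {"APPX-DEV", "APPX-CM", "APPY-DEV", "APPY-CM"},  # two conflicts
}

# One rule covers every application: sub1/sub2 are literal constraints,
# "bind" lists the properties that must carry the same value in both groups
# (the "@application" variable from the question).
RULES = [
    {
        "name": "Dev vs Change Management (per application)",
        "sub1": {"Purpose": "Development"},
        "sub2": {"Purpose": "Change Management"},
        "bind": ("Application",),
    },
]


def matches(props, literal):
    """True when every literal key=value constraint holds for the group."""
    return all(props.get(k) == v for k, v in literal.items())


def evaluate(identity, memberships, groups, rule):
    """Return sorted (group1, group2, bound_values) triples violating `rule`."""
    mine = memberships.get(identity, set())
    side1 = [g for g in mine if matches(groups[g], rule["sub1"])]
    side2 = [g for g in mine if matches(groups[g], rule["sub2"])]
    found = []
    for g1, g2 in product(side1, side2):
        if g1 == g2:
            continue
        p1, p2 = groups[g1], groups[g2]
        bound, ok = [], True
        for key in rule["bind"]:
            v1, v2 = p1.get(key), p2.get(key)
            # A missing tag never binds: treat it as a data-quality gap to
            # report separately, not as a match with "any" application.
            if v1 is None or v2 is None or v1 != v2:
                ok = False
                break
            bound.append((key, v1))
        if ok:
            found.append((g1, g2, tuple(bound)))
    return sorted(found)


def run(rules=RULES, memberships=MEMBERSHIPS, groups=GROUPS):
    """Evaluate every rule for every identity; identities without hits are omitted."""
    report = {}
    for identity in sorted(memberships):
        hits = [(rule["name"], g1, g2, bound)
                for rule in rules
                for g1, g2, bound in evaluate(identity, memberships, groups, rule)]
        if hits:
            report[identity] = hits
    return report


if __name__ == "__main__":
    for who, hits in run().items():
        for name, g1, g2, bound in hits:
            print(f"{who}: {name}: {g1} + {g2} {dict(bound)}")
```

With the binding in place only bob and dave are flagged; alice (Development in X, Change Management in Y) and carol (conflicting group carries no application tag) are not. Dropping the bind list, i.e. evaluating the unscoped rule the question starts with, flags alice as well, which is exactly the false positive the poster wants to eliminate without multiplying rules per application.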

  • You cannot use any variables in the rule definitions, not even in the property range check, as far as I know.

    But maybe I have a proposal to reduce the number of rules, depending on some criteria I want to check with you first.

    a) If you would have something like one SoD rule that covers every application, are the exception approvers always the same people?

    b) When you talk about 100 SoD rules per system, are these different combinations of extended properties, and if so, can you reduce the amount by saying you are not allowed to have more than one inside one application?
