User Risks by Rating

The User Risks by Rating report shows all the risks in the environment broken down by the risk rating defined in the rulebook. Within each rating, the risks are separated by utilization, that is, by how far the users with access to those risks have actually executed the associated transactions.

The graph shows four types of utilization and their associated risk levels:

  • Not Executed - A risk where the user has access to all business functions defined for that risk (one for a sensitive access risk and two or more for an SoD risk) but has not executed transactions from any of those functions.

  • Partially Executed - A risk where the user has access to all business functions associated with an SoD risk and has executed transaction codes associated with some, but not all, of the business functions.

  • Fully Executed - A risk where the user has access to all business functions associated with an SoD risk and has executed transaction codes from all of the business functions.

  • Sensitive Access - A sensitive access risk, which requires access to only one function, where the user has executed transaction codes associated with that function.

To see more details, you can select a section of the graph and navigate to the User Risk Level Details screen with the appropriate filters applied to match the selection.
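The four utilization types above can be expressed as a small classification routine. The following is an added example, not code from the product: the function names, data layout, sample risks, users and transaction codes are all constructed, and it assumes a business function counts as executed when the user has run at least one of its transaction codes.

```python
from collections import Counter

def classify_utilization(risk_functions, user_functions, executed_tcodes):
    """risk_functions maps function name -> set of tcodes. Returns a label or None."""
    if not risk_functions or not set(risk_functions) <= set(user_functions):
        return None  # user lacks at least one function, so the risk does not apply
    # Assumption: one executed tcode is enough to mark a function as executed.
    executed = [f for f, tcodes in risk_functions.items() if tcodes & executed_tcodes]
    if not executed:
        return "Not Executed"
    if len(risk_functions) == 1:
        return "Sensitive Access"  # single-function risk that has been exercised
    if len(executed) == len(risk_functions):
        return "Fully Executed"
    return "Partially Executed"

def summarize(risks, users):
    """Count (rating, utilization) pairs over all users, one bar segment per pair."""
    counts = Counter()
    for user in users.values():
        for risk in risks:
            label = classify_utilization(
                risk["functions"], user["functions"], user["executed"])
            if label:
                counts[(risk["rating"], label)] += 1
    return counts

# Constructed sample rulebook: one SoD risk (two functions), one sensitive access risk.
RISKS = [
    {"id": "R-SOD-01", "rating": "High",
     "functions": {"Maintain Vendors": {"FK01", "FK02"}, "Process Payments": {"F110"}}},
    {"id": "R-SA-01", "rating": "Critical",
     "functions": {"User Administration": {"SU01"}}},
]
ALL = {"Maintain Vendors", "Process Payments", "User Administration"}
# Constructed sample users: assigned functions and tcodes seen in usage data.
USERS = {
    "alice": {"functions": {"Maintain Vendors", "Process Payments"},
              "executed": {"FK01", "F110"}},
    "bob": {"functions": ALL, "executed": {"FK02", "SU01"}},
    "carol": {"functions": ALL, "executed": set()},
    "dave": {"functions": {"Maintain Vendors"}, "executed": {"FK01"}},
}

if __name__ == "__main__":
    for (rating, label), n in sorted(summarize(RISKS, USERS).items()):
        print(f"{rating:9} {label:19} {n}")
```

A user such as the constructed "dave", who holds only one of the two functions of the SoD risk, produces no entry at all, which is why the routine returns None rather than "Not Executed" in that case.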

Use Case

This summary-level report is often used by business owners or managers to see users who pose the most risk to the business. You can view and filter by the different levels of risk and see which users have that access. This can help determine if the users have access to the expected risks and if remediation is needed. If the reported users are not ones expected to have the risk, further remediation should occur. If remediation is not possible, mitigating controls can be assigned.