
Exporting What If Analysis Results

To download an analysis as a .csv file, locate the analysis you want and select Actions > Download.

Note

What If results downloads are only available in a .csv format.

Understanding a What If Analysis CSV file

A What If Analysis .csv file includes parameters, which carry metadata about the simulation, and results, which contain one row per risk, entitlement, or permission that was added, removed, or preexisting.

Parameters include:

  • Simulation ID - Identifier for the What If simulation.
  • Customer ID - Access Risk Management Customer identifier.
  • Total Users - Total number of users included in the simulation.
  • System ID - Access Risk Management ERP system identifier.
  • Rulebook - Name of the rulebook(s) used in the What If simulation.
  • Extract ID - Identifier for the security extract used in the What If simulation.
  • Extract Date UTC - UTC timestamp for when the security extract was generated.
  • Analysis ID - Identifier for the analysis used to produce the What If simulation.
  • Baseline Analysis Date UTC - UTC timestamp for when the analysis used to produce the What If simulation was run.
  • Created UTC - UTC timestamp for when the What If simulation was created.
  • Requested By - User who requested the What If simulation.
  • Completed UTC - UTC timestamp for when the What If simulation was completed.

Results include:

  • Simulation ID - Identifier for the What If simulation
  • User - ERP User ID
  • Full Name - User’s full name
  • Role Added or Removed - Role that was added or removed in the What If simulation granting the permission.
  • Change Type - Indicates whether the permission was Added, Removed, or already part of the simulated user’s pre-existing access (NoChange).
  • Impact - Used in combination with the Change Type column to determine the risk impact:

    • Existing Risk with Changes is a risk the user already had access to, but which the changes have either worsened or lessened.

      Examples:

      • Change type of Added with an impact of Existing Risk with Changes indicates the user had sufficient access prior to the changes, but the permission on this row would grant further conflicting access to the risk.
      • Change type of Removed with an impact of Existing Risk with Changes indicates the user would lose access to the permission after the changes, but would continue to have sufficient access to execute the functions associated with the risk.
      • Change type of No Change with an impact of Existing Risk with Changes indicates the user had, and would continue to have, access to the permission after the changes, but there were changes to other permissions associated with the risk. The remaining permissions would need to be removed to fully eliminate the risk.
        • For remediation projects, filtering on rows with this combination allows you to identify the remaining permissions that would need to be removed to fully eliminate the risk.
    • New Risk is a risk that the user did not have previously, but would be introduced by the proposed changes.
    • Removed Risk is a risk that the user had previously, but would be eliminated by the proposed changes.
  • Risk Name – Full name of the risk.
  • Risk Code – Short code identifying the risk.
  • Rating – Risk rating, such as informational, low, medium, high, or critical.
  • Business Process – Affected business process that the risk belongs to.
  • Function Name – Full name of the business function.
  • Function Code – Short code identifying the business function.
  • Logic Group – A logical grouping of permissions within a business function. Depending on how you set the permission logic for the business function, logic groups determine whether you have access to the business function. Traditionally for SAP this would be a transaction code, but now that Access Risk Management supports Fiori, logic groups can also be Fiori applications.
  • Auth Object - Authorization object name.
  • Field – Authorization field name.
  • SAP Value From – Authorization field FROM value, assigned by the SAP authorization.
  • SAP Value To – Authorization field TO value, assigned by the SAP authorization.
  • Risk Value From - Authorization field FROM value, as written in the Access Risk Management rulebook permission.
  • Risk Value To - Authorization field TO value, as written in the Access Risk Management rulebook permission.
  • SAP Profile – The profile granting the permission.
  • Derived? – Boolean column to identify derived child roles.
  • Parent Role – For derived roles, this is the parent role; for single roles inherited from a composite role, this is the composite parent.
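
The Change Type and Impact filtering described above, as an added example (not SailPoint code): it reads results rows and separates risks the change would introduce from permissions that would keep an existing risk alive after the change. The sample rows are constructed, and the layout is an assumption: a results section with a header row using the column names listed above (a subset is shown); the parameters block is not parsed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: results rows only, header names taken from the column
# list above (assumed layout, subset of columns, values are illustrative).
SAMPLE = """\
Simulation ID,User,Role Added or Removed,Change Type,Impact,Risk Code,Rating,Logic Group,Auth Object
sim-001,JDOE,Z_AP_CLERK,Added,New Risk,R001,High,FB60,F_BKPF_BUK
sim-001,JDOE,Z_AP_CLERK,Added,New Risk,R001,High,FB60,F_BKPF_KOA
sim-001,JDOE,,NoChange,Existing Risk with Changes,R002,Critical,ME21N,M_BEST_BSA
sim-001,JDOE,Z_BUYER,Removed,Existing Risk with Changes,R002,Critical,ME22N,M_BEST_BSA
sim-001,ASMITH,Z_GL_POST,Removed,Removed Risk,R003,Medium,FB50,F_BKPF_BUK
sim-001,ASMITH,,No Change,Existing Risk with Changes,R004,Low,XK01,F_LFA1_APP
"""


def _norm(value):
    """Lower-case and drop whitespace so 'NoChange' and 'No Change' match."""
    return "".join(value.split()).lower()


def triage(csv_text):
    """Return (new_risks, residual) from What If results rows.

    new_risks: {user: {risk codes}} the proposed change would introduce.
    residual:  {(user, risk code): [logic groups]} for rows that are
               NoChange + Existing Risk with Changes, i.e. access that
               still has to be removed to eliminate the risk.
    """
    new_risks = defaultdict(set)
    residual = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        change, impact = _norm(row["Change Type"]), _norm(row["Impact"])
        if impact == "newrisk":
            # One row per permission, so the same risk repeats: dedupe.
            new_risks[row["User"]].add(row["Risk Code"])
        elif impact == "existingriskwithchanges" and change == "nochange":
            residual[(row["User"], row["Risk Code"])].append(row["Logic Group"])
    return dict(new_risks), dict(residual)


if __name__ == "__main__":
    new, left = triage(SAMPLE)
    print("New risks per user:", new)
    print("Permissions still granting an existing risk:", left)
```
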
