Skip to content

Reviewing Fiori What If Analysis Results

To view results, go to the What If Analysis page by selecting What If Analysis from the left navigation. Select a tab for the type of review you want to find, either User Simulations or Role Simulations.

User What If Results

User What If analysis results are listed in a table, including:

  • Actions - Options include View, Export, Rerun with Changes, and Rerun without Changes.
  • ID - What If Analysis identification number.
  • Status - Pending, completed, faulted.
  • User(s) - Usernames included in the simulation. For long lists, select to see all usernames.
  • % User Risk Mitigated - Percentage of identified user risks that are currently mitigated, expressed as the number of mitigated risks (green text) out of the total number of risks (red text). “Added by” indicates that the risks were added by the What If simulation. “Existed before” indicates that the risks already existed prior to adding in the What If conditions.
  • Rulebook - Rulebook used to run the simulation.
  • Completion Date - Date the simulation was completed.
  • Created Date - Date the simulation was created.
  • Created By - Email of the user who created the simulation.

For columns with a Filter icon , select the icon to filter that column. Use Clear Filters at the top right to clear all filters from your view.

Reviewing User Simulation Results at the Risk Level

When you locate your analysis in the Risk Analysis tab, select the View icon next to it to examine the simulation results on the What If Result – Risk Level page. This shows a listing of the risks produced by the simulation. Each row represents a single risk for a single user.

The Risk Level table includes:

  • Action - Select View to drill down to SAP role, profile, and authorization details.
  • Simulation Impact - Impact of the proposed changes, rated as Removed Risk, Existing Risk (unchanged by the proposed modifications), Existing Risk with Changes (if the risk was already present, but now there are fewer or more permissions with the proposed modifications), or New Risk (the simulation would introduce this user risk).
  • Username - The username associated with the risk; this field displays New User for a new user simulation.
  • Full Name - The full name associated with the user account.
  • Rulebook - Name of the rulebook applied to the simulation.
  • Risk Code - Risk’s identifying code.
  • Risk Name - Name of the risk.
  • Risk Rating - Severity of the risk to the business.
  • Mitigation Status - Mitigated, if the specified user risk has mitigations that are currently applied, Mitigations Available if mitigations are available that could be applied, or None Available if there are no available mitigating controls.
  • Mitigations - When the mitigation status is Mitigated, this field shows a delimited list of mitigating controls that have been applied to the risk.
  • Business Process - Process impacted by the risk.
  • Business Functions - A delimited list of the business function code(s) that create the risk.
  • Permission Hits Count - Number of permissions impacted by the proposed changes.
    • Added By counts the number of new permissions included in the proposed changes that were identified as contributing to the risk.
    • Existed Before counts the number of permissions that the user already had contributing to the risk before the proposed changes.
    • Removed After counts the number of permissions that would be eliminated by the proposed changes.

From the Risk Level page, you can view additional details for any identified risk by selecting the View icon in the Action column.

Role What If Results

To view Role What If results, go to the What If Analysis page by selecting What If Analysis from the left navigation. Select the Role Simulations tab.

Role What If analysis results are listed in a table, including:

  • Actions - Options include View, Export, Rerun with Changes, and Rerun without Changes.
  • ID - What If Analysis identification number.
  • Status - Pending, completed, faulted.
  • Type - Type of analysis. Options are Single Role or Composite Role.
  • Role Name - Role selected to simulate changes to.
  • % User Risk Mitigated - Percentage of identified risks that are currently mitigated, expressed as the number of mitigated risks (green text) out of the total number of risks (red text). “Added by” indicates that the risks were added by the What If simulation. “Existed before” indicates that the risks already existed prior to adding in the What If conditions.
  • Role Risk Count - Total number of inherent role risks identified, broken out by risks that existed before the simulated changes and those added by the simulated changes.
  • Name - Name of the What If analysis.
  • Rulebook - Rulebook applied in the simulation.
  • Completion Date - Date the simulation was completed
  • Created Date - Date the simulation was created.
  • Created By - Access Risk Management username of the user who created the simulation.

For columns with a Filter icon , select the icon to filter that column. Use Clear Filters at the top right to clear all filters from your view.

Reviewing Role What If Simulation Results at the Risk Level

When you locate your analysis in the Risk Analysis tab, select the View icon next to it to review the simulation results on the What If Result – Risk Level pages for both User Impacts” identified at the user level based on all assigned roles, and Role Impacts for inherent risks identified within either the single or composite role modified by the simulation, or for any single role changes that are part of one or more composite parent relationships.

Select the Role Impacts tab to see a listing of the inherent risks identified as part of the simulation.

Each row represents one inherent risk for one role. For example, if you have one risk defined in your rulebook, and you simulate changes to a single role that is not part of any composite role, there could be a maximum of one Role Impact row. If you have one risk defined in your rulebook, and you simulate changes to a single role that is part of two composite roles, there could be a maximum of two Role Impact rows.

The Risk Level Role Impacts table includes:

  • Actions - View details.
  • Simulation Impact - Existing, Existing risk with changes, or Removed Risk.
  • Role Name - Role selected to simulate changes to.
  • Rulebook - Rulebook applied in the simulation.
  • Risk Code - Code identifying this risk.
  • Risk Name - Name of the risk.
  • Risk Rating - Informational, low, medium, high, or critical.
  • Business Process - Code indicating the business process impacted by this risk.
  • Business Functions - A delimited list of the business function code(s) that create the risk.
  • Permission Hits Count - Number of permissions associated with a newly introduced risk added by the simulated changes, number of permissions associated with risks that existed before the simulated changes, and the number of permissions associated with a risk that would be removed by the simulated changes.
  • Role Location Name - Location of the role, if configured in Access Risk Management.
  • Role Description - Description of the role, either the default SAP description or custom descriptions, if configured in Access Risk Management.

From the Risk Level page, you can view additional details for any identified risk by selecting the View icon in the Action column.

To export a copy of these results, select Actions > Download. Find your report on the Activity History page > Data Exports tab. Select Actions > Download to download your report. The Action button is temporarily disabled while the export is in progress.

View details about this What If simulation by selecting Request Details above the table. Information includes the simulation’s properties, such as Role Name, What If request ID, What If created date, extract ID, extract created date, analysis ID, rulebook ID, rulebook name, number of new and existing user risks, number of removed user risks, number of new role risks, number of existing role risks, number of removed role risks and the roles that were added or removed in this analysis.

Note

The Request Details view allows you to quickly screenshot all of the simulation parameters, along with summary counts of the number of risks identified, which is useful for complying with audit evidence requests.

Applying Mitigations

You can apply mitigating controls to a user risk on the What If Result – Risk Level page. The system automatically identifies any mitigating control that has been mapped to the specific risk and will include the status Mitigations Available in the Mitigation Status column. Users with either Mitigating Control Administration or Mitigating Control Mapping permissions can use the Actions dropdown in the risk’s row to apply a control to the SAP user.

  1. In the Action column, select Actions > Apply Mitigation.
  2. In the Mitigations Available window, find a mitigation and select Actions > View Mitigation Details or Actions > Apply Mitigation.
  3. If you selected View Mitigation Details, review the details on the Mitigating Controls – Maintenance page.
  4. If you selected Apply Mitigation, add a comment in the Mitigation Note field. Optionally, you can set a date for the mitigation to expire. Select Submit.

Reviewing Risk Permission Details

The What If Result - Detail Level page shows entitlement and permission level details specific to the selected risk that either surfaced due to proposed changes, or existed prior to the simulation.

What If result detail page shows a table of completed simulations

This analysis includes the following data:

  • Change Type - Identifies whether permissions are associated with a risk being added, removed, or were preexisting, which is identified as No Change.
  • Business Function Code - Code indicating the impacted business functions.
  • Business Function Name - Name of the impacted business function.
  • Permission Group - This is the logical grouping of permissions. For SAP, these are generally transaction codes. They may also be Fiori apps. Groupings can be customized in your rulebook.
  • Auth Object - The SAP authorization object.
  • Field - The field of the SAP authorization object.
  • SAP Value From - The authorization FROM field value as assigned in SAP.
  • SAP Value To - The authorization TO field value as assigned in SAP.
  • Risk Value From - The authorization FROM field value as defined in the rulebook.
  • Risk Value To - The authorization TO field value as defined in the rulebook.

  • Role Name - Name of the role responsible for the permission risk line.

    Note

    If Parent Role is blank, this role is directly assigned to the user. If Parent Role is not blank, this role is inherited by the user from the composite parent.

  • Profile Name (User What If only) - The SAP profile associated with the single role.

    Note

    If role name is blank, this profile is directly assigned to the user, otherwise the profile name is inherited from the role.

  • Is Derived - Boolean indicating whether or not the role is derived from a parent role.

  • Parent Role - The parent for the single role, if applicable.

    Note

    Parent role is blank if a single role or profile is directly assigned to the user.

Select the Filter icon to filter the columns. Select Clear Filters at the top right to clear all filters from your view.

Select Request Details at the upper right to see the details about the request properties and generation. These include: role name, What If request ID, What If created time, extract ID, extract created date, analysis ID, rulebook ID, rulebook name, number of new user risks, number of existing user risks, number of removed user risks, number of new role risks, number of existing role risks, number of removed role risks, role name, and change type.

To return to the What If Analysis list from the Risk Level view, select the Back button at the upper right.

Note

Using the Back button above the table will retain any filters applied to the prior grid, while using the browser's back button will not.

Rerunning a What If Analysis

In the Actions dropdown for each analysis row on the What If Analysis page, as well as in the Actions dropdown above the What If Result - Risk Level and the What If Result - Detail Level page, there are two options for rerunning a What If analysis without having to reenter the parameters:

  • Rerun with changes – Displays a New Simulation window that is prepopulated with the same parameters as the analysis that was selected. You can adjust your parameters and run a new analysis.
  • Rerun without changes – Runs a new analysis with the same parameters.

Note

The Rerun without Changes option will automatically run the simulation against the same baseline Risk Analysis. If you want to use the most up-to-date analysis data, select Rerun with Changes and then select the most recent analysis.

For either option, any mitigations you have updated are included when you rerun the simulation.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.