
Using WhatIf Analysis

A WhatIf Analysis simulates which segregation of duties (SoD) conflicts will occur if you give permissions to, or remove them from, users, roles, or composite roles. For example, you may use the User WhatIf analysis to determine whether assigning multiple roles will cause SoD violations or whether removing a role will eliminate them. This provides greater insight for decision makers and audit evidence for access requests.

There are three types of WhatIf analyses:

  • User

  • Single role

  • Composite role

User WhatIf Analysis

A WhatIf analysis for a user identifies any SoD conflicts that may arise from assigning the user one or more roles so you can understand the impact of role assignment changes. A user WhatIf analysis is automatically generated when creating a provisioning request through IdentityNow or IdentityIQ.

Single Role WhatIf Analysis

A WhatIf analysis for a single role simulates the effect of adding or removing transaction codes and authorization objects from a role. This helps with understanding how a change in transaction code assignments to a role can affect SoD conflicts. Many organizations use this as part of their change management processes to gain risk insight early in the role change process.

Composite Role WhatIf Analysis

A WhatIf analysis for a composite role is similar to the WhatIf analysis for a single role except this analysis shows the impact of changing the single roles in an existing composite role. If composite roles are a significant part of your role design, we recommend you include this simulation in your role management and change management processes as well.

Scheduling a WhatIf Analysis

To see the results of the simulations of different actions taken on users, single roles, and composite roles, you will need to set up and schedule an analysis.

Scheduling a User WhatIf Analysis

You can schedule a WhatIf analysis for one or more users to simulate the SoD conflicts that could occur based on a specific role assignment.

You can select the rulebook(s), users, and roles when you schedule the analysis:

  1. Select WHAT IF ANALYSIS from the left menu and choose USER.

  2. Name the analysis.

  3. Select the field under Rulebooks and choose the rulebook(s) you want included in this analysis.

  4. Use the Security extract dropdown menu to choose the security tables to use in the analysis, based on the date they were pulled. This defaults to the most recent extract.

  5. Use the Role SAP System dropdown menu to select the environment to run the analysis in. This defaults to the same system you are currently working in and shows how roles from other connected systems will give access to users. This is commonly used when creating a new role in a non-production system to test the access the user will have in the production environment.

  6. Use the Role Security Extract dropdown menu to choose the security extract to select roles from based on the date they were pulled from SAP. This defaults to the most recent extract.

  7. Under Users Selection, you can choose to simulate a new user or add one or more users to the simulation.

  8. To simulate a new user without any roles associated, select the checkbox next to Simulate New User.

  9. To add existing users, select + Add Users to see the Users Selection window.

Here you can:

  • Filter users by username, full name, user group, and user type.

  • Search for users.

  • Add all users by selecting Add All +.

  • Specify the user(s) you want to include by selecting the + next to each username.

  • Add users by entering a comma- or line-separated list of UserIDs and selecting + Add.

When you have finished your user selection, select X to close the window.

  10. Use the Roles Selection section to specify the role changes to simulate by removing existing roles and/or adding new roles to the users you've selected.

    • Remove Existing Roles - Select what roles to remove from the selected users.

    • Add Roles - Select what roles to give the selected users.

    Important

    You must select users before you can assign or remove roles. If you add or remove a user after selecting roles, all roles will be cleared.

    To remove roles, select Clear to remove all selected roles or use the Delete icon to remove individual roles.

  11. When you're ready to run the analysis, select Schedule. The Activity History page displays the analysis for you to view or download. See how to review the user results.

Scheduling a Single Role WhatIf Analysis

You can schedule a WhatIf analysis for a single role to simulate the SoD conflicts that could occur based on the transaction code and/or authorization object assignments to a role.

To generate a report on the impact of adding transaction codes and authorization object assignments:

  1. Select WHAT IF ANALYSIS and choose SINGLE ROLE.

  2. Enter a name for your analysis or keep the generated one.

  3. Use the Security extract dropdown menu to choose the security tables to use in the analysis, based on the date they were pulled. This defaults to the most recent extract.

  4. Select the field under Rulebooks and choose the rulebook(s) you want included in this analysis.

  5. Use the dropdown menu under SAP Role to select the SAP role you want to simulate by adding new TCodes and objects.

  6. Select + Add TCode and choose a transaction code from the dropdown menu. This will automatically fill in the object, field, and value/range. You can delete the automatically provided objects, fields, and values/ranges by selecting the Delete icon.

  7. Add additional TCodes, authorization objects, and/or field values to simulate how they will affect the role.

  8. When you're ready to run the analysis, select Schedule. The Activity History page displays the analysis for you to view or download. See how to review the role results.

Scheduling a Composite Role WhatIf Analysis

You can schedule a WhatIf analysis for a composite role to simulate the SoD conflicts that would occur when you add or remove a single role from that composite role.

To generate a report on the impact of deleting existing roles or adding roles to a composite role:

  1. Select WHAT IF ANALYSIS and choose COMPOSITE ROLE.

  2. Enter the name for your analysis or keep the generated one.

  3. Use the Security extract dropdown menu to choose the security tables to use in the analysis, based on the date they were pulled. This defaults to the most recent extract.

  4. Select the field under Rulebooks and choose the rulebook(s) you want included in this analysis.

  5. Use the dropdown menu to select an existing composite role.

  6. Use the dropdown menu under Composite Role to select the role(s) you are simulating changes to.

  7. In the Roles Changes section, remove existing roles and/or add roles to simulate what could happen when those roles are removed from or added to a composite role.

  8. When you're ready to run the analysis, select Schedule. The Activity History page displays the analysis for you to view or download. See how to review the role results.

Reviewing WhatIf Analysis Results

To view user, role, and composite role WhatIf results, select View next to your analysis in Activity History or go to WHAT IF ANALYSIS > RESULTS and select View. To download the analysis as an .xlsx file, select Download.

Analysis results show a high-level summary view and the authorizations that make up the risk or role. You can also see the number of unmitigated risks for pre-existing conflicts and for new conflicts.

Select the Download icon to download the report as an .xlsx. Select the Comment icon to add a comment about a specific item in the report or select the Book icon to see more granular information about the permission changes in the analysis.

To return to the summary view from the detailed view, select the Refresh icon in the upper-right corner.

Viewing User WhatIf Analysis

The User WhatIf analysis identifies the risks surfaced by changing a user's roles.

This analysis shows these key data points:

  • Risk rating - The level of risk associated with the role assignment.

  • Conflict Source - Identifies if the risks are new or pre-existing. The three possible values are:

    • Existed Before Changes - The risk was already present based on the user's previous access.

    • Caused By Changes - This change introduces a new risk.

    • Gone After Changes - The user will no longer have the access that created this risk.

  • Business Function Hits - This shows a total of every single "hit," or authorization object, within the business functions. The different categories for the business function hits are:

    • Existed Before Changes - The user already had access to these authorizations.

    • Caused By Changes - The user will have these new authorizations if the proposed changes are applied.

    • Gone After Changes - The user will no longer have access to these authorizations if the proposed role changes are applied.

Select the Book icon to see more information about the permissions, including the hit source, function code, object, field, and more.
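
The Conflict Source and Business Function Hits categories above amount to set differences between the user's access before and after the proposed change. The following added example (not the product's implementation and not code from this documentation) illustrates that with constructed, hypothetical role names, business functions, and risk IDs; it assumes the three categories are disjoint and models hits at the transaction-code level only, ignoring authorization objects and field values.

```python
# Constructed sample data: role names, business functions and risk IDs are hypothetical.
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F-53", "F110"},
    "Z_MM_BUYER": {"ME21N"},
    "Z_MM_RECEIVING": {"MIGO"},
}
FUNCTION_TCODES = {  # business function -> transaction codes that count as a hit
    "VendorMaintenance": {"FK01", "FK02"},
    "ProcessPayments": {"F-53", "F110"},
    "CreatePO": {"ME21N"},
    "GoodsReceipt": {"MIGO"},
}
RULEBOOK = {  # risk ID -> (risk rating, business functions that conflict)
    "R001": ("High", {"VendorMaintenance", "ProcessPayments"}),
    "R002": ("Medium", {"CreatePO", "GoodsReceipt"}),
}

def hits(roles):
    """Return every (business function, tcode) pair the given roles grant."""
    tcodes = set().union(*(ROLE_TCODES[r] for r in roles))
    return {(f, t) for f, ts in FUNCTION_TCODES.items() for t in ts & tcodes}

def risks(roles):
    """Return (risk ID, rating) for each rule whose functions are all held."""
    held = {f for f, _ in hits(roles)}
    return {(rid, rating) for rid, (rating, funcs) in RULEBOOK.items()
            if funcs <= held}

def classify(before, after):
    """Split two sets into the three categories used in the results view."""
    return {
        "Existed Before Changes": sorted(before & after),
        "Caused By Changes": sorted(after - before),
        "Gone After Changes": sorted(before - after),
    }

def what_if(current_roles, add=(), remove=()):
    """Simulate role changes; pass current_roles=() to simulate a new user."""
    before = set(current_roles)
    after = (before - set(remove)) | set(add)
    return {"risks": classify(risks(before), risks(after)),
            "hits": classify(hits(before), hits(after))}

if __name__ == "__main__":
    result = what_if(["Z_AP_VENDOR_MAINT", "Z_MM_BUYER", "Z_MM_RECEIVING"],
                     add=["Z_AP_PAYMENTS"], remove=["Z_MM_RECEIVING"])
    for section, categories in result.items():
        for category, items in categories.items():
            print(section, "|", category, "|", items)
```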

Viewing Single Role WhatIf Analysis

The single role WhatIf analysis identifies the risks surfaced by adding transaction codes to a role, including these key data points:

  • Risk rating - The level of risk associated with the transaction code assignment.

  • Conflict Source - Identifies if the risks are new or pre-existing. The two possible values are:

    • Existed Before Changes - The risk was already present based on the role's previous access.

    • Caused By Changes - The change introduces a new risk.

  • Business Function Hits - This shows a total of every single "hit," or authorization object, within the business functions. The different categories for the business function hits are:

    • Existed Before Changes - The role already had access to these authorizations.

    • Caused By Changes - The role will have these new authorizations if the proposed changes are applied.

    • Gone After Changes - The role will no longer have access to these authorizations if the proposed changes are applied.

Select the Role Reporting tab to see more specific information about the rules and their effect on the roles.

Select the Book icon on either tab for more information about the hit source, function code, object, field, and more.

Viewing Composite Role WhatIf Analysis

The composite role WhatIf results show changes to the inherent risk within the role and the impact on users when roles are removed from or added to the composite. See Viewing Single Role WhatIf Analysis for more details.