Using What If Analysis

A What If analysis simulates which separation of duties (SoD) conflicts will occur if you add permissions to, or remove permissions from, users, roles, or composite roles. For example, you can use the User What If analysis to determine whether assigning multiple roles will cause SoD violations and whether removing a role will eliminate them. This provides greater insight for decision makers and audit evidence for access requests.

You can schedule a What If analysis by type and review analysis results.

There are three types of What If analyses:

  • User

  • Single role

  • Composite role

User What If Analysis

A What If analysis for a user identifies any SoD conflicts that may arise from assigning the user one or more roles, so you can understand the impact of role assignment changes. A user What If analysis is automatically generated when you create a provisioning request through Identity Security Cloud or IdentityIQ.
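The simulation described above can be pictured as a before/after comparison of rule hits. The following is an added illustration, not product code: the role names, role-to-transaction-code mappings, rule IDs, and the `what_if` helper are all constructed assumptions.

```python
# Constructed sample data: roles, transaction-code mappings and SoD rules are
# illustrative assumptions, not taken from any product rulebook.
ROLE_TCODES = {
    "AP_CLERK": {"FB60"},               # enter vendor invoices
    "PAYMENT_RUNNER": {"F110"},         # run payments
    "AP_SUPERVISOR": {"FB60", "F110"},  # overlaps with both roles above
    "VENDOR_MAINT": {"XK01"},           # create vendors
    "BUYER": {"ME21N"},                 # create purchase orders
    "RECEIVER": {"MIGO"},               # post goods receipts
}

# Each rule names two conflicting functions; holding at least one transaction
# code from each side counts as a conflict.
SOD_RULES = {
    "R1_VENDOR_VS_PAYMENT": ({"XK01"}, {"F110"}),
    "R2_INVOICE_VS_PAYMENT": ({"FB60"}, {"F110"}),
    "R3_PO_VS_RECEIPT": ({"ME21N"}, {"MIGO"}),
}


def conflicts(roles):
    """Return the IDs of all SoD rules violated by this set of roles."""
    tcodes = set().union(*(ROLE_TCODES[r] for r in roles))
    return {rid for rid, (a, b) in SOD_RULES.items() if tcodes & a and tcodes & b}


def what_if(current_roles, add=(), remove=()):
    """Compare conflicts before and after a proposed role change."""
    before = conflicts(current_roles)
    after = conflicts((set(current_roles) | set(add)) - set(remove))
    return {
        "introduced": sorted(after - before),  # new violations from the change
        "resolved": sorted(before - after),    # violations the change removes
        "remaining": sorted(before & after),   # violations left untouched
    }


if __name__ == "__main__":
    # Assigning two roles at once introduces two separate conflicts.
    print(what_if({"AP_CLERK", "BUYER"}, add={"PAYMENT_RUNNER", "RECEIVER"}))
    # Removing a role does not help when another role grants the same access.
    print(what_if({"AP_CLERK", "PAYMENT_RUNNER", "AP_SUPERVISOR"},
                  remove={"PAYMENT_RUNNER"}))
```

The second call shows why the simulation works on effective access rather than role names: the conflict stays in `remaining` because a different role still grants the same transaction code.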

Single Role What If Analysis

A What If analysis for a single role simulates the effect of adding or removing transaction codes and authorization objects from a role. This helps with understanding how a change in transaction code assignments to a role can affect SoD conflicts. Many organizations use this as part of their change management processes to gain risk insight early in the role change process.

Composite Role What If Analysis

A What If analysis for a composite role is similar to the What If analysis for a single role, except that it shows the impact of changing the single roles in an existing composite role. If composite roles are a significant part of your role design, we recommend you include this simulation in your role management and change management processes as well.