
Friday, July 5, 2013

CA GovernanceMinder–Segregation of Duty rules builder

SoD Rules Builder

 

Overview:

Most auditors keep the SoD rules in a spreadsheet that looks like the figure below.

The X represents a “collision”, which means that if a user has access to a role from the “green” list, he cannot have access to a role from the “yellow” list.

This example is role to role, but the same approach can be applied to any type of objects, such as resource to resource, role to resource, user attribute to role, etc.


Before using the CMGR utility, you will need to convert the XLS file to a CSV file that contains only the pairs of objects that “collide” (see the “Input file example” below).

The Rule Builder utility converts simple CSV-formatted SoD (Segregation of Duty) rules to SageERM XML Business Policy Rules.

The rule types that you can create with this utility are:

  1. 'BPR RES RES FORBIDDEN'

This rule requires 2 resources, RES-a and RES-b.

The rule that will be created will be: Users that have access to RES-a cannot have access to RES-b.

Keep in mind that RES-a is represented in SageERM by “ResName1, ResName2, ResName3”.

  2. 'BPR ROLE ROLE FORBIDDEN'

This rule requires 2 roles, ROLE-a and ROLE-b.

The rule that will be created will be: Users that have access to ROLE-a cannot have access to ROLE-b.

Keep in mind that ROLE-a is represented in SageERM by “Rolename”.

  3. 'BPR USER ATTR RES FORBIDDEN'

This rule requires a user HR attribute and a resource (RES-a, for example).

The rule that will be created will be: Users that meet the HR attribute should not have access to RES-a.

Keep in mind that:

    • User attribute is represented by “Attribute Name, Attribute Value”
    • RES-a is represented in SageERM by “ResName1, ResName2, ResName3”

  4. 'BPR USER ATTR ROLE FORBIDDEN'

This rule requires a user HR attribute and a role (ROLE-a, for example).

The rule that will be created will be: Users that meet the HR attribute should not have access to ROLE-a.

Keep in mind that:

    • User attribute is represented by “Attribute Name, Attribute Value”
    • ROLE-a is represented in SageERM by “RoleName”

Usage:

CMGR <Input rules file> <Output bpr file>

The input file is a CSV file containing the following columns:

rule type, rule name, description, parm1, parm2, parm3, parm4, parm5, parm6

Rule Types:

'BPR RES RES FORBIDDEN'

'BPR ROLE ROLE FORBIDDEN'

'BPR USER ATTR RES FORBIDDEN'

'BPR USER ATTR ROLE FORBIDDEN'

'BPR USER ATTR RES ONLY ALLOWED'

'BPR USER ATTR ROLE ONLY ALLOWED'

'BPR USER ATTR ROLE MUST'

'BPR USER ATTR RES MUST'

Input File Format

CSV file

1 line/rule

Column 1: Rule Type

Column 2: Rule Name

Column 3: Rule description

Columns 4-9: Rule values (such as role name, resource name, etc.)

Input file example:

BPR RES RES FORBIDDEN,5AV,5av branch resources,p1,p2,p3,p4,p5,p6

BPR RES RES FORBIDDEN,Stamford Br,Stamford branch resources,p1,p2,p3,p4,p5,p66

BPR ROLE ROLE FORBIDDEN,5av-stamford, people can not have access to role '5av' and 'stamford',5av,stamford

BPR USER ATTR RES FORBIDDEN,5av forbidden for DEVELOP,Fifth Ave Branch are forbidden for DEVELOP/RACF,Organization,Fifth Ave Branch,DEVELOP,RACFPROD,RACF22

BPR USER ATTR ROLE FORBIDDEN,5av forbidden for Stamford role,Fifth Ave Branch are forbidden for Stamford Role,Organization,Fifth Ave Branch,Organization=Stamford Branch

BPR USER ATTR RES ONLY ALLOWED,Only 5av allowed for UG5AVEGEN, Description,Organization,Fifth Ave Branch,UG5AVEGEN,NT5AVE,WinNT

BPR USER ATTR ROLE ONLY ALLOWED,Role Organization=Fifth Ave Branch, Description ,Fifth Ave Branch,Organization=Fifth Ave Branch
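The spreadsheet-to-CSV step described in the overview, as an added example that is not part of the original post or of the CMGR utility: it turns a CSV export of the collision matrix into 'BPR ROLE ROLE FORBIDDEN' input lines. The matrix layout (one role list in the header row, the other in the first column, X in colliding cells), the rule name and description wording, and the function names are assumptions.

```python
import csv
import io

RULE_TYPE = "BPR ROLE ROLE FORBIDDEN"  # rule type name taken from the page

# Constructed sample: CSV export of an SoD matrix. Assumed layout: header row
# holds one role list, first column holds the other, "X" marks a collision.
SAMPLE_MATRIX = """\
,stamford,payroll-approve,vendor-create
5av,X,,
payroll-enter,,X,
vendor-pay,,x,X
"""

def matrix_to_rules(matrix_csv):
    """Return CMGR input rows (lists of columns), one per colliding role pair."""
    rows = list(csv.reader(io.StringIO(matrix_csv)))
    header = [h.strip() for h in rows[0][1:]]
    rules, seen = [], set()
    for row in rows[1:]:
        if not row or not row[0].strip():
            continue  # skip blank spreadsheet rows
        role_a = row[0].strip()
        for role_b, cell in zip(header, row[1:]):
            if cell.strip().upper() != "X":
                continue
            if role_a == role_b:
                raise ValueError(f"role {role_a!r} collides with itself")
            pair = frozenset((role_a, role_b))
            if pair in seen:
                continue  # assumption: A/B and B/A describe the same rule
            seen.add(pair)
            for name in (role_a, role_b):
                if "," in name:  # a comma would shift the CSV columns
                    raise ValueError(f"comma in role name {name!r}")
            rules.append([RULE_TYPE, f"{role_a}-{role_b}",
                          f"users cannot hold both '{role_a}' and '{role_b}'",
                          role_a, role_b])
    return rules

def to_cmgr_lines(rules):
    """Join columns with plain commas, as in the page's input file example."""
    return [",".join(cols) for cols in rules]

if __name__ == "__main__":
    for line in to_cmgr_lines(matrix_to_rules(SAMPLE_MATRIX)):
        print(line)
```
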

Run/Execution example:

Rule created: 'BPR RES RES FORBIDDEN','5AV'

Rule created: 'BPR RES RES FORBIDDEN','Stamford Br'

Rule created: 'BPR ROLE ROLE FORBIDDEN','5av-stamford'

Rule created: 'BPR USER ATTR RES FORBIDDEN','5av forbidden for DEVELOP'

Rule created: 'BPR USER ATTR ROLE FORBIDDEN','5av forbidden for Stamford role'

Rule created: 'BPR USER ATTR RES ONLY ALLOWED','Only 5av allowed for UG5AVEGEN'

Rule created: 'BPR USER ATTR ROLE ONLY ALLOWED','Only 5av allowed for role Organization=Fifth Ave Branch'

InFile :'rules.txt'

OutFile :'rules.bpr'

7 rules created

Result

The rules will be converted to SageERM rules (BPR file).
