SAP Identity Access Governance (IAG) is a cloud-based solution that helps organizations manage the access rights of their users across different systems and applications. One of the key features of SAP IAG is the ability to define and monitor risks, which are combinations of access rights that may pose a threat to the security or compliance of the organization. For example, a risk could be that a user has both the ability to create and approve purchase orders, which could lead to fraud or misuse of funds.
In previous versions of SAP IAG, the risk owner was a static attribute that the administrator had to assign manually to each risk. The risk owner was responsible for reviewing and mitigating the risks, as well as approving or rejecting any requests for exceptions. However, this approach had some limitations:
- The administrator had to know the appropriate risk owner for each risk, which could be difficult in complex or dynamic organizations.
- The risk owner had to be a single person, which could create bottlenecks or delays if the person was unavailable or changed roles.
- The risk owner could not be changed easily, which could lead to inconsistent or outdated risk management.
To overcome these limitations, SAP IAG 2406 introduces a new feature called Dynamic Risk Owner, which determines the risk owner automatically based on the context of the risk. With this feature, the administrator defines rules that specify the criteria for selecting the risk owner, such as the system, application, role, or attribute of the user who has the risk. The rules can also include fallback options, such as a default risk owner or a group of risk owners, for cases where the criteria are not met or multiple risk owners are found. The rules are evaluated at runtime, whenever a risk is detected or a request is submitted, and the appropriate risk owner is assigned dynamically. This way, the risk owner is always relevant and up to date, and the risk management process is more efficient and flexible.
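The runtime evaluation described above, modeled in Python as an added example; it is not SAP IAG code and does not use SAP IAG's business rule syntax. The rule shape, all owner and system names, and the choice to send ambiguous matches to the group and non-matches to the default owner are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OwnerRule:
    criteria: dict   # attribute -> required value, e.g. {"system": "S4_PROD"}
    owner: str       # risk owner selected when every criterion matches

def resolve_risk_owner(context, rules, fallback_group=(), default_owner=None):
    """Return (owners, source) for one detected risk or access request."""
    matched = []
    for rule in rules:
        if not rule.criteria:
            # A rule with no criteria would match every risk; reject it.
            raise ValueError(f"catch-all rule for {rule.owner!r} has no criteria")
        if all(context.get(k) == v for k, v in rule.criteria.items()):
            if rule.owner not in matched:
                matched.append(rule.owner)
    if len(matched) == 1:
        return matched, "rule"
    if len(matched) > 1 and fallback_group:
        return list(fallback_group), "fallback_group"   # ambiguous match
    if default_owner:
        return [default_owner], "default"               # no usable match
    # Fail closed: never leave a risk without a reviewer.
    raise LookupError("no risk owner could be determined")

# Constructed sample rules and contexts (all names are hypothetical).
RULES = [
    OwnerRule({"system": "S4_PROD", "application": "FI"}, "fi_risk_owner"),
    OwnerRule({"system": "S4_PROD", "application": "MM"}, "mm_risk_owner"),
    OwnerRule({"role": "BUYER"}, "procurement_risk_owner"),
]
GROUP = ("grc_reviewer_1", "grc_reviewer_2")

def demo():
    contexts = [
        {"system": "S4_PROD", "application": "FI", "role": "ACCOUNTANT"},
        {"system": "S4_PROD", "application": "MM", "role": "BUYER"},
        {"system": "HR_DEV", "application": "PA", "role": "HR_ADMIN"},
    ]
    return [resolve_risk_owner(c, RULES, GROUP, "default_risk_owner") for c in contexts]

if __name__ == "__main__":
    for owners, source in demo():
        print(source, owners)
```

Returning the source of each decision alongside the owners lets an audit distinguish a rule-based assignment from one that fell through to the group or the default.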
Example of how to use Dynamic Risk Owner
Additional Changes in Business Rule:
Additional parameters which can be used to set the values in runtime