Ruleset Maintenance
The ruleset is the foundation of any effective access risk analysis. It defines what combinations of access rights constitute a risk and enables MTC Skopos to identify Segregation of Duties conflicts and Critical Access across your organization.
Since every environment is unique, MTC Skopos does not include a built-in ruleset. Customers are expected to develop their own or engage our consulting services to tailor one to their needs. While we can provide a template ruleset as a starting point, it must be reviewed and adapted by the customer to reflect the specifics of their environment.
Understanding Rulesets
As security consultants, we understand that implementing Segregation of Duties (SoD) and Critical Access (CA) rulesets goes far beyond technical configuration. While system-level controls and the technical implementation of authorizations are key, they represent only half the equation. The true effectiveness of an SoD and CA framework depends on a deep understanding of the organization's business processes, organizational structure, and system configuration.
To identify risks, it is essential to align technical roles and authorizations with business functions. This means engaging with business stakeholders, mapping out process flows, and ensuring that rulesets reflect the way the organization actually operates, not just how the system is technically set up. This holistic approach ensures not only compliance but also operational efficiency and user acceptance.
Types of Rules
Segregation of Duties (SoD) Rules
SoD rules define combinations of functions that should not be performed by the same person. For example:
- Creating a vendor AND processing payments to that vendor
- Entering purchase orders AND approving those orders
- Maintaining user accounts AND assigning authorization roles
Critical Access Rules
Critical Access rules identify sensitive functions that require monitoring regardless of other access. Examples include:
- Direct database access or debugging capabilities
- System configuration changes
- Mass data modification transactions
Ruleset Structure
How can I maintain the ruleset?
The ruleset file can be opened and maintained directly in Microsoft Excel. The structure is comprehensive and easy to maintain.
The ruleset contains the following key components:
| Component | Description |
|---|---|
| Risk ID | Unique identifier for each risk rule |
| Risk Description | Business-friendly description of the conflict |
| Risk Level | Classification (High, Medium, Low) based on potential impact |
| Function 1 | First function in the SoD conflict |
| Function 2 | Second function in the SoD conflict |
| Actions | Technical transactions, authorization objects, or permissions |
| System | Target system for cross-system analysis |
Best Practices for Ruleset Development
- Start with Business Processes - Map your critical business processes before defining technical rules
- Engage Stakeholders - Involve process owners in validating that rules reflect actual risks
- Prioritize by Impact - Focus on high-risk areas first (financial transactions, master data)
- Document Rationale - Record why each rule exists to support audit inquiries
- Regular Review - Update rulesets when business processes or systems change
Cross-System Rulesets
How does a cross-system ruleset work?
Maintain the "System" field to identify the system from which the function is expected to be triggered. This enables MTC Skopos to identify risks that span multiple ERP systems.
Note: Rulesets containing multiple systems can only be used in cross-system risk analysis scenarios.
Example Cross-System Risk: A user who can create vendors in SAP and approve payments in a separate treasury system presents a cross-system SoD conflict that would not be detected by analyzing either system in isolation.
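As an added worked example (not MTC Skopos code), the following Python evaluates one user's access against a small ruleset laid out with the columns described above, including the cross-system vendor/payment case. The function catalogue, the action codes, the system names, and the assumption that a function is held when any one of its actions is present in its system are all constructed for illustration.

```python
# Added example, not MTC Skopos code: a minimal SoD / Critical Access
# evaluator over a ruleset using the components described above.
# Assumptions (constructed): each function is defined by the System it is
# triggered from and the Actions that grant it; a risk names Function 1 and
# Function 2, with Function 2 empty for a Critical Access rule.
from dataclasses import dataclass

@dataclass(frozen=True)
class Function:
    system: str          # "System" column: where the function is triggered from
    actions: frozenset   # "Actions" column: transactions / auth objects / permissions

@dataclass
class Risk:
    risk_id: str         # "Risk ID"
    description: str     # "Risk Description"
    level: str           # "Risk Level": High / Medium / Low
    function1: str       # "Function 1"
    function2: str = ""  # "Function 2"; empty means a Critical Access rule

# Constructed function catalogue and ruleset (all names and codes are made up)
FUNCTIONS = {
    "CREATE_VENDOR":   Function("SAP_ERP",  frozenset({"XK01", "FK01"})),
    "APPROVE_PAYMENT": Function("TREASURY", frozenset({"PAY_APPROVE"})),
    "DEBUG":           Function("SAP_ERP",  frozenset({"S_DEVELOP:DEBUG"})),
}
RULESET = [
    Risk("F001", "Create vendor and approve payments", "High",
         "CREATE_VENDOR", "APPROVE_PAYMENT"),
    Risk("CA01", "Debugging capability", "High", "DEBUG"),
]

def has_function(access, name):
    """access: {system: set(actions)} for one user. Assumed semantics: the
    function is held when any of its actions exists in that function's system."""
    fn = FUNCTIONS[name]
    return bool(fn.actions & access.get(fn.system, set()))

def evaluate(access, ruleset=RULESET, systems=None):
    """Return the IDs of risks the user violates. `systems` limits the scope to
    a single-system scenario; None means a cross-system analysis."""
    hits = []
    for r in ruleset:
        names = [n for n in (r.function1, r.function2) if n]
        if systems is not None and any(FUNCTIONS[n].system not in systems for n in names):
            continue  # rule touches a system outside the analysed scope
        if all(has_function(access, n) for n in names):
            hits.append(r.risk_id)
    return hits
```

Running `evaluate` with the scope restricted to either system alone returns nothing for the vendor/payment user, which is exactly the blind spot the cross-system analysis closes.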
Getting Help
Building an effective ruleset requires both technical knowledge and business process understanding. Our consulting team can assist with:
- Ruleset Development - Create a custom ruleset tailored to your organization
- Template Customization - Adapt our template ruleset to your specific environment
- Validation and Testing - Verify that rules accurately identify real risks
- Training - Enable your team to maintain and evolve the ruleset independently