What’s the difference between static and dynamic user SoD access controls? Do I need both?

The static Segregation of Duties (SoD) controls report all existing user SoD access violations when you run a Segregation of Duties Violations Manager (SoD VM) violation snapshot. The dynamic SoD controls detect the individual transactional changes that create violations, at the moment they happen.

A report that provides a snapshot of who has access to what, and whether they have access to conflicting functions at the time of report submission, is an example of the static control. An email that announces an application menu change that created an access path for twelve users to a defined function conflict is an example of the dynamic control.

Whether you need one or the other or both depends on your risk assessment and the corresponding need to mitigate that risk with automated controls. Consider:

  • Static SoD will not tell you if someone acquired access to conflicting functions, actually used both, and then removed the access to the conflicting functions before the next report.

Dynamic SoD controls, as implemented in Application Auditor (AA), are based on real-time trigger-based auditing. They will tell you when a conflicting User-Responsibility assignment is made, or when a Responsibility or Menu is changed such that conflicting functions can now be accessed via a single Responsibility. These SoD controls are about user access, which is the potential to perform conflicting functions. Neither the static nor the dynamic control tells you whether both functions were actually performed. However, with AA's configurable trigger-based table auditing, which is also dynamic, you can create compensating controls that detect when a business transaction actually happens, regardless of source or user. That complements and reinforces SoD controls implemented within the SoD Violations Manager.
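A toy model of the two controls, added here as an illustration and not the vendor's code: a static snapshot is compared against a change-by-change (trigger-style) check, showing the access that a snapshot misses when it is granted and revoked between two runs, and the menu change that opens a conflict for every holder of a Responsibility. All users, Responsibilities, Menus, functions and the conflict pair are constructed.

```python
# Added example (not the vendor's code): a toy model of static vs dynamic SoD
# controls. Users, menus, responsibilities and the conflict pair are constructed.
CONFLICTS = {frozenset({"CREATE_SUPPLIER", "PAY_INVOICE"})}

def reachable_functions(state, user):
    """Every function a user can reach via any assigned responsibility's menus."""
    funcs = set()
    for resp in state["user_resp"].get(user, ()):
        for menu in state["resp_menus"].get(resp, ()):
            funcs |= state["menu_funcs"].get(menu, set())
    return funcs

def static_snapshot(state):
    """Static control: (user, conflict pair) for everyone who holds both
    functions of a pair at the moment the snapshot runs."""
    return {(user, pair) for user in state["user_resp"]
            for pair in CONFLICTS if pair <= reachable_functions(state, user)}

def apply_change(state, change):
    """Dynamic control: apply one transactional change (as a trigger would see
    it) and return only the violations that this change created."""
    before = static_snapshot(state)
    kind, *args = change
    if kind == "assign_resp":
        state["user_resp"].setdefault(args[0], set()).add(args[1])
    elif kind == "revoke_resp":
        state["user_resp"].get(args[0], set()).discard(args[1])
    elif kind == "add_func_to_menu":   # menu change opens a path for all holders
        state["menu_funcs"].setdefault(args[0], set()).add(args[1])
    else:
        raise ValueError(f"unknown change {kind}")
    return static_snapshot(state) - before

def run_scenario():
    """Alice gains and loses a conflicting responsibility between two snapshots;
    then a menu change gives every AP clerk the conflicting function."""
    state = {"menu_funcs": {"AP_MENU": {"PAY_INVOICE"},
                            "SUPPLIER_MENU": {"CREATE_SUPPLIER"}},
             "resp_menus": {"AP_CLERK": {"AP_MENU"},
                            "SUPPLIER_ADMIN": {"SUPPLIER_MENU"}},
             "user_resp": {"alice": {"AP_CLERK"}, "bob": {"AP_CLERK"}}}
    snapshot_1 = static_snapshot(state)                 # empty: no conflict yet
    alerts = []                                         # what the triggers raised
    for change in [("assign_resp", "alice", "SUPPLIER_ADMIN"),
                   ("revoke_resp", "alice", "SUPPLIER_ADMIN")]:
        alerts += apply_change(state, change)
    snapshot_2 = static_snapshot(state)                 # empty again: static misses it
    menu_alerts = apply_change(state, ("add_func_to_menu", "AP_MENU", "CREATE_SUPPLIER"))
    return snapshot_1, alerts, snapshot_2, menu_alerts
```

Both snapshots come back empty while the dynamic check reports Alice's temporary conflict, and the single menu change is reported once per affected user rather than waiting for the next report.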