Canal Boat Holiday
I used the time between opening locks and steering the narrow boat to work on my database design. There were a few niggles in my head about how the tool could work in creating SOD (Segregation Of Duty) rules in the situation where there was no actual user data available to base the rules on. The time on the boat gave me a chance to rethink the design and come up with a way to pre-create theoretically sound rules that could be checked against actual user data.
The images below are sketches of the database design; I had to draw everything out, as the 3G signal near Llangollen in Wales was non-existent.
Figure 1 - Tables required for the theoretical SOD rules matched against business roles.
Figure 2 - Tables required for assigning the actual user data/users to business roles.
Figure 3 - Using both theoretical SOD rules and roles matched against actual users and roles.
Figure 4 - Using the idea of a stored SQL procedure to create the output reports.
The advantage of this design is that software vendors linking in with User Guardian can pre-create SOD rules if the compliance team or business is initially unsure. These could act as base templates that can be altered, saving time and preventing potentially "generally known" bad combinations of access attributes from being missed.
These rough drawings have been refined and produced into a database design which can be found in section 4. Design.
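As an added example (not the post's own design; the table and column names are my assumptions, since the sketches are not reproduced here), the following Python script stands up a constructed schema in SQLite, first checks the theoretical SOD rules against business roles alone, then matches them against actual user-to-role assignments to produce the violation report:

```python
import sqlite3

# Assumed schema (not the post's): attributes are grouped into business roles,
# a SOD rule names two attributes that must not be held together, and users
# receive roles. The rules can therefore be defined before any user data exists.
SCHEMA = """
CREATE TABLE business_role   (role_id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE access_attribute(attr_id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE role_attribute  (role_id INTEGER, attr_id INTEGER);
CREATE TABLE sod_rule        (rule_id INTEGER PRIMARY KEY, attr_a INTEGER,
                              attr_b INTEGER, description TEXT);
CREATE TABLE app_user        (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE);
CREATE TABLE user_role       (user_id INTEGER, role_id INTEGER);
"""

# Theoretical check: a single role that carries both sides of a rule is toxic
# on its own, so this can run with no users loaded at all.
ROLE_CONFLICTS_SQL = """
SELECT br.name, r.description
FROM sod_rule r
JOIN role_attribute xa ON xa.attr_id = r.attr_a
JOIN role_attribute xb ON xb.attr_id = r.attr_b AND xb.role_id = xa.role_id
JOIN business_role br ON br.role_id = xa.role_id
ORDER BY br.name, r.rule_id
"""

# Actual-data check: a user who reaches both attributes through any role(s)
# (the same role or two different ones) violates the rule.
USER_VIOLATIONS_SQL = """
SELECT DISTINCT u.username, r.description, ra.name AS role_a, rb.name AS role_b
FROM sod_rule r
JOIN role_attribute xa ON xa.attr_id = r.attr_a
JOIN role_attribute xb ON xb.attr_id = r.attr_b
JOIN user_role ua ON ua.role_id = xa.role_id
JOIN user_role ub ON ub.role_id = xb.role_id AND ub.user_id = ua.user_id
JOIN app_user u ON u.user_id = ua.user_id
JOIN business_role ra ON ra.role_id = xa.role_id
JOIN business_role rb ON rb.role_id = xb.role_id
ORDER BY u.username, r.rule_id
"""

def build_db():
    """Constructed sample data: one rule, one toxic role nobody holds, one user who
    accumulates both sides of the rule through two otherwise clean roles."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO business_role VALUES (?, ?)",
                     [(1, "AP Clerk"), (2, "AP Approver"), (3, "Reporting"), (4, "Superuser")])
    conn.executemany("INSERT INTO access_attribute VALUES (?, ?)",
                     [(1, "CREATE_VENDOR"), (2, "APPROVE_PAYMENT"), (3, "VIEW_LEDGER")])
    conn.executemany("INSERT INTO role_attribute VALUES (?, ?)",
                     [(1, 1), (2, 2), (3, 3), (4, 1), (4, 2)])
    conn.executemany("INSERT INTO sod_rule VALUES (?, ?, ?, ?)",
                     [(1, 1, 2, "Vendor creation vs payment approval")])
    conn.executemany("INSERT INTO app_user VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO user_role VALUES (?, ?)", [(1, 1), (1, 2), (2, 1), (2, 3)])
    return conn

def role_conflicts(conn):
    return conn.execute(ROLE_CONFLICTS_SQL).fetchall()

def user_violations(conn):
    return conn.execute(USER_VIOLATIONS_SQL).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("Toxic roles:", role_conflicts(db))
    print("User violations:", user_violations(db))
```

The two queries are the bodies one would wrap in the stored procedure of Figure 4; the first needs only Figures 1's tables, the second needs Figure 2's as well.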