Exclusions
In Authorizations Insights, primary violating objects such as users, roles or responsibilities can have a legitimate business need for the objects or authorizations that produce violations. In this case, these objects can be excluded from the rules in question. When you exclude violating objects from a rule, you must provide compensating controls to document the mitigation of any associated risk. Compensating controls document the reasons for the exclusion and can be associated with the rule.
Exclusions generally have an expiry date which specifies how long the exclusion is valid for the rule. After the expiry date has passed, the object is no longer excluded from the rule.
To exclude an object from a rule, go to the Rule Details page for that rule and click the Exclusions tab on the Compensating Controls and Exclusions panel. You can exclude specific primary violating objects or specify attributes by which to exclude the required objects.
Objects excluded from a rule can be tracked on the Exclusion Lists page, which displays a list of rule books owned by the signed-in user or rule books containing rules owned by the signed-in user. The Exclusion Lists page provides an overview of which rule books contain rules with associated exclusions. This is particularly useful if you plan to use these rule books in an analysis, because the exclusions will impact the violations generated for that rule book.
On the Exclusion Lists page, first select the rule book, and then the rule from which objects were excluded.
When you exclude violating objects from a rule, you must provide compensating controls to mitigate any associated risk. Compensating controls can be associated with the rule from this page.