Conflicts — Roles

The Conflicts — Roles screen lists the distinct pairs of roles that produce an SoD conflict on a connected application. One line per (Application, Role 1, Role 2) triplet, derived from the Details dataset.

Where Conflicts — Users drives short-term remediation (revoke or deactivate), Conflicts — Roles drives the structural fix: redesign the role pair so the combination cannot occur at all.


At a glance

Nomasx-1 · Applications · Conflicts · Roles

| APPLICATION | ROLE 1 | ROLE 2 |
|---|---|---|
| 12 — JDE Production | VEND_ADMIN | AP_APPROVER |
| 12 — JDE Production | PO_OWNER | PO_RECEIVER |
| 12 — JDE Production | SALES_ADMIN | AR_ADJUSTER |
| 21 — SAP Production | Z_PAY_RATE | Z_PAYROLL_APV |

Goal of the view

For each connected application:

  • Spot the structurally incompatible roles. A pair appearing here means any user holding both will be in conflict. Trimming the role design once closes the issue for every current and future holder.
  • Prioritise the redesign. Pairs producing many Details rows are the highest-impact fix. Use the Summary or Details counts to rank them.
  • Plan the communication. The role pair is the unit of conversation with the security administrator and the role owners — far more actionable than discussing individual users.

The query takes the distinct (CFD_APPS_ID, CFD_ROLE1_ID, CFD_ROLE2_ID) tuples in SOD_CONFLICT_DETAILS, sorted by Role 1.


Columns

| Column | Source | What it tells you |
|---|---|---|
| Application ID | CFD_APPS_ID — application identifier. | The connected application. |
| Role 1 | CFD_ROLE1_ID — role granting Activity 1. Looked up against the role catalog. | First half of the incompatible pair. |
| Role 2 | CFD_ROLE2_ID — role granting Activity 2. Looked up against the role catalog. | Second half of the incompatible pair. |

Tips & best practices

  • Compare each pair with Roles matrix — if the same pair appears in a high-count combination, the conflict is broadly distributed and worth fixing structurally.
  • The pair is symmetric. If (A, B) appears, the redesign discussion is the same as for (B, A). Treat them as a single decision.
  • Three structural fixes are common: split one role into two, narrow one role's object scope, or move an object out of one role and require explicit user-level grant (with documented justification).
  • Re-run the SoD scan after the redesign — proven and theoretical counts should both drop. A drop only in Details but not in Proven points to compensating controls that may still be needed.
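
The distinct-tuple query from "Goal of the view" and the symmetric-pair and ranking tips above, worked through on an in-memory SQLite table. This is an added example, not the product's own code: the table and the three CFD_* columns are named on this page, while CFD_USER_ID, the sample rows, and the ROLE_A / ROLE_B / DETAIL_ROWS aliases are assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows. CFD_USER_ID is a hypothetical column standing in for
# the per-user detail a real SOD_CONFLICT_DETAILS row would carry.
ROWS = [
    (12, "VEND_ADMIN", "AP_APPROVER", "u01"),
    (12, "AP_APPROVER", "VEND_ADMIN", "u02"),  # same pair, stored reversed
    (12, "VEND_ADMIN", "AP_APPROVER", "u03"),
    (12, "PO_OWNER", "PO_RECEIVER", "u01"),
    (21, "Z_PAY_RATE", "Z_PAYROLL_APV", "u07"),
    (21, "Z_PAY_RATE", "Z_PAYROLL_APV", "u08"),
]

# The listing as the page describes it: distinct triplets, sorted by Role 1.
LISTING_SQL = """
SELECT DISTINCT CFD_APPS_ID, CFD_ROLE1_ID, CFD_ROLE2_ID
FROM SOD_CONFLICT_DETAILS
ORDER BY CFD_ROLE1_ID
"""

# Redesign ranking: fold (A, B) and (B, A) into one pair, count Details rows.
RANKED_SQL = """
SELECT CFD_APPS_ID, ROLE_A, ROLE_B, COUNT(*) AS DETAIL_ROWS
FROM (
  SELECT CFD_APPS_ID,
         CASE WHEN CFD_ROLE1_ID <= CFD_ROLE2_ID
              THEN CFD_ROLE1_ID ELSE CFD_ROLE2_ID END AS ROLE_A,
         CASE WHEN CFD_ROLE1_ID <= CFD_ROLE2_ID
              THEN CFD_ROLE2_ID ELSE CFD_ROLE1_ID END AS ROLE_B
  FROM SOD_CONFLICT_DETAILS
) AS PAIRS
GROUP BY CFD_APPS_ID, ROLE_A, ROLE_B
ORDER BY DETAIL_ROWS DESC, CFD_APPS_ID, ROLE_A
"""

def load(rows):
    """Build an in-memory stand-in for the Details dataset."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SOD_CONFLICT_DETAILS (CFD_APPS_ID INTEGER, "
               "CFD_ROLE1_ID TEXT, CFD_ROLE2_ID TEXT, CFD_USER_ID TEXT)")
    db.executemany("INSERT INTO SOD_CONFLICT_DETAILS VALUES (?, ?, ?, ?)", rows)
    return db

def role_pairs(db):
    return db.execute(LISTING_SQL).fetchall()

def ranked_pairs(db):
    return db.execute(RANKED_SQL).fetchall()
```

On the sample rows, `role_pairs(load(ROWS))` returns four lines because the reversed VEND_ADMIN / AP_APPROVER row counts as its own triplet, while `ranked_pairs(load(ROWS))` folds it into a single pair with three Details rows at the top of the redesign list.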