
SoD — Matrix

The Matrix screen lists the pairs of activities that produce an SoD risk, with one row per (Application, Process, Activity 1, Activity 2). Each row maps the pair to a Risk and a Risk level. Together, these rows are the rule set behind every conflict that the Conflicts views surface.

This is the most operationally important SoD setting: editing a row here changes what every conflict screen computes from the next refresh.


At a glance

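Nomasx-1 · Settings · SoD · Matrix

| APP | PROCESS | ACT 1 | ACT 2 | RISK | LEVEL |
|---|---|---|---|---|---|
| 12 | P2P | VEND-CR | PAY-APV | R-P2P-01 | High |
| 12 | P2P | PO-MOD | RCT-APV | R-P2P-02 | Medium |
| 12 | O2C | CUST-CR | ADJ-POST | R-O2C-04 | Medium |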

Goal of the view

  • Encode the SoD rule book — every pair declared here generates a row in Conflicts → Details whenever a user holds the two activities.
  • Tie each pair to a named risk. The Risk column is what auditors read; the Risk level drives weighting.
  • Maintain symmetrically. (A, B) and (B, A) mean the same thing — declare one and let the engine traverse both ways.

Columns

| Column | Source | What it tells you |
|---|---|---|
| Application ID | MATRIX_APPS_ID — application. | The application the rule applies to. |
| Process ID | MATRIX_PROCESS_ID — process. | The business process. |
| Activity 1 | MATRIX_ACT1_ID — links to Activities. | First incompatible action. |
| Activity 2 | MATRIX_ACT2_ID — links to Activities. | Second incompatible action. |
| Risk ID | MATRIX_RISK_ID — links to Risks. | The named risk the pair instantiates. |
| Risk level | MATRIX_RISK_LEVEL — severity. | Multiplier applied to the conflicts produced. |
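
The following Python example, added here and not taken from Nomasx-1 or its engine, models how rows with these columns turn into conflicts and why a mirrored (B, A) row adds nothing. The three rule rows come from the screen above; the mirrored fourth row, the user assignments, the function names and the data layout are assumptions made for illustration.

```python
from collections import defaultdict

COLS = ("MATRIX_APPS_ID", "MATRIX_PROCESS_ID", "MATRIX_ACT1_ID",
        "MATRIX_ACT2_ID", "MATRIX_RISK_ID", "MATRIX_RISK_LEVEL")

# Constructed sample data: the three rows shown on the screen, plus a
# mirrored copy of the first one to show that one direction is enough.
MATRIX = [dict(zip(COLS, r)) for r in [
    (12, "P2P", "VEND-CR", "PAY-APV", "R-P2P-01", "High"),
    (12, "P2P", "PO-MOD", "RCT-APV", "R-P2P-02", "Medium"),
    (12, "O2C", "CUST-CR", "ADJ-POST", "R-O2C-04", "Medium"),
    (12, "P2P", "PAY-APV", "VEND-CR", "R-P2P-01", "High"),  # mirror of row 1
]]

# Hypothetical assignments (user, application, activity); not product data.
ASSIGNMENTS = [
    ("alice", 12, "PAY-APV"), ("alice", 12, "VEND-CR"),
    ("bob", 12, "PO-MOD"),
    ("carol", 12, "ADJ-POST"), ("carol", 12, "CUST-CR"), ("carol", 12, "VEND-CR"),
]

def pair_key(row):
    """Order-independent identity of a rule: (A, B) and (B, A) collapse."""
    acts = frozenset((row["MATRIX_ACT1_ID"], row["MATRIX_ACT2_ID"]))
    return (row["MATRIX_APPS_ID"], row["MATRIX_PROCESS_ID"], acts)

def normalize(matrix):
    """Return (unique rules, skipped rows): mirrored or self-paired rows are skipped."""
    rules, skipped = {}, []
    for row in matrix:
        key = pair_key(row)
        if len(key[2]) < 2 or key in rules:  # Activity 1 == Activity 2, or already declared
            skipped.append(row)
        else:
            rules[key] = row
    return rules, skipped

def conflicts(matrix, assignments):
    """One (user, risk, level) entry per rule whose two activities a user holds."""
    held = defaultdict(set)
    for user, app, activity in assignments:
        held[(user, app)].add(activity)
    rules, _ = normalize(matrix)
    found = []
    for (user, app), acts in sorted(held.items()):
        for (rule_app, _process, pair), row in rules.items():
            if rule_app == app and pair <= acts:
                found.append((user, row["MATRIX_RISK_ID"], row["MATRIX_RISK_LEVEL"]))
    return found
```

Running `normalize` over an export of the matrix before a refresh is a quick way to spot mirrored rows that would otherwise inflate the row count without changing any result.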

Edit dialog

Click Add or double-click a row to open the form.

Edit SoD matrix row

Application: 12 — JDE Prod ▾
Process: P2P ▾
Activity 1: VEND-CR ▾
Activity 2: PAY-APV ▾
Risk: R-P2P-01 ▾
Level: High ▾
Buttons: Cancel, Save

| Field | What to enter |
|---|---|
| Application | Drop-down of declared applications. |
| Process | Drop-down filtered to the chosen application's processes. |
| Activity 1 | Drop-down filtered to the activities of the chosen process. First incompatible activity. |
| Activity 2 | Drop-down filtered to the same activities. Second incompatible activity. |
| Risk | Drop-down filtered to the risks declared on the chosen process. The named risk the pair instantiates. |
| Level | High / Medium / Low (or numeric scale). Overrides the risk's default level for this pair if needed. |

Tips & best practices

  • Adding a row generates new conflicts at the next SoD refresh — coordinate with the security administrator and HR.
  • Removing a row clears existing conflicts at the next refresh. Document the rationale: an auditor reviewing the SoD framework will ask why.
  • Risk level here should match the Risks catalog level — keeping the two in sync avoids confusing dashboard rendering.
  • A pair of activities with low business interaction should not be a rule — keep the matrix to the conflicts that actually happen in practice.