
HelloID

Toxic combination

Warning

This feature requires a Governance module license. For more information, see Governance.

A toxic combination is a set of permissions or roles that, when granted together to a single user, could pose a security risk. Such combinations can enable, for example, unauthorized access, fraud, data breaches, or other malicious activities.

Configuration

Follow the steps below to configure a toxic combination.

1. Click on the Provisioning icon in the top menu bar of the HelloID admin dashboard.

2. From the Provisioning dashboard, go to: Business > Rules.

3. Click on the Toxic policy button located at the top right corner of the page.


4. Click on the + sign to create a new Toxic combination.


5. The following configuration options are available when creating a toxic combination:

Option: Description

Name: Provide a logical name to identify the toxic combination.

Description: Provide a logical description for the toxic combination.

Enabled: When enabled, the toxic combination will be applied during the next evaluation and enforcement.

Input entitlements:

  • Select at least two input entitlements to be used for this toxic combination.

  • Only entitlements that are used inside business rules are available for selection as input entitlements.

  • A maximum of 10 entitlements can be selected.

Output entitlements:

  • Select at least one output entitlement to be used for this toxic combination.

  • Only entitlements that are used as input entitlements are available for selection as output entitlements.

Note

The configuration settings will be saved automatically.

Important

No order of importance is applied to toxic combinations. Multiple toxic combinations can be configured inside the toxic policy, and the order in which they are listed does not matter.

Example when using multiple Office365 conflicting licensing plans

In certain situations it is useful to configure which permission should overrule another when both are granted, because the two permissions may conflict.

Most of the time only a single license should be granted to a person, because assigning duplicate licenses is more expensive.

For example, in Office365, licenses can be granted by business rules scoped to the department attribute of a person's contract. A person with multiple contracts can end up in different business rules, where the first business rule contains the E1 license and the other business rule contains the E3 license. In this specific case the end user receives both licenses, which isn't desirable.

In our example below, the E3 license grants more applications than a default E1 license. Therefore we want to make a toxic rule that assigns only the E3 license when both the E3 and E1 licenses are granted based on the business rules. Likewise, if the E1 license is already granted (entitled) and the E3 license should be granted, the desired result is to revoke the E1 license and grant the E3 license.

Example Office365 configuration

1. Click on the Provisioning icon in the top menu bar of the HelloID admin dashboard.

2. From the Provisioning dashboard, go to: Business > Rules.

3. Click on the Toxic policy button located at the top right corner of the page.

4. Click on the + sign to create a new Toxic combination.

5. Name your combination "Office 365 Toxic combination".

6. Make sure the Toxic combination is enabled.

7. Select Office 365 E1 and also Office 365 E3 as input entitlements.

8. Select Office 365 E3 as output entitlement.

9. The final result will look like the following:

Toxic_policy.jpg

10. Run an evaluation report to determine the outcome of this toxic combination.
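The outcome to expect from that evaluation can be modelled offline. The following Python is an added example, not HelloID code: the class and function names are hypothetical, and it assumes a combination triggers only when every one of its input entitlements is granted by the business rules.

```python
from dataclasses import dataclass

MAX_INPUTS = 10  # limit stated in the option list above

@dataclass(frozen=True)
class ToxicCombination:  # hypothetical model, not a HelloID type
    name: str
    inputs: frozenset
    outputs: frozenset
    enabled: bool = True

    def __post_init__(self):
        # Constraints taken from the configuration options above.
        if not 2 <= len(self.inputs) <= MAX_INPUTS:
            raise ValueError("select between 2 and 10 input entitlements")
        if not self.outputs or not self.outputs <= self.inputs:
            raise ValueError("outputs must be a non-empty subset of the inputs")

def resolve(desired, combinations):
    """Return the entitlements left after applying every enabled combination.

    ASSUMPTION: a combination triggers only when all of its inputs are desired.
    Every combination is checked against the same starting set, so the order
    of the list cannot change the result.
    """
    desired = frozenset(desired)
    suppressed = set()
    for combo in combinations:
        if combo.enabled and combo.inputs <= desired:
            suppressed |= combo.inputs - combo.outputs
    return desired - suppressed

def plan(current, desired, combinations):
    """Grant/revoke actions needed to move a person to the resolved state."""
    target = resolve(desired, combinations)
    current = frozenset(current)
    return {"grant": sorted(target - current), "revoke": sorted(current - target)}

# Constructed sample: the Office 365 combination configured in the steps above.
O365 = ToxicCombination(
    name="Office 365 Toxic combination",
    inputs=frozenset({"Office 365 E1", "Office 365 E3"}),
    outputs=frozenset({"Office 365 E3"}),
)

if __name__ == "__main__":
    both = {"Office 365 E1", "Office 365 E3"}  # two contracts, two business rules
    print(plan(current=set(), desired=both, combinations=[O365]))
    print(plan(current={"Office 365 E1"}, desired=both, combinations=[O365]))
```
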