Toxic combination
Warning
This feature requires a Governance module license. For more information see Governance.
A toxic combination is a set of permissions or roles that, when granted together to a single user, could pose a security risk. Such combinations can enable, for example, unauthorized access, fraud, data breaches, or other malicious activities.
Configure a toxic combination
Click on the Provisioning icon in the top toolbar of the admin dashboard.
From the Provisioning dashboard, go to: Business > Rules.
Click on the Toxic policy button located at the top right corner of the page.
Click on the + sign to create a new Toxic combination.
Configure the settings for the toxic combination.
The following configuration options are available.
Option: Description
Name: Provide a logical name to identify the toxic combination.
Description: Provide a logical description for the toxic combination.
Enabled: When enabled, the toxic combination will be applied during the next evaluation and enforcement.
Input entitlements: Select at least two input entitlements to be used for this toxic combination. Only entitlements that are used in business rules are available for selection. A maximum of 10 entitlements can be selected.
Output entitlements: Select at least one output entitlement to be used for this toxic combination. Only entitlements that are used as input entitlements are available for selection.
Note
The configuration settings will be saved automatically.
Important
Toxic combinations can be configured within the toxic policy in any order, because their order does not affect their importance.
Example: multiple Office365 conflicting licensing plans
In certain situations it is useful to configure which permission should overrule another when both are granted, because the two permissions may conflict.
Most of the time, only a single license should be granted to a person, because assigning duplicate licenses is more expensive.
For example, in Office365, licenses could be granted based on business rules scoped to the department attribute of a person's contract. In some cases, due to multiple contracts, a person could end up qualifying for a license in different business rules, where the first business rule grants the E1 license and the other business rule grants the E3 license. In this specific case, the end user will receive both licenses, which isn't desirable.
In the example below, the E3 license grants more applications than the default E1 license. We therefore want a toxic rule that assigns only the E3 license when the business rules grant both E3 and E1. Likewise, if the E1 license (entitlement) is already granted and the E3 license should now be granted, we want to revoke the E1 license and grant the E3 license instead.
Example Office365 configuration
Click on the Provisioning icon in the top toolbar of the admin dashboard.
From the Provisioning dashboard, go to: Business > Rules.
Click on the Toxic policy button located at the top right corner of the page.
Click on the + sign to create a new Toxic combination.
Name your combination "Office 365 Toxic combination".
Make sure the Toxic combination is enabled.
Select Office 365 E1 and Office 365 E3 as input entitlements.
Select Office 365 E3 as output entitlement.
The final result will look as follows:
Run an evaluation report to determine the outcome of this toxic combination.
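The outcome described in the Office 365 example, modeled in Python as an added example (not the product's own code or evaluation logic). The names ToxicCombination, evaluate and reconcile are hypothetical, and the model assumes a combination applies only when a user qualifies for all of its input entitlements.

```python
from dataclasses import dataclass

MAX_INPUTS = 10  # page: at most 10 input entitlements per combination


@dataclass(frozen=True)
class ToxicCombination:  # hypothetical name, mirrors the options listed above
    name: str
    inputs: frozenset
    outputs: frozenset
    enabled: bool = True

    def __post_init__(self):
        # Constraints taken from the configuration options on this page.
        if not 2 <= len(self.inputs) <= MAX_INPUTS:
            raise ValueError(f"{self.name}: select 2 to {MAX_INPUTS} inputs")
        if not self.outputs:
            raise ValueError(f"{self.name}: select at least one output")
        if not self.outputs <= self.inputs:
            raise ValueError(f"{self.name}: outputs must be chosen from inputs")


def evaluate(qualified, policy):
    """Return (to_grant, suppressed) for one user.

    qualified: entitlements the business rules would grant.
    Assumption: a combination fires only when the user qualifies for ALL of
    its inputs; it then suppresses every input that is not an output.
    Each combination is checked against the original set, so the result
    does not depend on the order of combinations in the policy.
    """
    qualified = frozenset(qualified)
    suppressed = set()
    for combo in policy:
        if combo.enabled and combo.inputs <= qualified:
            suppressed |= combo.inputs - combo.outputs
    return qualified - suppressed, frozenset(suppressed)


def reconcile(current, to_grant):
    """Actions needed to move a user from current grants to the evaluated set."""
    current = frozenset(current)
    return {"grant": sorted(to_grant - current), "revoke": sorted(current - to_grant)}


# Constructed sample: the Office 365 combination configured in the steps above.
OFFICE365 = ToxicCombination(
    "Office 365 Toxic combination",
    inputs=frozenset({"Office 365 E1", "Office 365 E3"}),
    outputs=frozenset({"Office 365 E3"}),
)
```

Passing the user's currently granted entitlements and the evaluated set to reconcile yields the revoke-E1, grant-E3 case from the example.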