Overview of Access Models

An access model performs sensitive-access or separation-of-duties analysis: it detects risk in the assignment of access points, which are roles or privileges that enable users to work with data in business applications.

The model may identify access points that conflict, because in combination they'd allow individual users to complete transactions that may expose a company to risk. Or it may identify a single access point that presents inherent danger, typically because it provides broad access.

An access model consists of filters that specify access points or that define conditions. Each filter cites a business object, which supplies data for analysis.

Access Point and Entitlement Filters

A filter may specify an access point or an entitlement, which is a set of related access points. The filter selects users assigned either the specified access point or any point in the specified entitlement. A model must contain at least one of these filters; a model with a single such filter returns records of the users that filter selects. Typically, however, a model contains two or more of these filters and returns records of users selected by defined combinations of the filters.

Condition Filters

A filter may define a condition, which grants exemptions from access analysis. First, access-point or entitlement filters return records of role assignments that involve specified access points. Then condition filters select records from that set, and so exclude the records they don't select. A condition filter may specify items, such as users or business units, to be included in analysis. Or it may require the model to consider access granted only within, or only across, individual instances of items such as business units.
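The following is an added example (not part of this documentation or of any product's code) that implements the filter logic described in the two sections above on a constructed set of role assignments: each access-point or entitlement filter selects (user, business unit) records, a condition filter excludes the records it does not select, and the remaining records are combined either within or across business units. The entitlement name, the access-point names and the assignment data are all constructed for illustration.

```python
# Constructed sample role assignments: (user, access point, business unit)
ASSIGNMENTS = [
    ("alice", "Create Supplier", "US"),
    ("alice", "Approve Invoice", "US"),
    ("bob",   "Create Supplier", "US"),
    ("bob",   "Approve Invoice", "UK"),
    ("carol", "Approve Invoice", "US"),
    ("dave",  "Post Journal",    "US"),
]

# Constructed entitlement: a named set of related access points
ENTITLEMENTS = {"Payables Approval": {"Approve Invoice", "Approve Payment"}}


def run_model(assignments, filters, include_users=None, within_unit=True):
    """Return the sorted users flagged by an access model.

    filters       - access-point or entitlement names; a single filter is a
                    sensitive-access check, two or more is an SoD check.
    include_users - optional condition filter: only these users are analysed.
    within_unit   - True: the user must hold every filter's access in the
                    same business unit; False: units are combined across.
    """
    if not filters:
        raise ValueError("a model needs at least one access-point filter")

    # Step 1: each filter selects the (user, unit) records holding any of
    # its access points (an entitlement expands to its member points).
    selected = []
    for name in filters:
        points = ENTITLEMENTS.get(name, {name})
        selected.append({(u, bu) for u, ap, bu in assignments if ap in points})

    # Step 2: a condition filter keeps only the records it selects, which
    # excludes everyone else from the analysis.
    if include_users is not None:
        selected = [{r for r in s if r[0] in include_users} for s in selected]

    # Step 3: combine the filters. A user is flagged only if present in the
    # records of every filter, either in one unit or in any units.
    if within_unit:
        hits = set.intersection(*selected)
        return sorted({u for u, _ in hits})
    per_filter_users = [{u for u, _ in s} for s in selected]
    return sorted(set.intersection(*per_filter_users))


if __name__ == "__main__":
    print(run_model(ASSIGNMENTS, ["Create Supplier", "Payables Approval"]))
```

With the sample data, the SoD model flags only alice within a single business unit, but flags bob too when access is combined across units, which is the difference the condition filter's within/across setting controls.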

Note: Before you can create or run access models, you must synchronize global users at least once. This procedure assigns an ID to each person who uses business applications subject to models and controls. That ID correlates to potentially varying IDs the person may have for business-application accounts. (See Global Users.)