I've used it in the past quite a bit and they have made some improvements since then. I don't like that they won't let you transport anything for it such as the mitigating controls, rules, sod other config aspects of the tool. You can move rules between SAP systems with flat file on your PC, which is both sloppy and not secure by it's very nature. If your company transports roles (they should) then I also believe you should be able to transport VRAT config. It becomes very cumbersome.
The interface does it's job but it's ugly and makes it hard to teach someone how to use it. SOD checks are also very slow.
It has a very good (none are perfect) list of profile value combinations that create SODs, which is what you check against. The problem with that is companies tend to think they can buy an SOD tool (not specific to Virsa here) and implementing it is as simple as running SOD checks on users and fixing a few deficiencies. In reality it's more work to figure out what the business case is for any SODs. Many times users will have an SOD according to their authorizations but it means nothing to the company. You have to do something about that. Either remove that check from the rules or add a mitigating control entry into Virsa.
Virsa is a so-so tool in my opinion, but it does its job. The whole SOD thing is a can of worms, however!
Oh, do ever agree with that. SOD really works against us getting the work done. We need something, be it Virsa or something else. Are you aware of something that might be better?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.