Role/permission analysis in Excel: comparing list of user permissions with pairs of disallowed roles

Posted by: admin May 14, 2020

Questions:

As an exercise, I am doing some simple segregation of duties testing and have two datasets showing (1) disallowed combinations of roles and (2) a list of users and the roles they have.

Some users have up to 20 roles, and there are over 100 disallowed combinations.

The below is an example of the data structure I have.

Disallowed role combinations

critical_1           critical_2
-----------------------------------
role1                role3
role2                role1
role4                role5
...                  ...

User roles

Username        UserRole1        UserRole2         UserRole3      ...
-----------------------------------------------------------------------------
user1           role1
user2           role2            role6             role10
user3           role4            role500           role5

I can also transform the data so it’s a series instead, for example for user3:

Username       Roles
-------------------------------
user3          role4
user3          role500
user3          role5
...            ...

However, I think the permissions being in a single row per user is easier to work with.

The expected result would be that user3 would be identified as having a disallowed role combination (role4 and role5).

I have been experimenting with various INDEX(MATCH) and nested VLOOKUPs but I can’t quite figure out how to lookup pairs in an array and see if they exist in a row of values.

Is this something that can be done without VBA?

How to & Answers:

I think the easiest way to do it without VBA is to create a helper column by user (in the example below column H):

The formula for cell H2 would be the following:

=+IF(AND(COUNTIFS($B:$B,H$1,$C:$C,$E2)>0,COUNTIFS($B:$B,H$1,$C:$C,$F2)>0),"Combination "&$E2&" - "&$F2&" is disallowed","")

You can create more columns for more users and drag the formula.
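
The same segregation-of-duties check outside Excel, as an added example that is not part of the original answer: a Python sketch that treats each disallowed pair as unordered and accepts either the one-row-per-user layout or the one-row-per-role layout from the question. The sample data is constructed from the question's tables; user4 and all function names are assumptions added for illustration.

```python
import csv
import io

# Constructed sample data in the layout shown in the question.
DISALLOWED_CSV = """critical_1,critical_2
role1,role3
role2,role1
role4,role5
"""

# user4 is an added, hypothetical row that holds two disallowed pairs at once.
USER_ROLES_CSV = """Username,UserRole1,UserRole2,UserRole3
user1,role1,,
user2,role2,role6,role10
user3,role4,role500,role5
user4,role3,role1,role2
"""

def load_disallowed(text):
    """Return the disallowed pairs as unordered frozensets."""
    pairs = set()
    for row in csv.DictReader(io.StringIO(text)):
        a, b = row["critical_1"].strip(), row["critical_2"].strip()
        if a and b and a != b:
            pairs.add(frozenset((a, b)))
    return pairs

def load_user_roles(text):
    """Read user rows (wide or one role per row); blank role cells are skipped."""
    users = {}
    reader = csv.reader(io.StringIO(text))
    next(reader)  # header row
    for row in reader:
        if row and row[0].strip():
            roles = {cell.strip() for cell in row[1:] if cell.strip()}
            users.setdefault(row[0].strip(), set()).update(roles)
    return users

def find_conflicts(users, disallowed):
    """Map each violating user to the sorted list of disallowed pairs held."""
    conflicts = {}
    for user, roles in users.items():
        hits = [tuple(sorted(p)) for p in disallowed if p <= roles]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts

if __name__ == "__main__":
    print(find_conflicts(load_user_roles(USER_ROLES_CSV), load_disallowed(DISALLOWED_CSV)))
```

Role names are compared case-sensitively after trimming whitespace, whereas COUNTIFS ignores case, so normalize casing first if the two exports differ.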